GDPR Compliance in Six Steps
10 August 2017
By Jan Smets, Cybersecurity Expert at Gemalto
In less than a year's time, a radical change to data protection legislation will come into effect in the EU – the General Data Protection Regulation (GDPR).
Aiming to protect the personal data of people in the EU, the regulation will hold businesses accountable to the individuals whose data they process. Most US states already oblige companies to notify the people affected by a data breach; businesses operating within the EU have had no general obligation of this kind, and GDPR changes that: a breach must be reported to the supervisory authority within 72 hours of discovery where feasible, and to the individuals concerned where it puts them at high risk. In short, the already large number of records reported lost or stolen in Europe is very likely a considerable undercount.
With GDPR almost here, the data protection and privacy landscape of the EU is set to change in big ways. But how can a business ensure that it is compliant with the regulation, and how should it go about becoming compliant? Below are six steps every business should undertake:
Step one – Get to grips with GDPR’s legal framework
The first step that any business needs to take is to understand how each aspect of the legislation applies to it. By conducting a full audit against the GDPR legal framework, a business learns what it needs to do and what the consequences of failing to do so are. As part of this compliance audit, a business should appoint a Data Protection Officer (DPO), who will be responsible for ensuring the company adheres to the regulation. GDPR makes a DPO mandatory only for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data (Article 37), but a named owner for compliance is valuable in any organisation. Ideally, a DPO would have a background in both law and technology, so they can understand both the regulatory framework and the technical controls needed to meet it. Every organisation is different, and so no GDPR journey will look the same – clear guidance from business leaders to employees is needed to ensure the whole company understands how to be compliant.
Step two – Create a Data Register
Once a business understands the steps it needs to take, it's important that it keeps a record of the process. This is best done with a Data Register – essentially a GDPR diary, built around the record of processing activities that Article 30 requires: what personal data is held, why, on what legal basis, who it is shared with and how long it is kept. The Data Protection Authority (DPA) of each member state enforces GDPR and decides whether a business is compliant, including after a breach, when deciding on any penalty. In that event, the Data Register is the crucial tool for demonstrating the progress the affected business has made in becoming compliant; GDPR's accountability principle (Article 5(2)) puts the burden of proving compliance on the business, not on the regulator. If it has no proof, the DPA can fine up to 2% of annual worldwide turnover or EUR 10 million, whichever is higher, for breaches of obligations such as record-keeping and security, and up to 4% or EUR 20 million for breaches of the core principles and of individuals' rights (Article 83). The amount depends on factors such as the nature and duration of the infringement, the sensitivity of the data, the harm caused and the degree of cooperation with the DPA.
Step three – Classify data
While understanding what protections, if any, are already in place is important, this step focuses on helping businesses understand what data they need to protect and how that is being done. First, a business must locate any personal data – information that can directly or indirectly identify a person, often called personally identifiable information (PII) – relating to individuals in the EU. (GDPR protects people who are in the EU, regardless of their citizenship.) It's crucial to know where this is stored, who can access it, who it has been shared with and so on. The business can then determine which data is most vital to protect – special categories such as health, biometric or financial data carry the highest risk. In addition to this, it's important to know who is acting as controller and who as processor for each data set, and to make sure the contracts GDPR requires between them (Article 28) are in place.
Step four – Identify the top priorities
Next, a business needs to evaluate how that classified data is being produced and protected. Regardless of how data is collected, the first priority should always be to protect the user's privacy. Businesses should ask themselves whether they actually need the sensitive data they have collected – this data is worth a lot to an attacker and carries the greatest risk if stolen, and data that is never collected or is deleted when no longer needed cannot be breached. Businesses should complete a Data Protection Impact Assessment (DPIA) for any processing likely to result in a high risk to individuals, such as large-scale processing of special categories of data or systematic monitoring (Article 35). When doing this, it's important to keep the rights of individuals in mind, including the rights to restriction of processing and to data portability. In particular, under the right to erasure (Article 17), commonly called the "right to be forgotten", personal data must be deleted without undue delay when the individual requests it and one of the grounds in the Article applies – for instance when the data is no longer needed for the purpose it was collected for, or when consent is withdrawn. No approval from an EU body is involved; the business itself must decide whether the request is valid, and where it has shared or published the data it must also inform the recipients so they erase their copies. It's crucial that all this data is correctly and promptly destroyed and can no longer be accessed.
Evaluating how the business protects this data comes next (for example, with encryption, tokenisation or pseudonymisation). The evaluation must cover any historical data, the data being produced and any data that is backed up – either on-site or in the cloud. Wherever the business can still operate on it, this data should be pseudonymised or anonymised to protect the privacy and identities of the people it relates to. The distinction matters: anonymised data, which can no longer be linked to a person by anyone, falls outside GDPR, while pseudonymised data, which can be re-linked with additional information such as a key or lookup table, is still personal data and must be protected as such. All data needs to be protected from the day it is generated to the day it is securely deleted, backups included.
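The pseudonymisation, tokenisation and backup points above, and the erasure obligation of the previous step, can be seen working together in code. The following is an added example and not code from the original article or from Gemalto: it pseudonymises constructed customer records with a keyed HMAC token (an unkeyed hash is shown alongside to demonstrate why it is not a pseudonym an attacker cannot reverse), stores the direct identifiers encrypted under a per-person key kept outside the backup set, and implements erasure as key destruction ("crypto-shredding"), so every copy of the ciphertext in every backup becomes unreadable without having to rewrite the backups. To keep the example standard-library only, the cipher is HMAC-SHA256 in counter mode standing in for an authenticated cipher such as AES-GCM; it is an assumption of this illustration, offers no integrity protection, and should not be copied into production.

```python
"""Pseudonymisation, tokenisation and crypto-shredding of personal data.

Added example, not from the original article. Standard library only: the
HMAC-SHA256 counter-mode stream cipher is a stand-in for an AEAD such as
AES-GCM and provides no integrity protection. Sample records are constructed.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records: direct identifiers plus business fields that
# analytics and backups legitimately need to keep.
CUSTOMERS = [
    {"name": "Anna Muster", "email": "anna@example.org", "orders": 3, "country": "BE"},
    {"name": "Bjorn Ek", "email": "bjorn@example.se", "orders": 1, "country": "SE"},
]
DIRECT_IDENTIFIERS = ("name", "email")


def weak_pseudonym(email: str) -> str:
    """Unkeyed hash: looks anonymous, but anyone can hash candidate e-mails
    and match them, so the dataset is still linkable to the person."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC with a secret key: without the key, candidate e-mails cannot be
    checked against the tokens, so linkability depends on protecting the key."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode; the same call encrypts and decrypts.
    Illustrative stand-in for AES-GCM (assumption of this example)."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        block_key = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block_key))
    return bytes(out)


@dataclass
class PersonalDataVault:
    """Pseudonymises records and keeps the direct identifiers encrypted under a
    per-person key. The keys live here, outside the backup set; deleting one
    is the erasure step, since every backup copy of that ciphertext dies with it."""
    pseudonym_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    subject_keys: dict = field(default_factory=dict)   # token -> per-person key
    identifiers: dict = field(default_factory=dict)    # token -> (nonce, ciphertext)

    def pseudonymise(self, record: dict) -> dict:
        token = keyed_pseudonym(record["email"], self.pseudonym_key)
        subject_key = self.subject_keys.setdefault(token, secrets.token_bytes(32))
        nonce = secrets.token_bytes(12)
        plaintext = json.dumps({k: record[k] for k in DIRECT_IDENTIFIERS}).encode()
        self.identifiers[token] = (nonce, _keystream_xor(subject_key, nonce, plaintext))
        # Business fields stay in clear. The result is pseudonymised, not
        # anonymised: while the key exists it is still personal data under GDPR.
        return {"subject": token, **{k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}}

    def reidentify(self, token: str) -> Optional[dict]:
        key = self.subject_keys.get(token)
        if key is None:
            return None  # key destroyed: ciphertext (and its backups) is unusable
        nonce, ciphertext = self.identifiers[token]
        return json.loads(_keystream_xor(key, nonce, ciphertext))

    def erase(self, token: str) -> None:
        """Right to erasure implemented as crypto-shredding of the per-person key."""
        self.subject_keys.pop(token, None)


def demo() -> dict:
    """Run the whole flow and return the observable outcomes."""
    vault = PersonalDataVault()
    dataset = [vault.pseudonymise(r) for r in CUSTOMERS]
    backup = json.dumps(dataset)            # what an off-site backup of the dataset holds
    token = dataset[0]["subject"]
    before = vault.reidentify(token)        # authorised re-identification works
    vault.erase(token)
    after = vault.reidentify(token)         # after erasure it cannot
    # Dictionary attack: hash every known e-mail and look the weak pseudonym up.
    rainbow = {weak_pseudonym(r["email"]): r["email"] for r in CUSTOMERS}
    return {
        "before": before,
        "after": after,
        "weak_reversed": rainbow[weak_pseudonym("anna@example.org")],
        "backup_has_email": "anna@" in backup,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two design choices worth carrying into a real system are that the pseudonymisation key and the per-person keys are managed separately from the data they protect (a key management service or HSM, not the same database or backup job), and that erasure is recorded against the Data Register as the moment the key was destroyed, since that is what makes the historical and backed-up copies unrecoverable.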
Step five – Document and assess any additional risks and processes
Of course, there’s more to compliance than just protecting the most sensitive data – the next stage of the process is to assess and document any other risks, to discover any other processes or areas that might be vulnerable. While doing this, the business should update its Data Register, to show the DPA how they are addressing any existing risks. Only by doing this can a business demonstrate to the DPA that it is treating compliance and data protection seriously and with respect.
Step six – Revisit and repeat
Finally, the last step on the compliance journey focuses on revisiting the outcome of the previous steps, remediating any gaps they uncovered and tweaking and updating controls where necessary. Once this is complete, businesses should evaluate their next priorities and repeat the process from step four, since new systems, suppliers and data flows will keep appearing.
Moving forward, every decision, plan and application a business makes needs to have privacy and security at its forefront. This is what GDPR calls "data protection by design and by default" (Article 25), often referred to as "privacy by design", and it ensures that any data entering a business is located and protected from the moment it arrives. Any business that fails to demonstrate it has the right measures in place, or has at the very least begun the process of introducing them, will face severe fines and damage to its reputation. In less than a year, when businesses lose the ability to hide their data breaches, we'll get a realistic picture of the state of cybersecurity in the EU.