If you haven’t heard, compliance with the General Data Protection Regulation (GDPR) is around the corner, and it’s not going away. As of May 25, 2018, organizations offering goods and services to individuals in the EU, or monitoring their behavior, must comply with GDPR regardless of where the organization itself is established. To some the regulation may seem onerous, but it’s the right thing to do. The objective of the regulation is to provide transparency to EU data subjects (citizens and residents) and enable them to understand what personal data is collected, how it’s used, who it’s shared with and how long it’s kept. Additionally, it gives these data subjects certain rights: to question the accuracy of data used to profile them, or to leave a service (e.g., Facebook) and take their data with them. Some of these rights are not absolute; there are exceptions.
In essence, GDPR provides a data protection framework to maintain the privacy of personal data. This is necessary in today’s increasingly digital society, which continuously collects and analyzes all types of data, ranging from the footprints we leave when accessing web sites to the sensor data collected by the internet of things. We may not appreciate it, but the use of our personal data has a tremendous impact on our lives; therefore, it must be protected.
GDPR is a broad regulation that raises many questions regarding its applicability. Most organizations require assistance to sort through the regulation to understand what it means to them and what’s needed to comply. If you’ve procrastinated and haven’t assessed your situation, don’t hyperventilate; there is still time to demonstrate that you are working towards compliance and taking due care. These are steps you can begin taking to establish compliance:
- Understand GDPR applicability to your organization. Identify the personal data collected and processed. This includes determining how many EU data subjects are in scope along with the level of personal data sensitivity. Are you collecting or processing biometric information, or data that reveals a person’s political opinions, racial or ethnic origin, health or sexual orientation? These “special categories” (Article 9) carry stricter conditions. Additionally, determine where you fit in the GDPR spectrum. Are you considered a controller (you decide why and how personal data is processed) or a processor (you process it on a controller’s behalf)? This determination will shape your GDPR compliance obligations.
- Identify how lawful processing of personal data will be accomplished. There are six lawful bases under GDPR: consent, performance of a contract, legal obligation, vital interests, public task (public interest or official authority), or legitimate interests (refer to Article 6: Lawfulness of Processing for a detailed explanation). Note that the higher bar of explicit consent applies to the special categories of data under Article 9, not to ordinary personal data. Identify and document the lawful basis for each type of personal data collected and processed, since the basis you choose affects which data subject rights apply and how you must respond to them.
- Identify how the rights of the individual apply to your environment and ensure the right processes are in place to respond to data subject requests. This includes preparing for requests such as erasure or rectification, which may require controller-processor process integration so that a request received by the controller propagates to every processor holding copies of the data. As previously stated, not all rights are absolute.
- Address security of processing by aligning security controls to manage the risk associated with personal data processing activities. To be clear, GDPR is not a security regulation. It doesn’t prescribe a specific control set: Article 32 requires “appropriate technical and organisational measures” proportionate to the risk, and names examples such as pseudonymisation, encryption, the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore access to data after an incident, and regular testing of those measures, but it leaves the choice and depth of controls to your risk assessment. Document that assessment; it is what demonstrates due care if a breach occurs.
- Establish accountability and governance to implement and maintain the controls needed for GDPR compliance, including clear ownership for each processing activity and evidence that the controls are operating.
- Update contracts and notices. As applicable, update privacy policy, terms of service and contract language to satisfy GDPR requirements. Ensure the controller-data subject and controller-processor requirements are taken into consideration.
- Address data protection by design and by default. Develop and implement GDPR principles (including the supporting security principles) to build the right privacy and security culture. Perform privacy and security reviews early in the design process, and update product design and SDLC processes to ensure this happens rather than relying on ad hoc reviews at release time.
- Create and maintain an inventory of personal data processing activities: what data is collected, on what lawful basis, where it is stored, who it is shared with and how long it is retained. This record of processing is itself a GDPR requirement for most organizations and is the foundation for the other steps.
- Perform data protection impact assessments (DPIAs) where the regulation requires them, which is whenever processing is likely to result in a high risk to individuals (for example, large-scale processing of special categories of data or systematic monitoring). This is critical to ensure compliance is maintained as processing changes, and the DPIA is what makes data protection by design practices effective in practice.
- Assess third parties and processors to ensure they are compliant with GDPR. This includes updating contractual language so that the data protection requirements for processors are addressed, such as processing only on the controller’s documented instructions and assisting with data subject requests and breach notification.
- Establish a Data Protection Officer (DPO) role. This can be a consultant or an internal team member who is comfortable interpreting and applying privacy regulations. Not all organizations are required to appoint a DPO, but the role is helpful to get the ball rolling with compliance.
This list provides high-level guidance to get started with GDPR. Keep in mind that this is not a one-time event; protecting personal data is a journey that never ends. High-performing organizations build responsible collection and processing of personal data into the fabric of their business. I authored a white paper that provides additional insight into GDPR and what should be done to prepare.
GDPR is not going away. It’s time to get to work and focus on implementing an effective data protection framework. Your customers will thank you for it!