Even though the GDPR may look complicated, there is a simple way of creating a roadmap of becoming compliant with the GDPR and avoiding future problems.
The EC has introduced the General Data Protection Regulation (GDPR), a new regulation unifying rights, responsibilities, reports, protection and, unfortunately, also penalties regarding personal data handling.
The EU values personal rights and therefore takes handling of personal data seriously.
Abuse of personal data, or failure to protect it, may lead to significant fines of up to 4% of the company's annual income or 20 million EURO.
First of all, the GDPR is a strong regulation affecting every business and organisation dealing with personal data of anyone living in the EU.
Thus it also affects businesses operating outside the EU territory which, for some reason, process data of persons living in the EU.
The GDPR can be divided into three main areas – security, personal data accessibility and legal.
This requires adding controls and, most probably, reorganising your data structure and storage processes.
What is the goal:
Personal data accessibility and structure
Personal data is each person's own possession – one can always ask to receive information about what data is stored about him/her, how the data is used, or ask to have it removed completely.
Personally identifiable information (PII), information that can lead to the identification of a person, is also considered personal data.
Full visibility
Your organisation must be able to trace and locate all personal information on request. In many cases, this will require adjusting the information storage and handling system and structure.
Successful implementation can actually give your organisation the advantage of using the information for better analyses of your business which could lead to a more precise planning.
Our company can help you implement mapping tools that, when future handling is needed, will give you an overview of where in your organisation this private data is stored.
- Removal
In case of a request, your organisation must be able to remove and discard all personal information.
This may seem simple, but much of this information may stay on various media or backups.
- Informed consent
Each organisation that stores personal data is obliged to have approval from the owner, with exact specifications of how this private data will be handled and disclosed.
- Private Data portability
The owner of the information has the right to receive and move his/her personal data stored in your organisation, and you must be able to provide it.
If you store a high volume of data that a great number of owners can request, your organisation may face a significant workload.
Thus it is absolutely essential to have the best automated systems available.
Security
The GDPR requires personal data processors and controllers to protect this data against unauthorised disclosure.
If personal data is stolen or disclosed, and an investigation reveals that the organisation did not make enough effort to protect it, a significant fine of up to 20 000 000 EURO could be imposed.
The GDPR does not contain a full list of specific controls.
Information protection is based on good practice and standards.
- Access control
Your organisation should have systems that record and control every access to the data.
Installation of an appropriate Data Loss Prevention (DLP) tool is strongly recommended.
A sufficient tool will fully control what data is extracted from your organisation and in which way.
Our company has extensive experience with DLP product implementation into diverse environments, helping to protect against various threats, including corporate spying.
- Monitoring
Appropriate control over the systems is recommended. All logs from the systems should be collected in a central place, assessed, correlated by a SIEM and monitored 24/7.
- Reporting
A security incident in which personal data is disclosed to an unauthorised person must be reported to the national authority within 48 hours.
For this purpose, our company offers SOC as a service, which saves a significant amount of budget compared to an in-house SOC.
- Vulnerability management
Abusing unpatched vulnerabilities is one of the easiest ways to breach an environment and steal data. It is recommended to regularly assess your environment for vulnerabilities. For this purpose, our company offers our vScan solution, which is easy to implement and cost-friendly.
- Full information security standard
The controls mentioned above are the minimum, but for large processors of private data the implementation of a full information security standard is inevitable.
Legal requirements
Processing of personal data must be fair and transparent in relation to the person concerned. It is the responsibility of the company to inform the user what personal data has been collected and for which purpose.
The owner must agree to the intended purpose and to the fact that the data is being collected.
- Informed consent
The conditions for consent have been consolidated, so that companies will no longer be able to hide behind long, illegible terms and conditions full of legalese.
Now the request for consent must be given in an intelligible and easily accessible form, together with information about the intended purpose of the processed data – meaning it must not be ambiguous.
- Opt-out
The GDPR stipulates that data owners must be given an opportunity to opt out of the processing of their data, and they must be informed about this right of rejection (opt-out) upon first contact with the data controller.
- Persons under 16 years
In case data of a person younger than 16 is being processed.
- Responsible person or DPO
Assigning one responsible, skilled and knowledgeable person to this task will make the GDPR compliance process much easier and smoother.
Our company can offer the services of one of our Information Security Consultants, who operates as the data protection officer (DPO) required by the GDPR.
The DPO is responsible for evaluating and enforcing adequate GDPR processes, as well as for monitoring the company's compliance with the GDPR and advising the company on the legal requirements for compliance.
DPOs must be appointed in the case of:
- public authorities,
- organizations that engage in large scale systematic monitoring, or
- organizations that engage in large scale processing of sensitive personal data.
4 steps to achieve GDPR compliance
- Accountability and Responsibility
Each data controller must adhere to the 6 principles of GDPR accountability for personal data processing (Lawfulness, Purpose and Storage Limitation, Data Minimisation, Data Accuracy, Security and Integrity), must fulfil the requirements of transparent, secure and fair processing with respect to the rights and freedoms of data subjects, fulfil the requirements of data subject rights, maintain Records of processing activities, and implement adequate technical and organisational measures to prevent Data Breaches.
- Assessment – Analyse your systems and processes
Each project dealing with private data shall include:
- Data Mapping
Each project dealing with personal data processing should start with analysing the company's systems and processes through Data Map evaluation. The data mapping process helps the organisation obtain a 360-degree view and the complete lifecycle of personal data flows, from the point of collection up to the point of data erasure, including all processes, processing points and processing assets.
- Gap Analysis
Each project dealing with personal data processing should include a Gap Analysis. The gap analysis determines whether the technical and organisational measures already in place can achieve the GDPR objectives and compliance, and what needs to be implemented or improved in order to achieve GDPR compliance. Gap analysis is a technique used to determine the steps needed to move from the current state to a desired future state, and to compare the current performance of measures and controls against GDPR compliance.
- Data Protection impact assessment (DPIA)
Each project dealing with personal data shall include a DPIA. The DPIA is the classification and assessment of the private data identified in Data Mapping, and the evaluation of compliance and privacy risks from the legal, technical and security perspectives.
Our company provides you with a DPIA and a subsequent solution proposal.
- Design solution
After the assessment, appropriate technical and organisational solutions and measures should be designed.
To meet the GDPR requirements, this solution should include legal adjustments, training, processes, documentation, technical and organisational solutions, and information security implementation.
Our company's consultants have vast experience in designing solutions for large environments, including Fortune 500 companies, and they are available to support or fully design your GDPR solution.
- Implementation
The last step is the implementation of the designed legal, training, technical and information security controls and measures. Our methodology steps for GDPR implementation are Plan – Do – Check – Act.
These implemented solutions should be subject to regular compliance audits in order to reveal and prevent any possible gaps.