By now, most of the businesses and individuals concerned have probably heard about GDPR, the General Data Protection Regulation.
This is a new piece of EU legislation that will be the legal framework for data protection across Europe. The UK’s decision to leave the European Union will not affect the commencement date of GDPR, which is 25th May 2018.
So, what do businesses need to know about GDPR? Well, many companies have started looking at the implications. As they’re finding out, it is a complicated piece of legislation, with a multitude of provisions that may or may not apply to them.
Clearly a structured, formal approach is required. If a company has implemented ISO 27001 or similar, then it should be possible to include GDPR as part of their wider compliance activities.
If an organisation has not considered a framework such as ISO 27001, then GDPR may be a good reason to look at implementing such a scheme for wider information assurance reasons.
Don’t fall into the trap
The trap not to fall into is to consider GDPR to be solely a legislative exercise and therefore to assume that the effort to implement the changes should be run by the legal department.
GDPR requires a top-down approach with board level recognition and sponsorship. A project team should be formed that represents the whole of a company and all its major departments.
GDPR is wide ranging and it is essential all areas of your business understand their responsibilities. Education and information are the key to success.
Board level executives must clearly understand their responsibilities and staff must be made aware of the potential changes to their working practices. GDPR may, in many cases, require a change in attitude or company culture and this may prove to be the hardest thing to achieve.
Assess the risk
Once you have your committee, a review of existing policy and procedures relating to data protection and how you handle data breaches should be undertaken.
If not recently completed, a risk assessment may be required to identify those areas of the business that will be impacted by GDPR and to identify the personal information that you hold.
Where the risk is deemed to be high, then a privacy impact assessment (which GDPR calls a Data Protection Impact Assessment, or DPIA) will need to be completed and suitable steps taken to protect the data.
As is often the way with assessments of this type, the personal data a business thinks it holds, and where it thinks that data is stored, frequently turns out to be very different from what is actually held and where.
It is also worth noting that the supervisory body, in the UK this is the Information Commissioner’s Office (ICO), will be legally entitled to see the personal data that you hold, so it is important that you ensure you have accurate records of all personal data.
A fundamental step in complying with GDPR: understand what data you hold and what you must protect.
There are parallels with this approach that will be familiar to anyone who has completed a full PCI DSS assessment. There will be a lot of upfront work in the first year, leading up to the initial assessment, but the following years should require much less effort as processes are embedded and become part of standard business-as-usual procedures.
On the whole, the individual’s rights to request information from a company are broadly similar to the existing Data Protection Act, but there are enhancements.
These include the new right to data portability: you must now be able to provide a subject’s data in a structured, commonly used and machine-readable electronic format, rather than in the form of a letter. The time allowed to comply with a subject access request has also been reduced from the current 40 days to one month, and in most cases no charge can be levied.
The need to comply with the data portability requirements alone may justify a separate project; for instance, you must consider how the information could be provided to the requester in a secure fashion, and how you verify that the requester is who they claim to be before releasing it.
If businesses store information on children, then GDPR introduces additional controls and restrictions on the storage of such data. It is essential that a company identifies this information and fully understands its responsibilities.
If you are a public authority, or your core activities involve large-scale processing or monitoring of personal data, then the organisation will need to appoint a data protection officer.
The nature of GDPR and the potential implications of not complying with it means this will become an important and senior role within many organisations. However, given the expected demand for such personnel, recruiting a suitable candidate may not be a simple task.
Other areas, such as breach notifications (notifiable breaches must be reported to the supervisory authority within 72 hours of becoming aware of them) and the potential fines that can be faced (up to €20 million or 4% of global annual turnover, whichever is higher), have been widely reported and should not be underestimated either.
There is a lot to take in, and further reading from sources such as the Information Commissioner’s Office and the EU Article 29 Data Protection Working Party is highly recommended.
Sourced by Chris Leppard, head of advisory, CNS Group