The GDPR (General Data Protection Regulation) will enter into force in all countries of the European Union in about nine months, that is, on May 25th, 2018. From that date, compliance with the provisions of the regulation must be demonstrable with evidence. In previous posts we have already explained that non-compliance carries sanctions, including draconian fines. But what concretely do you have to do to achieve compliance, and which is the best way? This checklist is intended to guide you to that target without the stress.
1 ‒ Management Awareness is your first target
Make your senior management and key persons aware of the GDPR, and especially of the tight schedule. May 2018 may seem far away, but you know yourself how quickly time runs. Every plan you need must be laid out and started well in time if the implementation is to finish within the deadline, and successfully. Take the opportunity to think about what an organisational structure for data protection issues might look like in your company. Are any of the roles and functions connected to data protection and information security already in place? Can you define an ideal organisational structure for your enterprise?
2 ‒ Analyse your data
Do not delay making an inventory of all personal data processed in your company; it should include information about the origin of the data and its possible (external) recipients. Making the inventory is not complicated in itself; however, because of the huge volumes of unstructured data typically present in most enterprises, the survey can require considerable time and effort. And without an inventory you lack the foundation for every further step. Our suggestion: ask your colleagues in internal audit for support with this activity.
3 ‒ Check your own data protection terms and conditions
Take a look at the data protection terms and conditions you include in contracts, on your website, in your products and in your general terms: do they already comply with the new regulation? The GDPR introduces specific changes on this topic, which must be reflected in the corresponding documents.
4 ‒ Learn the rights of the involved persons
Analyse the rights of the persons involved, such as clients and employees, with respect to their personal data, and to what extent these rights are already covered in your processes and guidelines. Seize the opportunity to train your employees on the new regulation, so that the persons concerned can actually exercise their rights when they ask to. You also need to define and document a process through which personal data can be handed over or deleted on request, and a further process for giving an appropriate, complete and timely answer to any such request.
5 ‒ Learn the legal conditions for processing data abroad
If your activities span several countries, inside or outside the EU, the processing of personal data may be subject to different regulations. Survey what knowledge is available in your enterprise and what controls are currently in place to support compliance with those regulations. The GDPR gives you the opportunity to designate the Data Protection Authority of one EU country as your main interface; it will then co-operate, at your request, with the Data Protection Authorities of other EU countries.
6 ‒ Obtain the interested persons’ consent
If you have not yet obtained the interested persons’ consent to the processing of their personal data, now is the right time to check whether you need to. This is another area in which the GDPR brings changes, which may require corresponding changes to existing documents and contracts.
7 ‒ Do not forget children and youth
Do you process personal data of young people under 16 years of age? If so, you need parental consent. Assessing whether the security controls protecting these special categories (children and youth) are adequate and complete is part of the duty of care the regulation imposes.
8 ‒ Data Breach Notification: Report Incidents
The new regulation introduces a requirement to notify incidents such as the loss or theft of personal data. Reports must be submitted to the competent authority within 72 hours of the event. You need to make sure that your enterprise is able to analyse a possible incident within the time limit set by the regulation. Keep in mind that you will have to write a comprehensive report, preferably with support from a legal expert, and that the communications department must be involved. If the incident poses risks to the persons concerned, you will have to inform them too.
9 ‒ Perform Privacy by Design and Privacy Impact assessments
Every time a new plan or project starts, you need to perform a so-called PIA (Privacy Impact Assessment) to identify and evaluate possible risks, which must then be addressed by appropriate controls. To provide evidence that the controls have been implemented, and to make them clearly understandable, they need to be documented in the PIA.
Any service or product you provide must be equipped with data protection controls “by design”, and any baseline configuration required must be guaranteed to be privacy-oriented “by default”. Of course, this applies especially to software and web applications. Having “security development processes” in place gives a strong impulse to the implementation of “privacy by design”. Keep in mind, however, that in our experience planning and implementing such processes for secure software development is a laborious and resource-intensive task, and it also takes a lot of convincing: not only the developers but also their managers need to be won over, and these people are usually already burdened with demanding requirements even without having to fulfil security requirements.
10 ‒ Appoint a Data Protection Officer (DPO)
Under specific circumstances, for instance when you process or evaluate large volumes of personal data, or when you process sensitive personal data, you will have to appoint an operational Data Protection Officer. This person coordinates all issues and requirements concerning data protection across the enterprise and acts as the contact for the relevant data protection authorities. To perform the duties of a DPO correctly, the role must be given to a person with specific competence and experience; moreover, the DPO must not be restricted in the pursuit of his or her duties and must be provided with sufficient resources.
As you can see, if things are done right, fulfilling the requirements of the GDPR is not half as bad as you may think. We hope this checklist has given you a few tips to help you start on the right foot. For any questions, our experienced InfoGuard cyber security specialists are gladly at your disposal. Together with our partner MME, we can offer you a complete solution, including competent answers to legal questions. We look forward to your call and to assisting you!
PS: In our Cyber Security Blog you will find many more posts on the GDPR, as well as on other cyber security and cyber defence topics. Click on the link below, or better still, subscribe to our Blog Update right away and never miss a new post!