Kris Lahiri, Chief Security Officer for Egnyte, in the second of a monthly series, takes an in-depth look at how organisations should be preparing themselves for the upcoming General Data Protection Regulation.
A report produced by the Close Brothers, June 16, revealed that only 4% of British small to medium-sized companies (SMEs) understand the impact of the European Commission’s upcoming General Data Protection Regulation (GDPR). A staggering 82% of companies surveyed have either not heard of the GDPR or don’t understand its importance. The remaining 14% are seeking further advice on how it will impact their workflows.
The good news is that you are going to find it easier to adjust to the new rules if you have been complying with the EU Data Protection Directive 1995, since the GDPR draws on the EC’s Directive. EU businesses will have to ensure that they are ready to guarantee the updated rights enshrined in the GDPR and prepare for the new ones, such as the right to data portability and, where applicable, the right to be forgotten. In a nutshell, companies operating under the current regime will have to make sure they have their shop in order between now and the beginning of 2018.
On May 25, 2018, new rules concerning the accumulation and usage of data will come into effect. In this post-GDPR world, you’ll have to gain unambiguous consent before collecting personal information, you’ll need to wipe it after a predetermined period, and in the event of a breach, you’ll have to notify the relevant authorities and the appropriate individuals within 72 hours.
What’s more, not being based in the EU won’t save you. If you market products to any of its member states, and if you handle the data of any one of the bloc’s 508 million residents, it doesn’t matter if you’re based in Brussels, the US, or an Antarctic weather station: you’ll be expected to comply. If you don’t, you could end up paying €20 million in fines, or 4% of your annual turnover (the larger amount, naturally).
So what are the steps to prepare for the GDPR?
Phase 1: Awareness
By now you should have raised awareness of the GDPR within your organisation. Develop an approach that your organisation will take, collect information on your current policies and practices, and create a project plan. Gather the appropriate personnel to form a steering group and inform decision-makers on the impact of the GDPR. Understand whether you are a data processor or data controller; maybe you are both.
Egnyte is both a processor and a controller. We control the personal and sensitive data of our EU employees. We are also a processor as our file share sync solution, Egnyte Connect, processes clients’ data. However, we do not have access to that client data; our technology simply processes their data for them.
The next step in Phase 1 is to get a complete information audit off the ground and fully understand your personal data processing protocols, as well as how you process your customers’ data.
Ask the following questions:
• Where is personal data stored?
• How secure is it?
• Who has control?
• Is it shared?
• Do you hold data of non-UK EU residents?
• Is data transferred across borders or outside the EEA?
What is your process for maintaining internal records? If you don’t have one, you should create a template for record-keeping, as this is a requirement under the GDPR. Understand the legal grounds on which you currently collect and use data. In particular, examine how consent and legitimate interests are used as the basis for processing personal data, and document these.
Get your IT department involved and conduct a review of your IT systems and procedures. Can they cope technically with the new individual rights in a timely manner? If your organisation suffered a breach, or if a data subject requested access, could you adhere to the response timelines? Can you also comply with subject access requests, data portability, the right to be forgotten, recording objections or withdrawal from processing, and deletion of information? Have your HR department review staffing requirements for data protection compliance, and work through the questions above if you have employees in the EU.
Phase 2: Planning
By now you should have a steering committee in place, meeting regularly to develop the plan. That steering group should include the following personnel: Legal Counsel, HR, IT, and the CISO/Head of IT Security and Operations. It’s time to start prioritising key areas, appointing a Data Protection Officer (DPO) and identifying the areas with the highest risk and biggest potential impact.
The DPO is required to act independently and report to the highest level of management. Smaller organisations can outsource this function to a consultant or firm. The DPO will be responsible for understanding the legal basis for processing and the new requirements on obtaining consent:
– Processing of sensitive personal data
– Compatibility of systems with new rights such as data portability
– Shorter time frames for subject access requests.
Once you have appointed the DPO, have them conduct a Data Protection Impact Assessment (DPIA). This is required for controllers where the processing of personal data is likely to attract much greater scrutiny because of the risk to individuals’ rights and freedoms; DPIAs will be required in particular where processing is automated or carried out on a large scale.
Now that you have outlined your processes and appointed the DPO, next is to review and strengthen technical security measures and prepare for data breach notifications.
Set up internal procedures/strategy for data breach identification; establish the process for notification to the Information Commissioner’s Office (ICO) and affected individuals; explore what “risk” to individuals means; build in effective ways of detecting breaches.
Phase 3: Implementation
Now you are on to changing and implementing new processes, updating old policies, and revising contracts and methods of collecting data. Ensure privacy is integrated by default: collect the minimum amount of information and consider privacy from the inception of the product, service or project.
Review and improve the transparency and legibility of all public-facing documents. Review and audit your supply chain and update contracts. Review and revise legacy contracts to consider mandatory terms; examine the adequacy of mechanisms for cross-border transfers, e.g. contracts with cloud providers. Controllers need to review their selection criteria for processors and update contracts; processors need to understand their new obligations and assess the impact.
Phase 4: Training
Keep up to date with the GDPR and UK plans for data protection reforms through the Information Commissioner’s Office (ICO). Implement the appropriate processes and policies in order to effect culture change and demonstrate compliance with all obligations under the GDPR, including training for staff across the organisation. Understand how codes of conduct and certifications can help with compliance on security. Investigate the possibility of making data protection training part of your onboarding programmes.
Consider registering with Fair Data and receiving accreditation that enables you to demonstrate mastery of best practices. Check out their top ten tips for GDPR.
While the GDPR may appear overwhelming, it presents an opportunity for organisations to approach data privacy and compliance more strategically. The Information Commissioner, Elizabeth Denham, says: “The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information.”
Fifteen months may seem like a long time to get your house in order, but the months will move quickly and you will be much better off taking this phased approach to make sure you are prepared come 25 May 2018.