The GDPR (General Data Protection Regulation) will come into force in May 2018 covering any organization collecting or processing data on individuals living in the European Union. With just over a year to go, here’s a quick top ten list to check how well your plans are shaping up for conformance.
This list is part of a longer list of 26 questions available in the 2017 edition of the e-book “GDPR – An Action Guide for IT”.
1. Does senior management understand the importance of GDPR?
GDPR can cost you up to 4% of global turnover in fines (or $20,000,000, whichever is higher), along with bad publicity and class action lawsuits. It affects everyone worldwide, not just organizations based in the EU, so senior management needs to take it seriously.
2. Do you know where your data is today?
The regulation covers all existing data as well as new data collected after it goes into effect, so the best place to start is finding out where all your current data is housed, the type of data being kept and the processes for access, safe storage, backup, and control.
3. Do you have a process to provide data to individuals who ask?
The GDPR provides users (data subjects) with the right to demand data controllers (the organizations holding the data) provide their data back to them, in machine readable form. Are you ready to respond to requests, to collect together all data from all sources on the individuals, and deliver it back?
4. Do you have a process to delete data if demanded?
Data subjects can demand that their data be deleted. Do you have a process for handling such a request when it arrives?
5. Do you understand the consent rules?
There are many areas that cover data collection, consent, data use and the length of time data is kept. Often, marketing departments are not sure of the rules. You need to be able to answer a regulator asking “where did you get the data and how did the data subject agree to it being collected?”
6. Do you know which outsourcers have access to the data?
Assuming you are a data controller (someone who collects data, such as through a web site), you are responsible for the safe keeping of that data no matter who is handling it. You are ultimately responsible if a data processor (outsourcer or cloud provider) loses that data. Are you sure of their policies, procedures, and technology to keep it safe?
7. Are you sure you can detect data breaches?
You don’t want to be informed of a data loss incident by the users themselves or by the data protection authority. Do you have technology that can detect breaches that have taken place, forensics available to investigate how the data was lost (or changed), and can you go back in time through full user logs to identify the incident and understand its scope and impact?
8. Do you follow privacy by design and privacy by default principles when designing new systems?
Privacy should not be an afterthought, a bolt-on added sometime between the initial coding and delivery of a new system. It should be designed in from the start, peer-reviewed and tested, and the data controller needs to be able to show that adequate security is in place, that it is monitored, and that the strictest data protection policies will apply by default. If you design your own custom apps, are these the standards you work to? When deploying purchased systems, is privacy set at its tightest by default?
9. Do you have a communication plan ready to go after a data breach?
One day, you may be the victim of a data breach and need to answer questions from customers and the press immediately. Are you ready for each possible scenario? Have you decided on a communication plan that reduces the impact on your support team while giving the most accurate information to the data subjects? Who is your company spokesperson, and will you be ready even if the breach becomes public outside usual office hours?
10. Have all processes and data flows been documented?
If a breach occurs or the regulator investigates the organization, you need to have documents that explain the complete data flows. The level of fines will take into account the processes, technology, and documentation that describe the systems and the flow of data. Are you ready to answer those questions?
It was very difficult to cut this down to ten questions, and no doubt we could argue about whether these are the top questions right up until the regulation comes into force. But if you can’t answer all of them, then you only have a year to work on them. If these questions were all easy to answer, well done, you are well on your way – feel free to read the book for the rest.