Now that the first anniversary of the General Data Protection Regulation (GDPR) has passed, you should have a good idea of how to be GDPR compliant, especially since the amnesty period is essentially over. As we enter the second year, the focus will be on whether the companies that have attested to compliance can maintain it. If your organization is asking how to be GDPR compliant, or how to remain compliant, this list of 4 tips will help.
Step 1 – Perform Data Mapping and Risk Analysis
The best first step to GDPR compliance is easy to explain, but challenging to complete for many organizations. You must know your data.
- What personal data does your organization hold?
- Is the personal data sensitive or non-sensitive?
- If the personal data is sensitive:
  - Why do you have it?
  - How/where did you get it?
  - How/where is it used?
  - How/where is it stored?
  - Who can access it?
  - How is it transported, processed and/or modified?
  - How do you secure it?
  - How is erasure/destruction of the data completed?
To best know your data, you should complete a data mapping and risk analysis exercise. This requires input from all aspects of an organization, since data is often held or shared across groups or verticals. Consider not only obvious data sources, such as databases for software applications, but also sources of data that you may not think of as “personal data,” such as CCTV footage, front desk sign in sheets, or biometric data. You must know your data’s “journey” through your organization, from the moment you obtain it to the day you destroy it.
When determining the risk associated with sensitive personal data, ask yourself this simple question, “How concerned would I be if this information about me was released?” You can also take a Marie Kondo approach to personal data – if you do not need it, get rid of it. Nothing brings joy like lessening the burden and cost of storing and protecting sensitive personal data.
To maintain GDPR compliance, an organization needs to complete this exercise whenever a change occurs to the data – new data is brought in, existing data is retired, data is paired together in a different way, processes for handling data change, etc. Reviews should be completed at least annually.
Step 2 – Do a Technology Map and Risk Assessment
Just as your organization needs to know its data, it must also know its technology. A review of the technologies (hardware, software, networks) used to obtain, collect, store, alter, erase, process and transport personal data is crucial to visualizing your data’s journey. These systems and their related processes must be properly configured, hardened, maintained and retired to ensure that personal data is properly handled under GDPR.
Process mapping with a focus on technology and data is recommended for achieving that single view of your data and technology ecosystem and for meeting the Privacy by Design requirements of GDPR. These flowcharts allow you to see which systems are used with which data processes. This allows you to determine the best configuration for security controls. Be sure to include all relevant technologies from across the organization, even ones that may not seem as obvious – cameras, door access systems, firewalls, etc.
Based on the first year of GDPR and the fines that have been issued, here are some specific technological issues you should address when placing controls around personal data:
- Enable 2 Factor Authentication (2FA)/Multifactor Authentication (MFA), when available
- Enable end-to-end encryption, when available
- Enable strong password encryption
- Have strong access controls (who can access what data) in place
- Have a system for capturing and tracking user consent
- Complete regular vulnerability scans and penetration testing of web sites, web applications and web services.
To maintain GDPR compliance, an organization needs to complete this exercise whenever a change occurs to technology – new technology is purchased and brought online, existing technology is retired, technology processes for handling data change, etc. Reviews should be completed at least annually here as well.
Step 3 – Identify and Document Data-related Business Processes
Your organization must have documented business processes related to the handling of personal data. More importantly, you must test these processes on a regular basis to be assured that they are optimized and meet the requirements of GDPR.
Common data-related business processes an organization should document, test and keep up-to-date include:
- Privacy Policy
- Information Security Policy (ISP)
- Incident Response Plan (IRP)
- Business Continuity and Disaster Recovery Plan (BCDR)
- Data Privacy Addendum (DPA)
  - Clients
  - Third Party Vendors/Service Providers
- Processes for the handling of GDPR individual rights requests (informed, access, rectification, erasure, restrict processing, data portability, objection and automated decision making and profiling restriction)
- Process for data transfers
To maintain GDPR compliance, an organization needs to complete testing and documentation updates whenever a process change occurs. Be sure to schedule annual reviews.
Step 4 – Provide Education and Training
GDPR requires persons in an organization to complete privacy awareness training. Training in how to be GDPR compliant should make employees aware of the regulation, how it impacts their day-to-day job, and the role they play in data and privacy security. To be effective, the training should be continuous, and preferably supplemented with role-based training which addresses unique functional requirements. Your goal should be to create Security-Minded Employees who work to protect the organization.
The biggest news in GDPR compliance in its first year was the €50 million fine imposed on Google by the Commission nationale de l’informatique et des libertés (CNIL) due to a failure of transparency and the company’s vague consent agreements. To avoid this type of situation in your organization, you must obtain and maintain GDPR compliance if you hold or process personal data of “data subjects” from the EU. Be aware that responsibilities under GDPR change as your organization changes – it is never a “one and done”.
Summary
One year into GDPR, organizations need to know whether they are compliant and how to stay compliant.
Understand what personal data your organization holds and whether that personal data is sensitive or non-sensitive.
To maintain GDPR compliance, organizations should repeat the data mapping exercise whenever their data changes and keep reviewing technology maintenance and configuration.
If your organization is asking how to be GDPR compliant, or how to remain compliant, this list of 4 tips will help.