On May 25, the European Union’s General Data Protection Regulation (GDPR) takes effect, changing the manner in which companies all over the world – not just those in the EU – store and use the personal data of people in Europe. GDPR applies to any company that processes the personal data of individuals located in the EU, whether or not the company has a European presence, and its requirements include:
- Keeping records of all personal data processing activities.
- Performing data protection impact assessments for high-risk processing activities.
- Having a lawful basis for each processing activity and, where that basis is consent, obtaining it through an affirmative opt-in rather than pre-ticked boxes or inactivity; honoring individuals’ requests to delete their personal data where the right to erasure applies.
- Notifying the supervisory authority within 72 hours of becoming aware of a personal data breach, and notifying affected individuals without undue delay when the breach is likely to result in a high risk to them.
In order for U.S.-based companies to adequately prepare for GDPR compliance – and avoid fines of up to 4 percent of global annual turnover or €20 million, whichever is higher – it is critical to conduct a detailed assessment of the extent to which your organization collects personal data and to ensure that proper safeguards are in place throughout all divisions of your organization.
So, with three months to go, where should you be in the process?
Prepared organizations have likely conducted internal audits to determine the type of data they collect, how they collect it, whether they have secured consent or rely on another lawful basis, and their current data protection and destruction practices. Data mapping software is available but not required; mapping can be accomplished through a coordinated effort across an organization’s various departments – IT, business development, human resources, etc. – to determine the ways in which the company collects, processes, shares, and retains personal data.
It is critical that every organization has the following:
- An enterprise policy for system configuration baselines, with monitoring to identify deviations from them.
- Security controls in place to detect, manage, and mitigate a data breach. This is the “appropriate technical and organisational measures” standard in Article 32 of the GDPR, which looks to the confidentiality, integrity, availability, and resilience of an entity’s processing systems and the data stored there.
- Continuous monitoring of log files to identify attempted and actual breaches.
- A documented incident response process to detect, respond to, and remediate a breach.
- Secure use of cloud services, including contractual and technical controls over the processors that handle personal data on your behalf.
- A breach plan that includes notification of the supervisory authority and, where required, affected individuals.
- A strategic plan that ensures active consent where consent is the lawful basis, minimizes the amount of personal data collected, and limits access – both internally and externally – to the personal data collected.
- Where Article 37 requires one (and as good practice otherwise), a designated data protection officer who has expert knowledge of data protection law, is independent and autonomous, and reports directly to the highest level of management.
With luck, you have been working on just those types of policies and procedures regardless of the GDPR. But if not, the GDPR should leave no doubt that you must have a buttoned-up cybersecurity program.
The checklist above is just a start; there is much more to advancing cybersecurity and data protection hygiene generally. GDPR puts the burden on the company to manage the risk its own personnel create. You cannot detect a breach quickly enough if your own people are not ready, willing, and motivated to report one.
A successful GDPR-compliant organization will emphasize extensive personnel training and require internal reporting of security incidents. It truly comes down to your culture, your people, and whether they are trained to speak up about an IT security incident and will do so without fear of retribution. When you consider that employees reportedly hide an IT security incident in 40 percent of businesses worldwide, your greatest vulnerability may lie not within the cloud or your configurations but with your hardworking, well-meaning employees.
Regardless of where your organization is on the spectrum of GDPR preparation, the resources below can help during the final months of preparation for GDPR compliance. And keep in mind that you don’t have to go it alone: contact Parker Poe’s Cybersecurity & Data Privacy team for more information.
European Resources
- Infographic outlining an organization’s responsibilities in collecting personal data under the GDPR.
- Examples and explanations of GDPR’s requirements from the European Commission, including:
  - Principles of GDPR
  - The types of personal data that may be collected and the methods by which they may be collected
  - The amount of personal data that may be collected
  - The information an individual must be provided in order to give informed consent to the collection of his or her personal data
  - Obligations imposed on an organization by the GDPR
  - Use of a risk-based approach to data collection
  - Procedures following a data breach
  - Data protection by design and by default
  - The role of data protection officers
  - The rights of individuals in the EU
    - The right to have personal data deleted
    - The right to have personal data transferred
    - Affirmative consent, eliminating opt-out consent
  - Enforcement and sanctions under the GDPR
    - Levels of oversight
    - Significant monetary penalties
- The United Kingdom’s Information Commissioner’s Office Guide to the GDPR
- Guidance from the Article 29 Data Protection Working Party on:
  - The right to data portability
  - Data protection officers
  - Determining high-risk data processing and the data protection impact assessment
  - Consent
  - Transparency
Key Provisions of the GDPR
- Ability to lawfully and fairly obtain consent and process personal data
  - Article 5
  - Article 6
  - Article 7
  - Article 9
  - Article 10
  - Chapter 9 (Art. 85-91)
- Ensuring proper emphasis on compliance within an organization
  - Article 5
  - Article 27
  - Article 37
  - Article 38
  - Article 39
- Collecting employees’ personal data
  - Article 10
  - Article 12
  - Article 13
  - Article 14
- Providing transparent data collection policies and consents
  - Article 12
  - Article 13
  - Article 14
  - Chapter 4: Obligations of Controllers and Processors
- Developing and implementing data breach procedures
  - Article 32
  - Article 33
  - Article 34