Have you been receiving a number of privacy policy updates in your email from services you use? Did you wonder why all of a sudden you were getting these all at the same time? Well, it is all because of the General Data Protection Regulation (GDPR).
On May 25th, the GDPR train arrived at the station for organizations around the world. While the GDPR is a European Union Regulation, its tentacles stretch to countries around the globe. Essentially, if your organization transmits, receives, processes, or stores data relating to European Union (EU) citizens, you are impacted by the GDPR. If you’re not ready, you’re actually in the majority.
Now, this is not something to be proud of, especially since the impact of non-compliance could be significant financial fines. This blog post will outline a high-level GDPR compliance checklist and provide some practical advice to get your GDPR compliance program on the fast track (if it is not already).
What Are the Key Tasks to Complete for GDPR Compliance?
There is a lot to digest with the GDPR, especially since we as Americans rather liberally give out our personal information without a second thought. To me, the GDPR is a good thing, especially when put in context of the seemingly continual breaches that involve individuals’ identifiable information.
As stated in the first paragraph of the regulation, “The protection of natural persons in relation to processing of personal data is a fundamental right.” This is the context in which the entire regulation is framed.
To assist in providing an elemental understanding of the GDPR requirements and a vector for your compliance activities, below are some of the key areas in which to direct your focus.
High-Level GDPR Compliance Checklist:
- Determine how your organization is categorized with regard to the GDPR. There are three primary categories into which organizations fall — controller, processor, or third party. Below are the definitions provided in the GDPR:
- Controller: “…the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”
- Processor: “…a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
- Third party: “…a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.”
Understanding how your organization is categorized will help you focus your efforts and not waste precious time and resources addressing areas that are not applicable to your organization. If your organization is a controller or processor, then you will likely have to appoint a Data Protection Officer (DPO).
2.) Understand how personal data flows through your organization. This task is a key element in comprehensively protecting the personal data in your organization and decreasing the risk of non-compliance with the GDPR. This task, though, is not an easy one as an organization should map how personal data is received into the organization and everywhere it flows through the organization. In addition, an organization must understand if the flow of personal data through the organization is authorized at each step and who has access to that data as it flows through the organization.
3.) Communicate to the individuals that are giving you their personal data. Tell them the who, what, when, where, why, and how regarding the collection and use of their personal data. For example, inform individuals how personal data is collected, why it is collected, how it is used, how long it is stored, who has access to it, etc. This is primarily accomplished through an organization’s privacy policy. Be clear in your privacy policy and avoid “legalese.”
4.) Provide the ability for individuals to consent, opt out, access, and correct their data. The important point to remember is that personal data belongs to the individual, not your organization. Consent by a data subject (a.k.a. a person) is defined in the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Consent is also described as a “clear affirmative act” and “a true choice.” This is an important element of consent – individuals must participate in an “affirmative act” and “clearly choose” to share their data. An “affirmative act” or allowing individuals to “clearly choose can be providing a checkbox for individuals to click in order to consent to the use of their data.
As depicted in a recent privacy policy I recently received from a service provider, merely stating “By using <company name here> Products and Services, you consent to the privacy practices described in this Policy” is not appropriate and does not meet the threshold of providing an “affirmative act.” In addition, the first paragraph of Article 7 states that “where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” In the example provided, the controller would not be able to demonstrate consent through just the use of the products and service offered. The ability for individuals to opt out of the use of their personal data must be as easy as it was to originally consent to the use of their data. In addition, if personal data is processed for multiple purposes, consent must be obtained for each purpose.
If requested, an organization must be able to provide all personal information about the individual in its possession without undue delay. In GDPR parlance, this is called the “Right of access by the data subject.” Termed the “Right of Rectification,” organizations must also provide a way for the individual to correct any personal information in the possessed by an organization. It behooves organizations to think through how they will ensure all personal data in its possession will be securely shared with the requestor and how it will incorporate corrections supplied by the requestor.
5.) Provide the capability for individuals to port their data. Known as the “Right to Data Portability,” individuals have the right to request and receive their data from a controller in a “structured, commonly used, and machine readable format.” As a result, organizations, specifically controllers, must have the capability readily available to meet this right of the data subject. This will require controllers to potentially convert data from native formats they use to a format such as comma separated values (CSV).
6.) Provide the capability to completely erase an individual’s data. This data subject right is probably one of the most discussed of all the data subject rights in the GDPR. This “Right to be Forgotten” has technical impacts to processors and controllers in that they must erase all personal data relating to the data subject. Now, that is easier said than done and will depend heavily on the technology in use. One especially sticky issue is with backups and log files. One key element to remember is whether or not the backups and log files are online. If they are offline and not searchable, then you may have more wiggle room to not have to comb through the backups and log files to delete references to a specific data subject. The important thing to remember is whether or not you feel your actions with regard to erasure of data subject personal data will stand up in court. If there is any concern that it won’t, then rethink your approach to erasure of data. One other important element is that parties responsible for erasure of data must inform the data subject within one month about the measures taken to erase the data or provide rationale as to why the data was not released.
7.) Protect the data you have – data protection by default and design. Hopefully, this is nothing new. Organizations should already have controls in place to protect the data that they have and the ability to monitor and understand the operating effectiveness of those controls. Essentially privacy and data protection should be considered throughout an organization’s processes and technical implementations. We all know that “bolt on security” is ineffective. The same goes for considerations of privacy and data protection once software is developed or technical solutions are implemented. Privacy and data protection should be “baked in” to every process and technical implementation.
8.) Implement an incident response and breach management program. Like data protection by default and design, this should not be a new concept for organizations. Independent of GDPR requirements, organizations should already have an incident response and breach management program in place that is well exercised (e.g. more than once a year) and improved upon through “lessons learned” sessions. In this category, GDPR does add specific elements regarding reporting. Controllers must notify their supervisory authority within 72 hours of the breach, and processors must notify controllers of any data breach “without undue delay.” Each member nation will have a supervisory authority.
Specific breach reporting requirements can be found in Articles 33 and 34. Communication to the data subject may not be required if specific technical means implemented maintain protections on the data (e.g. encryption). Article 34 outlines the conditions where reporting to data subjects may not be required.
What Do You Do If Your Organization is Not Compliant with the GDPR?
May 25th has come and gone, and your organization is not GDPR compliant. Now what? Well, as mentioned previously, you’re in the majority, but don’t take that as a sign to let up on the gas. Keep moving forward with your GDPR compliance plans, especially since there are GDPR penalties for non-compliance. You can find a summary of the GDPR penalties here. Focus first on the low hanging, but important, fruit such as the following:
- Update your privacy policies.
- Ensure consent is obtained via an explicit action by the data subject before processing of personal data.
- Appoint (or hire) a DPO as applicable for your organization.
- Review internal controls to ensure depth and breadth of coverage to protect personal data. Develop a plan to address any shortfalls.
- Update your Incident Response Plan according to GDPR requirements and then exercise the plan.
Then continue working off items on your GDPR checklist. While there are penalties for non-compliance with GDPR requirements, the courts are already working on lawsuits brought against Google and Facebook. It will be interesting to see the outcome of the lawsuits.
Summary
Like it or not, the GDPR is here to stay. If your organization collects, stores, transmits, or otherwise has access to personal data of EU citizens, then it applies to you. Hopefully, the term “GDPR’ is not foreign to you and your GDPR preparations are well underway, if not complete.
While there are many nuances or exceptions to the various requirements, the foundational GDPR requirements are relatively straightforward. If you have any questions regarding GDPR compliance, please contact Linford & Company.
Looking for additional information? This web-based version of the GDPR that has a great layout and search capability.
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.