GDPR Readiness - Three Steps to be Ready
By: Karen Hornbeck
With the General Data Protection Regulation (GDPR), or EU 2016/679, going into effect on May 25, organizations globally are taking various steps to be ready. The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union (data subjects), with broad-reaching impact for organizations both within and outside of the EU.
In working with multiple clients on GDPR readiness, a few key focus areas have come up repeatedly. First, organizations must understand their specific roles and responsibilities as data controllers, data processors, or, in many cases, both. The GDPR states that the data controller must exercise control over the processing and carry data protection responsibility for it. The data controller determines the purpose for which data are processed; the data processor, by contrast, processes data on behalf of the data controller. So organizations must understand what data they control (HR-related internal personal data for EU data subjects who are employees, for example) vs. what data they process on behalf of a controller (eDiscovery processing on behalf of a client, for example). If they are a data controller, they must also understand what guidance they provide their data processors on how to handle and process the personal data, and ensure the processors are heeding their direction.
Second, many organizations are employing technology to more effectively map how data flows through their organizations. The GDPR expects organizations to maintain extensive and current internal records of their data processing activities, as specifically cited in Article 30. The Article states that organizations must maintain a record of processing activities under their responsibility, and that the records shall contain all of the following information (only sections c, d and e are highlighted for this blog):
- (c) a description of the categories of data subjects and of the categories of personal data;
- (d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
- (e) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization.
Data mapping technology helps an organization understand and document the purpose and type of personal data being collected, the process by which it is collected, and how it is used, stored and transferred. Many technologies previously used in the forensics and eDiscovery worlds are also being used with great success to develop a data inventory of the potential EU data subject personal data that lives within structured systems and unstructured data stores across an organization. Thoroughly understanding both where the data subject personal data an organization stores lives, and how it moves within and out of the organization, is a critical step that all organizations should take.
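As an added example (not from the original post, and not any vendor's data-mapping product), the following Python script sketches the inventory step described above: it scans a few constructed sample data stores for two categories of personal data, attaches the declared recipient and transfer information that an Article 30 record calls for under sections (c), (d) and (e), and flags stores that hold personal data but have no declared record entry. The store names, contents, recipient labels and detection patterns are all constructed assumptions for illustration; a real inventory would use far richer classifiers and read from the organization's actual file shares and databases.

```python
"""Minimal data-inventory scan producing Article 30-style record entries.

Added example, not code from the original post. Every store, record and
pattern here is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Illustrative detection heuristics for two categories of personal data.
# Real data-mapping tools use many more (and more careful) classifiers.
PATTERNS = {
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone number": re.compile(r"\+\d{2}\s?\d{2,4}\s?\d{4,8}\b"),
}

# Constructed sample stores: path -> content that a scanner would read.
SAMPLE_STORES = {
    "hr_share/employees.csv": "name,email,phone\n"
                              "Anna Beispiel,anna.beispiel@example.de,+49 30 123456\n",
    "crm_db/contacts": "Contact: jean.dupont@example.fr (Paris office)\n",
    "build_logs/ci.log": "2024-05-01 build ok, 1234 tests passed\n",
    "exports/tmp_dump.txt": "copied from crm: jean.dupont@example.fr\n",
}

# Constructed declarations supplied by the business owner of each store:
# the categories of data subjects (Art. 30(1)(c)), recipients (Art. 30(1)(d))
# and third-country transfers (Art. 30(1)(e)). Note exports/tmp_dump.txt has
# no declaration at all, which is the kind of gap an inventory should surface.
DECLARED = {
    "hr_share/employees.csv": {
        "data_subjects": "employees",
        "recipients": ["payroll provider (DE)"],
        "third_country_transfers": [],
    },
    "crm_db/contacts": {
        "data_subjects": "customer contacts",
        "recipients": ["sales team", "email marketing SaaS (US)"],
        "third_country_transfers": ["US (email marketing SaaS)"],
    },
}


@dataclass
class ProcessingRecord:
    """One Article 30-style entry for a data store holding personal data."""
    store: str
    data_subjects: str                 # Art. 30(1)(c): categories of data subjects
    personal_data_categories: list     # Art. 30(1)(c): categories of personal data
    recipients: list                   # Art. 30(1)(d)
    third_country_transfers: list      # Art. 30(1)(e)


def classify(content: str) -> set:
    """Return the set of personal-data categories detected in a store's content."""
    return {name for name, rx in PATTERNS.items() if rx.search(content)}


def build_inventory(stores: dict, declared: dict) -> list:
    """Scan every store and emit a record for each one holding personal data."""
    records = []
    for store, content in stores.items():
        categories = classify(content)
        if not categories:
            continue  # nothing personal found; no record needed for this store
        meta = declared.get(store, {})
        records.append(ProcessingRecord(
            store=store,
            data_subjects=meta.get("data_subjects", "UNKNOWN"),
            personal_data_categories=sorted(categories),
            recipients=meta.get("recipients", []),
            third_country_transfers=meta.get("third_country_transfers", []),
        ))
    return records


def gaps(records: list) -> list:
    """Stores where personal data was found but the record is incomplete:
    no declared data-subject category, or no declared recipients."""
    return [r.store for r in records
            if r.data_subjects == "UNKNOWN" or not r.recipients]


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_STORES, DECLARED)
    for rec in inventory:
        print(f"{rec.store}: {rec.personal_data_categories} subjects={rec.data_subjects} "
              f"recipients={rec.recipients} transfers={rec.third_country_transfers}")
    print("incomplete records:", gaps(inventory))
```

The useful output is the gap list, not the pretty-printed records: a store that contains personal data but has no owner-declared purpose, recipients or transfers is exactly the undocumented copy (an ad-hoc export, a forgotten share) that both the Article 30 record and the Article 32 security measures are likely to miss.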
And third, although the GDPR is widely thought of as a privacy-focused regulation, there is no escaping that properly securing data subjects' personal data is a critical tenet of the regulation. Article 32 requires data controllers and data processors to implement technical and organizational measures that ensure a level of data security appropriate to the level of risk presented by processing personal data.
And while the GDPR does not specify a particular methodology for securing data subjects' personal data, some basic steps should be taken. From the technical perspective, among other steps, organizations that process personal data should have a penetration test of their network and a vulnerability assessment of their infrastructure. The firm performing the penetration test and vulnerability assessment will provide the organization with a list of issues and vulnerabilities found, generally grouped into critical, high, medium, low and informational categories. The organization can then use these results to determine which technical fixes require the most urgent attention. From the organizational perspective, organizations need to ensure their incident response processes are thorough and practiced, that there is effective management oversight, and that they provide security awareness and training more than just once a year (among other steps).
GDPR compliance is a large undertaking for almost every organization impacted. However, many of the policies, programs and technologies that organizations will implement support basic privacy and security best practices. Organizations that take the time to fully understand what data they gather, store, and process will inevitably gain multiple additional benefits beyond regulatory compliance. The data mapping exercises can drive improved decision-making and more efficient and effective information security controls. The retention requirements will help organizations further promote their Records Management programs, resulting in storage savings and increased compliance with a myriad of other regulations. And the increased awareness among the organization's employees of proper data access and handling could help minimize various cybersecurity threats and drive a culture where all employees actively understand their role in securing sensitive and confidential information.
Please continue with Part 2 and Part 3 of our three-part GDPR blog series.