On May 25th, 2018, The European Union’s General Data Protection Regulation (GDPR), designed to reform data protection in Europe comes into force worldwide. This particular regulation is the result of over 4 years of collaboration between the European Council & Parliament, who desired to make a more clarified stance on the protection of citizens’ personal data. The GDPR includes directives to protect citizens’ fundamental rights, gives data subjects a wider range of rights, and specifically includes the personal data of victims, witnesses, and suspects of crime.
The projected penalties for noncompliance are very steep, yet Gartner predicts that over half of all businesses are not prepared for the legislation. To help IT teams understand which GDPR requirements will affect their organization, below are 5 questions to ask the Chief Information Security Officer about company compliance.
5 questions to ask the CISO about company compliance.
Do where know what personal data we hold and where it resides?Going forward, organizations will need to generate a Data Protection Impact Assessment (DIPA) to clearly document and analyze areas of high risk data processing. During the DIPA, organizations must actively locate the personal data being collected from their end users, and surmise why the data is being collected. This self-reported assessment must always be on hand and ready for randomized regulatory inspection or compliance audits.
Who has access rights to the personal data?The GDPR plainly calls for limiting unnecessary access to personal data, and ensuring all access Is authorized. Organizations must analyse policies on data handling, data retention, data manipulation, and data destruction.
Who actually accesses the personal data, and why?Organizations need to know exactly who, when, and why users are accessing personal data, and ensure that there is a legitimate reason for it. Privileged access to personal data should be nominative – just having a senior position in a company should not ensure endless access to personal data.
Could we quickly detect and investigate a breach?Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. Organizations must notify the local Data Protection Authorities (DPA) within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach. This doubles down on the need to know which personnel access the data, what activities they performed, and when it occurred.
How can we minimize the volume of personal data?Under GDPR, businesses are required to minimize the personal data that they retain, especially if it is not necessary for daily operations. If data is not necessary for the business to run, then the GDPR states that the data should be pseudonymized or eliminated.
How can we prevent database data from being accessed outside of the country/EU?The GDPR strictly restricts the transfer of personal data outside of the European Union to countries or international organizations that lack adequate data protection laws. This clause insures the continual level of protection afforded by GDPR to European Citizens globally. Going forward, organizations must know where they are transferring data.
Do we need to appoint a Data Protection Officer?A Data Protection Officer(DPO) is an enterprise security leadership role required by the GDPR. DPOs are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR.
Your organization is required to appoint a Data Protection Officer (DPO) for your business if the core activities of your company consist of:
- personal data processing which requires regular and systematic monitoring of individuals on a large scale; or
- is about special categories of data on a large scale and data relating to criminal convictions and offenses. ‘Special categories of data’ is the type of data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; genetic data, biometric data or data concerning health or sex life and sexual orientation.
Tip: Use this diagram to figure out if your organization is required to hire a DPO.
Figure 1 - Data Protection Officer Decision Tree
Click here to see a high-resolution version.
Use your EA practice to prepare for GDPR now.
GDPR will gravely impact the way businesses collect, handle, store, and transfer personal data. For large organizations, finding out where data is stored, and who has the right to access it will take a lot of ground work. Consider using a EA dashboard to prove GDPR compliance. Learn more below.