Time is quickly running out for businesses not prepared for the May 2018 introduction of the European Union’s General Data Protection Regulation (GDPR), which has the potential to impact any business that interacts with customers that are members of the EU.
Preparing for compliance means that CISOs (or other IT professionals) will have to act quickly to prevent their businesses from racking up large fines, which www.eugdr.org describes as follows: “organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).”
Where to begin
One of the first steps taken on that path to GDPR compliance is to determine if the regulations will impact your operation. That means, you must have a complete understanding of the term personal data, which lies at the heart of the GDPR. According to the European Commission, “Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
With that understanding of what personal data is, it becomes readily apparent that if you create, process, store, or transmit data about an EU resident, your operation will fall under the auspices of GDPR. In fact, research firm PwC states that 92% of US businesses list GDPR as a priority because they are working internationally or have EU students that visit. Put differently, countless healthcare consortiums, financial institutions, and retail businesses are among the organizations that conduct business globally or store EU citizen data in their IT systems. More simply put, compliance officers may need to ask:
- Do we collect or manage data about EU citizens?
- Do we offer products or services to EU citizens?
- Are any of our employees EU citizens?
- Do we accept job applications from EU citizens?
If the answer to any of those queries is yes, then GDPR compliance is a must.
Recommendations for compliance
O’Neill recommends that businesses, at a minimum, should execute the following for all digital properties, including websites (desktop & mobile) and mobile apps:
Communicate privacy policy:
- Write a clear privacy policy explaining use of third-party code and data collection activity
- Post policy banner on homepage
- Deliver internal training
Provide easy-to-use opt in/ opt out mechanism:
- Explain need for tracking and how cookies drive digital operations
- Share links to individual privacy policies of all in-scope vendors on your site
- Allow individuals to explicitly agree and/or refuse tracking
Understand how website/ app-generated data is acquired, used and stored:
- Identify data: Registration, Cookies, IP address, device ID
- Assess the legal basis to collect data and determine if consent is necessary, e.g., Personally Identifiable Information (PII) vs. transaction functionality, etc.
- Evaluate the need for a specific policy regarding data relating to minors (under 16 years old in GDPR; under 13 years old in the U.K. and U.S.)
Support data portability:
- Provide mechanism to easily satisfy a data subject’s request for personal data in a commonly used format.
Incorporate website intrusions into the data breach reporting process:
- The GDPR mandate for websites has been clearly laid out.
- InfoSec must work with internal risk and compliance professionals to ensure all data elements are documented, assessed and controlled.
While the above is only a brief outline of what must be done, IT professionals should clearly see that a plan is needed to meet the requirements of GDPR, and that plan must include several stakeholders, ranging from those who create code to those who manage data to those who act on that data.
Build a comprehensive GDPR plan
The European Union’s (EU) General Data Protection Regulation (GDPR) creates additional security and privacy obligations for organizations to comply with. All organizations, including those outside of the EU that hold data on European citizens, need to review their obligations under GDPR. The eSentire GDPR workbook details the framework requirements, enabling you to map your current approach and gain an understanding of your areas of risk.
With this workbook, you will:
- Understand the key requirements of GDPR;
- Determine how GDPR applies to your company;
- Map your current approach to GDPR and evaluate your areas of risk.