Is your information security strategy ready for GDPR?

The EU’s General Data Protection Regulation (GDPR) will fundamentally change how organizations approach protecting their customers’ data.  It will have important implications for enterprise identity governance programs and security strategies.

The crusade for personal data privacy is about to take a huge leap forward. As of May 2018, any organization handling the data of EU citizens must comply with the EU General Data Protection Regulation (GDPR) – at its epicentre is the fundamental right to data privacy.

GDPR is dramatically broadening the definition of personal data. Under the legislation it refers to any information by which a person can be identified, directly or indirectly. As well as personal data, it also includes the physical, psychological, genetic, mental, cultural, economic, social and online identity of the person. At the same time, GDPR has moved the goal posts and expanded liability for data beyond data controllers. It will be applicable to all organizations that collect, obtain, store, process and transmit data belonging to EU citizens.

The legislation, which comes with razor sharp teeth, will radically change how organizations protect and secure their customer data, giving EU citizens better control over their personal information and how exactly it is collected and utilized. 

Organizations that fail to comply will run the risk of hefty fines – up to 20 million euro or 4% of their global annual turnover, whichever is higher. While the legislation applies to EU citizens’ data only, all organizations that operate in the EU must comply, in essence making it a global data protection law.

There is, however, a silver lining.  Under GDPR, organizations will now have to deal with one supervisory authority instead of one for each member state.  This will streamline the process and should cut down administrative costs.

The key points

GDPR incorporates a number of new data security elements that will necessitate organizations changing their compliance requirements.

Under GDPR, all organizations collecting personal data must demonstrate clear and affirmative consent to process that data.  Silence, inactivity or the use of pre-ticked boxes will not be viewed as consent. Without valid consent from users, any personal data processing activities can be closed down by the regulatory authorities. In addition, the legislation extends the user’s right of access, allowing them to obtain from the data controller confirmation of whether or not their personal data is being processed, where it is being processed and how it will be used.

GDPR also introduces the concept of data portability, giving a data subject the right to obtain personal data in a “commonly used and machine readable format” and, if they so wish, transmit the data to another controller.

Individuals will also have the right to be forgotten, requesting data controllers to erase their personal histories, cease using their data and also potentially stop third parties processing it. 

Confess or be damned

Much of the onus is also being put on organizations to disclose that they have experienced a data breach. If an organization suffers a personal data breach, it must be reported to the Information Commissioner’s Office (ICO) where possible within 72 hours. If the breach is likely to affect the rights of data subjects, they must also be notified. Where data privacy breach risks are high, organizations will be required to carry out mandatory Privacy Impact Assessments (PIAs) to ensure compliance. Privacy audits and PIAs will become a routine part of ongoing security strategies.

Some organizations will need to hire or train up data protection officers (DPOs). GDPR outlines circumstances where data controllers and processors must appoint a data protection officer. This will be where “core activities” require the “regular and systematic monitoring of data subjects on a large scale” or involve processing “on a large scale of special categories of data”.

DPOs will be required to liaise with the ICO and monitor compliance and staff training.  A study by the International Association of Privacy Professionals (IAPP) estimates that once GDPR takes effect, at least 28,000 DPOs will be needed in Europe and the United States alone. It estimates that 75,000 DPO positions will be created in response to GDPR globally.

Getting GDPR fit
May 2018 is not far away, and companies who are not prepared for GDPR need to get their house in order, or run the risk of a large fine.  Organizations need to be integrating GDPR into their information security strategies now.

Organizations, if they haven’t already done so, need to run an audit of their data to get a complete picture of what they hold and what needs to be protected under GDPR. Outline exactly who needs to have access to this data, both internally and via third party stakeholders. Ascertain exactly how well this data is protected. At the same time, make sure there is a GDPR compliant mechanism for informing data subjects and obtaining their consent.

Record management will need to have a retention policy for the lifetime of documents, avoiding any duplication, and ensuring they can be tracked back to their creation.

Fire drills will need to be put in place to address security breaches. Organizations will need to run an impact assessment to highlight any possible risks associated with processing data and, in the event of a breach, have a mechanism for notifying the authorities and affected users.

GDPR – a pillar for privacy
Moving forward, GDPR will be an important pillar both for data privacy and governance. Safeguarding data in the future will undoubtedly be on a ‘need to know’ basis, and information security and privacy strategies will need to be re-assessed to ensure GDPR compliance.


Jan Howells

Jan has been writing about technology for over 22 years for magazines and web sites, including ComputerActive, IQ magazine and Signum. She has been a business correspondent on ComputerWorld in Sydney and covered the channel for Ziff-Davis in New York.