The European Union will begin enforcement of its General Data Protection Regulation (GDPR) on May 25. Is your organization ready?
"The thing about GDPR is you never know when a breach is going to take place," says Steve Durbin, managing director of the Information Security Forum (ISF), a global, independent information security body that focuses on cyber security and information risk management. "One of the biggest challenges that I think comes with the GDPR is how do you enable an ongoing program within the enterprise? It's not a tick-box exercise. There is a fundamental change required in an enterprise in order to comply on an ongoing basis with the GDPR."
The GDPR was adopted by the EU in April 2016 after more than five years of work to modernize the EU's data regulation. It applies to personal data relating to EU residents regardless of where that data is processed. It also defines the scope of EU data protection legislation. And GDPR gives regulators serious teeth — compliance costs and fines can reach up to €20 million or four percent of global annual revenue for the preceding financial year, whichever is greater.
"Nobody really knows what's going to happen when the clock strikes midnight on May 25," says Dan Frank, principal with Deloitte Risk and Financial Advisory Cyber Risk Services. "I have heard, speaking to a lot of my EU-based colleagues, that it's going to take a while for regulatory authorities to conduct their investigations. We may see it take six, eight-whatever months in order for these regulatory actions to come out. Until there's an incident, you don't necessarily have a problem."
In other words, even if you're late to the game with your GDPR compliance program, you should still get started.
GDPR personal data processing principles
The GDPR is founded on six principles for the processing of personal data. The regulation specifies that personal data shall be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Limited to what is necessary to meet the organization's need
- Accurate and, where necessary, kept up to date
- Kept in a form that permits identification of data subjects for no longer than is necessary
- Processed in a manner that ensures appropriate security of the personal data
"GDPR is about forcing organizations that have the personal data of Europeans to treat that data in a reasonable manner and to be good custodians of that data. It's about making sure the way they use that data aligns with the expectations of European citizens," says Crispen Maung, vice president of compliance at cloud file sharing service Box. "We have seen the concept of GDPR spread more globally than expected. GDPR is, in terms of its concepts and what it tries to do, now being consumed by regulatory bodies in the far east. It's a line in the sand in terms of how they expect their nationals' data to be handled and used."
"Everybody's preparing," adds Mark Settle, CIO of cloud-based identity management provider Okta. "Businesses need to care about where the data is physically from a data sovereignty point of view. Financial institutions, healthcare, even oil and gas are dealing with this."
Is your organization subject to the GDPR?
If you don't already have a GDPR compliance program in place, you should consider whether you're subject to the regulation. Even if your company doesn't have a presence in the EU, you're not necessarily in the clear. The GDPR covers the personal data of EU citizens, and if your company handles that data, it must comply with the regulation. This would apply, for instance, to a hotel in the U.S. that stores information like the names of guests who are EU citizens.
"GDPR applies to potentially every company in the world if they gather personal data of EU residents," says Peter Tsai, senior technology analyst with IT professional network Spiceworks. "Any company that does any sort of business in Europe or with European citizens really needs to pay attention to this, especially if they haven't started preparing. A lot of companies are not doing anything because they're not informed on the issue."
According to the ISF's GDPR Implementation Guide, the regulation applies to any organization established:
- In the EU
- Outside of the EU, but targeting goods or services at data subjects in the EU
- Outside of the EU, but monitoring the behavior of individuals in the EU
Identify a lead supervisory authority
If your organization is subject to the GDPR, you need to identify a lead supervisory authority within the EU. According to the ISF's GDPR Implementation Guide:
- Organizations established in the EU should identify their lead supervisory authority based on the location of their headquarters, or, if the headquarters are not in the EU, the lead supervisory authority should be in a member state where either the majority of data subjects are located or personal data processing takes place.
- Organizations with no establishment in the EU, but with personal data processing applicable under the GDPR, must appoint a representative (established in a member state) where either the majority of data subjects are located, or personal data processing takes place.
Preparing for GDPR compliance
The first step in your compliance program is discovery. You need to identify the extent and nature of the personal data your organization is processing. What personal data is your organization working with that falls within the territorial scope of the GDPR?
According to the GDPR:
- Personal data is "any information relating to an identified or identifiable natural person (data subject)."
- Special categories of personal data are: "data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation."
The next step is to maintain records so you can provide accurate, up-to-date details of all personal data processing. This requirement only applies if:
- Your organization employs 250 or more people
- Your organization employs fewer than 250 people but its personal data processing is likely to result in a risk to the rights and freedoms of data subjects, the data processing is not occasional, or the data processing includes special categories of personal data or relates to criminal convictions and offenses.
The requirements differ based on whether your organization is a controller or processorof personal data (many organizations are both). Controllers are entities that determine the purpose and means of processing personal data. Processors are entities that process personal data on behalf of a controller. In general, the GDPR puts the onus on data controllers when it comes to collecting consent, managing revocation of consent and enabling the right to access personal data. Data controllers are also responsible for choosing data processors that comply with the GDPR.
Once you've identified the data and determined what records you need to keep and how and where all the data is processed, it's time to perform a GDPR requirements gap analysis to establish your current level of compliance. This will help you identify the scope of your GDPR compliance program and the key activities you need to undertake to reach compliance.
In its GDPR Implementation Guide, the ISF suggests organizations determine the priority for addressing gaps in its GDPR compliance by considering:
- Personal data processing that is likely to be high risk (e.g., special categories of personal data, data relating to criminal convictions or offenses, and personal data relating to children)
- Non-compliance in specific areas that would attract large penalties from your supervisory authority
- Changes that may require a long time (e.g., system development must be performed, new IT services procured, and significant changes implemented)
- Practices that do not align with your risk appetite
Steps CIOs need to take to prepare for GDPR
Deloitte's Frank notes that many parts of the GDPR have been around for a long time. After all, it builds on (and supersedes) the 1995 EU Directive on Data Protection. The areas of biggest concern, he says, are the net new GDPR requirements.
One of the big ones, he says, is personal information processing inventory.
"You need a record of all the information you collect from EU residents, how you use it, who you share it with, how you're transporting it, how you protect it," Frank says.
Additionally, the portability and erasure requirements are a big concern. If an EU citizen requests it, you must produce a single data file of all personal data on that citizen that your organization holds. That file must be portable to another entity, and you must be able to delete all of that citizen's personal data on request. That includes employee data, adds Okta's Settle.
"How do you respond to an employee who asks: 'What do you have of mine? I need you to delete that. Can you prove to me that you've done that?'" Settle asks.
Frank says there are 4 key things that CIOs and CISOs need to think about:
- An inventory of personal information processing. "A lot of the data that organizations need is kept in structured and unstructured data repositories. IT plays a key role in inventorying where that data is," Frank says.
- Third-party risk management program. "If the information security function doesn't have a good process for performing third-party security assessments, you're going to have to scramble," Frank says.
- Portability and erasure. "CIOs need to think about to what extreme they're going to take this. You can probably identify dozens, if not hundreds of places where [personal data] is stored," Frank says. "Can you document a procedure to receive those requests, to intake those requests, and respond to that individual? Do you roll the dice and say I'm not going to get a lot of these? The second end of the extreme is to put the technical means in place to create that data file from all of those disparate sources or the ability to delete from all those different sources."
- Privacy by design. Frank says CIOs need to make sure IT change management processes have steps to make sure privacy is implemented by design. That includes data protection impact assessments, he says.