The final countdown to GDPR

Aug 02, 2017
With less than 10 months to implementation, General Data Protection Regulation should be high on the agenda of every business and board.

After many years of negotiation, the General Data Protection Regulation (GDPR) was adopted into European law in May 2016. This new cybersecurity and data protection legislation will affect customers in Europe and also those around the world who do business with Europe-based companies.

It is important to point out that most of the articles in the regulation already appear in the legislation of individual countries. The aim of GDPR, however, is to harmonise data privacy laws across Europe and create a level playing field.

EU companies now have until 25 May 2018 to implement and conform to the new regulations, or face large fines. So if you have not considered GDPR thus far, now is the time to act.

A parallel directive affecting the processing of data by law enforcement authorities was agreed at the same time as GDPR, so the EU authorities are clearly taking a serious stance on this topic. However, recent surveys of Irish firms concluded that many are significantly unprepared for the new EU data protection law, with over half of organisations surveyed unlikely to detect a sophisticated attack.

In this article, we will provide you with strategies and ideas to implement in your own company as you work towards achieving compliance.

Major knock-on effects

GDPR brings significant changes to how firms must handle and process personal data. Your organisation’s existing processes – which may include collection, retention and deletion, general inputting and so on – must be revised so that they comply fully with the new data protection rules, which are stricter than ever before.

When legislation of this nature is announced, one can take a benevolent or malevolent view of the task at hand. If you take a malevolent view, you will see it as more bureaucracy, more cost and so on. If you take a benevolent view, on the other hand, you will view GDPR as a fantastic opportunity to tidy up your data, reconnect with your customers and build better and more solid relationships.

Let’s take the benevolent view and state that, first and foremost, GDPR is for all EU data subjects and their protection. Customer data belongs to customers and GDPR makes this clear. You might provide data to a company, but this does not mean that they now own it. They merely borrow it and under GDPR, they will need to protect and explain more clearly why they have it.

Your organisation’s internal governance processes should now be reviewed and, more than likely, altered ahead of the GDPR implementation date. For example, if you process data, new data governance obligations will apply, including a requirement to prepare and keep records of your processing activities. You will also be required to demonstrate how decisions to use data for further processing are reached.

Transparency will be more important than ever before. Personal data must therefore be processed in a transparent manner (i.e. collected for explicit and legitimate purposes), limited to what is necessary in relation to the purposes for which they are processed, and must be accurate and kept up-to-date.

New rights for data subjects

A data subject is the living person to whom personal data relates. Under GDPR, data subjects will have far more control over their personal data and, quite significantly, the right to be forgotten. This means full erasure of their personal data.

Data subjects will also have the right to data portability (i.e. the ability to obtain and reuse their personal data for their own purposes across different services) and, where they request information about their data, organisations must make it easy to submit such a request and must provide a comprehensive response within one month of the date of request.

All of this will inevitably lead to a major increase in the administrative burden for organisations, and that burden will be particularly onerous for those companies who store data on paper.

New responsibilities

First and foremost, consider your new responsibilities from the perspective of protecting people’s digital data. Data protection is not linked to a specific technology, and GDPR is principle-led for the protection of EU data subjects in general. A new concept of joint liability for both data controllers (the entity that determines the purposes, conditions and means of the processing of personal data) and data processors (the entity that processes personal data on behalf of the controller) will come into force under GDPR. The data processors will be jointly liable to data subjects for damages unless they can prove, for example, that a data breach was not their fault. Punishment for breaches will not be extreme and will be related only to how sensitive the data is that you hold, and what steps you have (or have not) taken to protect it. The implication here is that previous contractual obligations may need to be revised and new contracts will require appropriate stipulations.

Data controllers will have far more responsibility to provide accurate information on how data is processed. They will, for example, be obliged to detail the retention period for the data and provide information about the legal basis for data processing. And it is not only data controllers who will need to maintain records of their processing activities; data processors will as well.

‘Data protection by design’ is a new phrase in the data protection lexicon. It means that, in each element of designing or compiling a new data-based solution, organisations must demonstrate that the rights of the data subject were considered through encryption or pseudonymisation, for example.

Where a security breach occurs, new notification procedures apply. For instance, data processors must report breaches to the data controller. Data controllers must in turn report security breaches to the country’s supervisory authority without undue delay and no more than 72 hours after becoming aware of the breach. Furthermore, privacy impact assessments will be required when firms wish to undertake certain types of personal data processing.

Transfer of personal data

The provisions on transfer of personal data remain largely the same as those outlined in the previous Directive. However, data transfers under the ‘safe harbour’ mechanisms are no longer permissible. The EU/US Privacy Shield agreement was adopted by the European Commission in July 2016 and contains far more stringent rules than the previous ‘safe harbour’ agreement. It will, for example, offer more channels for the data subject to seek redress.

Next steps

To get your preparations under way, we suggest that you:

• Identify the areas of your business that may be impacted by GDPR;
• Seek help to design, develop and implement solutions in line with data privacy requirements. You should also take operational, IT and information security perspectives into consideration;
• Design systems to detect, address and prevent security breaches through integrated hardware and software solutions. This should include the discovery and classification of sensitive data, vulnerability assessment, activity monitoring, quarantining, the protection of sensitive data and so on;
• Ensure that you are compliant in how you process personal data through your internal governance processes and how you keep track of reporting data breaches; and
• Design governance structures to build confidence in the way your data is explored and managed, particularly for unstructured data.

A force for good

The GDPR preparation period is a great time to review your data – not just for the purpose of GDPR, but for business development reasons also. Ask yourself: do you really know your customers? Can you help improve their relationship with you, so that you better meet their needs while protecting the information they have given you? Consent and general usage of personal data must be assessed no matter what. That said, you can turn this requirement into a force for good and build much greater trust with your customers and employees in the process.

Look outside

Your organisation may need to employ outside expertise to build internal capabilities, next generation threat intelligence systems, and enterprise monitoring and security operation centres. Ask yourself if your company has a robust plan for the management of security incidents. If you are not confident, now is the time to assess that risk and implement the appropriate security measures that will allow you to deal with incidents within your own firm.

Conclusion

Europe’s new regulatory environment for cybersecurity and data protection is less than a year away. It will offer both opportunities and challenges, ranging from improved governance to securing applications and infrastructure. In a globalised and more interconnected business world, being able to navigate the regulatory environment of the future will be a critical success factor for practically all businesses.

Your ability to deploy the appropriate security and data protection controls and procedures in a way that can be rapidly demonstrated is now a matter of good governance.

The clock is ticking, so there’s no time to lose.

Billy O'Connor is Managing Director at The Discovery Partnership and a registered IBM Business Partner.