GDPR comes into force!
by Carl Roberts, Chief Information Security Officer at SMT.
Will your CEO be sleeping soundly on 25th May 2018? How about your shareholders, customers, partners and legal department? The EU General Data Protection Regulation (GDPR) comes into force on that day. If you have embraced the concept of an individual’s right to privacy, then may sweet dreams flow on the night.
Some companies react to the upcoming milestone by throwing it to the IT department, not realising the fundamental switch in focus from previous regulations: it’s not about your company’s data, it’s about protecting people’s right to privacy.
It is not an IT problem
The GDPR is not an IT issue; it is a business issue involving legal, process and technological matters, and as such it should be treated at a strategic level. The first question is: why are we doing this? To avoid problems such as fines, to remain in business, or to gain a competitive advantage? Answering this will frame your approach.
LEGO is a good example of a company that has placed the protection of children’s right to privacy at the core of its business strategy. LEGO’s ethics-based approach goes to great lengths to guard the data, with strict controls over partners and suppliers as well as technical controls. A great example is the total lack of third-party cookies on websites targeting children.
If data is the new currency, the GDPR hands control back to individuals, and companies will need to gain the public’s trust to “borrow” this data. Demonstrating ethical stewardship will be key to gaining and keeping such trust. LEGO’s strategy should differentiate it from its competitors, at least with the economic buyers, such as parents and institutions.
It’s not just about compliance
GDPR is not a one-off event: “point-in-time” compliance is not the objective, and it is currently hard to prove. The demands of regulators will change, the way companies deal with them will mature, and a support industry will emerge over the coming years. It is important that companies are deliberate in their pursuit of continuous compliance with the principles enshrined in the regulation. They need to show progress in fulfilling their commitment to protecting individuals’ right to privacy.
A risk-based approach accepts that, on the enforcement date, there may be gaps in the management of privacy, and so puts in place a process to close these gaps and demonstrate progress.
Choose a framework
Companies should start a project to initiate the entire exercise, using a framework that is in line with the regulation to guide the deliverables and prioritise the schedule. Key to this is the identification of the stakeholders within the business, as the exercise will put some fundamental questions to the business, such as:
- Why do we have personally identifiable data?
- What personally identifiable data do we have?
- Do we really need it?
It may sound overly simple, but if you deal with zero personal data then you have zero GDPR risks. Recently we had a case where a customer was jumping straight to the implementation of a specific technology without identifying these issues. Their business model was essentially B2B with employee and sales data, hardly the target for close scrutiny by the Data Protection Authority (DPA). By contrast, a company engaged in large-scale profiling of consumers is right in the crosshairs. It is essential to start the analysis at a high enough level and with the right people; taking a step back may often be beneficial.
Start with a project then an on-going privacy program
A risk-based approach, appropriate to the business context, will start with a project to address the fundamental questions and then move on to what processing is done to the data and why. Under GDPR, the notion of “purpose” is vital to determine and document, as it will frame all the discussions on the legal basis for processing activities. The key components that need to be established as soon as possible include:
- A well scoped project with carefully selected stakeholders;
- A framework to identify what is needed;
- A list of processing activities that forms an index to the personal data inventory of your organisation;
- A deliverables roadmap and progress measures.
The project is the start; it should kick off an on-going privacy program that will be managed by the privacy office, which will respond to changing regulations and environmental conditions.
This begs the question, “what privacy office?”. Part of the project deliverables would be to answer the questions “Do we need a Data Privacy Office (DPO)?”, “How do we do that?” and “Do we internalise or externalise it?”. An understanding of your business strategy – what categories of data you have, and what processing you do – is vital to this analysis and would be an early deliverable from the project.
Guard the data
A key element of guarding the right to privacy is the on-going security required to protect any data controlled by the enterprise and its associated third parties. Once you know where your data is, what you are doing with it and why, you need to protect it throughout its lifecycle. With ever-increasing cybercrime activity, this is no place for amateurs. Consider the use of external security providers to provide round-the-clock response to threats to your business.
We have only just scratched the surface of what GDPR means; we have not yet discussed the purpose of consent, privacy notices, breach management and security. These would all need to be addressed within the project set-up, using a defined framework in conjunction with the list of processing activities delivered within the project schedule. These matters will be covered in next week’s blog post.
GDPR has a business-wide impact and should be addressed at a strategic level if you are to gain advantage from it. The changes brought about by the regulation lead to a business opportunity or a risk, depending on your understanding, desire and strategy. Dealing with this requires a partner who understands it, who does not believe in a silver bullet, and who works with partners in an ecosystem to align the solutions with the company’s business model, strategy and the regulation.
To be continued…