The GDPR becomes law in May of 2018. If your company does business with any EU citizen or entity, you need to be prepared for this new law, which is designed to protect and strengthen privacy for all individuals residing in the European community.
The law applies to any business or public-sector entity that retains the personal or payment data of EU citizens. Under the law, companies will be required to be able to directly access this information for correction or deletion purposes and customers whose data is being held will have the option to “be forgotten” – meaning, if one of your customers asks for their data to be deleted, you must comply.
This is only one aspect of this very complex law, but it is a significant one. As a company looking to become compliant, it will be necessary to develop a workflow that makes it easy to accomplish these requests.
For many, this means a digital transformation will be necessary if you have not yet initiated such a process. Modernization of data storage and security is absolutely crucial, especially for SMBs and enterprises, as the sheer volume of stored data will necessitate a capable data classification system in order to allow admins to isolate, manipulate, and delete data when needed.
KEY ELEMENTS OF THE GDPR
While this is by no means a complete guide to GDPR compliance, we have put together an overview that covers the key points:
1. Data flow mapping & analysis
In order to understand what kind of data your organization processes, it will be necessary to create a data flow map to show the flow of your data from one interaction point to the next – for instance, from the supplier to the shipper, to the customer, and so on. This is meant to identify any potential unintended use for the data and therefore requires that you consider what parties may be using the information and for what purpose.
2. Data type analysis
Your data flow maps should include the type of information being collected and how it was obtained – for instance, through a web form, direct data entry, or over the phone. Data needs to be analyzed as to the risk it may pose so that adequate measures are put in place. Being able to classify the type of data you are storing is key to assessing risk.
3. Analysis of currently implemented controls
This phase examines the legal and risk controls that you have currently implemented from a legal, organizational, physical, and technical point of view. This is primarily to control any identified risks prior to any processing of any new data.
4. Identify scope – processor or controller
The extent to which your company is liable under the GDPR largely depends on whether you are a “controller” or a “processor” of data. A data processor handles data on behalf of the data controller and so is not subject to as many obligations where the data is concerned. Though the data controller is largely responsible for the disposition of this data, the data processor may still be liable to a degree if they are storing data on their servers, for instance, or are providing any other 3rd party service (such as a shipper) that uses the data.
5. Review of privacy policies
Data controllers will need to be more specific in crafting their privacy policies. According to the GDPR, you must provide clear information on how you are using your customer’s data. This information must be:
- Concise, easy to understand and easily accessible
- Written in plain language that would allow even a child to understand it
- Provided free of charge
6. Review of third parties’ policies
The privacy policies of any 3rd party your company does business with should be thoroughly reviewed to ensure that their policies comply with GDPR regulations. This is meant to prevent unauthorized use of customer data. Article 28 of the regulation outlines in great detail how processor-controller contractual relationships should be worded.
7. Privacy review in SDLC
In addition to all the customer-facing data issues covered by the GDPR, the law also affects software development lifecycle and processes for any IT company that seeks to do business with or provide information systems for the EU. The GDPR has technical and functional implications that require a high degree of planning in the initial phases of SDLC. The earlier in the process that these items are addressed, the less complicated and costly it will be in the long run.
8. Reviewing core GDPR issues
- The Right to be forgotten: Article 17 of the GDPR states that customers whose data is being held have the right to ask for it to be removed.
- Data roaming: This issue affects the transfer of data on the open internet, as may happen in a mobile computing environment.
- User’s consent: users must consent to their data being used. This may take several forms, depending on how your organization uses this data.
- Data destruction: data destruction poses a significant risk, especially when dealing with a hard copy (paper documents). If you use an asset disposal service (classified as a data processor under the GDPR) you must ensure they are compliant with GDPR regulations to reduce your risk.
- Review of special categories: this involves data that relates to a wide range of variables, including human resources and employee data, data relating to children, and health records for example. This area is quite complex, but it seeks to safeguard the privacy of the individuals whose data is being collected.
- Dispute resolution: Article 65 of the GDPR sets forth the process for dispute resolution by the Board if the supervisory body finds any infringement.
- Cookie consent: the GDPR calls into question the current EU cookie consent laws. The GDPR sees cookies as a unique identifier, and so consent rules do apply. If cookie data is used for more than one purpose, there may be a need to establish separate consent for each use.
CREATION OF GDPR ALIGNMENT WORK PLAN
If you have not yet begun to map out your plan for GDPR alignment, GRSee can help. Though the law is multi-faceted and complex, as experienced auditors who have performed hundreds of compliance projects, including GDPR alignment projects, we have created an efficient and proven methodology that will get you up to speed quickly.
WHAT’S THE SMOKING GUN? FINES OF UP TO 20 MILLION EUROS!
With so much at stake, it is imperative that your security practices be in place as soon as possible. Some of the mechanisms you can implement right away include privacy by design at the SDLC (development lifecycle) level, pseudonymization, opt-out mechanisms, redacting data, and destroying old or redundant data.
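To make three of the mechanisms named above concrete (pseudonymization, redaction, and destruction of old data) together with the erasure request from Article 17, here is an added Python example. It is illustrative code written for this overview, not GRSee's tooling or any product's API. It assumes a small in-memory record set of fictitious customers (constructed for the example), a keyed HMAC as the pseudonymization function, and a separately held lookup table as the "additional information" that re-identifies a token; in production the key would come from a key management service and the lookup table would live in a separately access-controlled store.

```python
"""Illustrative data-minimization helpers (added example, not GRSee's code):
keyed pseudonymization with a separately held re-identification map,
redaction of e-mail addresses in free text, and retention-based purging."""
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed sample data: fictitious customers, not real people.
RECORDS = [
    {"name": "Ada Example", "email": "ada@example.org", "order_total": 42.50,
     "note": "Call ada@example.org before shipping", "created": date(2017, 1, 10)},
    {"name": "Bob Sample", "email": "bob@example.net", "order_total": 9.99,
     "note": "Gift order", "created": date(2018, 3, 2)},
]

# Fields that directly identify a person and must leave the working record.
DIRECT_IDENTIFIERS = ("name", "email")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed demo key. Assumption: in real use this comes from a KMS/HSM and
# is never stored next to the pseudonymized records.
DEMO_KEY = b"demo-pseudonymization-key-do-not-use"


def pseudonym(key: bytes, email: str) -> str:
    """Keyed HMAC of the normalized e-mail. A bare hash would let anyone who can
    guess an address recompute its token; the key prevents that."""
    normalized = email.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def redact(text: str) -> str:
    """Mask e-mail addresses that leaked into free-text fields."""
    return EMAIL_RE.sub("[redacted-email]", text)


def pseudonymize(record: dict, key: bytes, lookup: dict) -> dict:
    """Return a copy of `record` with direct identifiers replaced by a token.
    The token -> identifiers mapping is written to `lookup`, which stands in
    for the separately stored 'additional information' needed to re-identify."""
    token = pseudonym(key, record["email"])
    lookup[token] = {f: record[f] for f in DIRECT_IDENTIFIERS}
    out = {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIERS}
    out["subject"] = token
    out["note"] = redact(out["note"])
    return out


def forget(token: str, lookup: dict) -> bool:
    """Honour an erasure request by destroying the re-identification entry.
    Returns False if there was nothing to forget (request already handled)."""
    return lookup.pop(token, None) is not None


def purge_expired(records: list, today: date, retention_days: int) -> list:
    """Destroy records older than the retention period."""
    cutoff = today - timedelta(days=retention_days)
    return [r for r in records if r["created"] >= cutoff]


def run_pipeline(key: bytes = DEMO_KEY, today: date = date(2018, 5, 25),
                 retention_days: int = 365):
    """Pseudonymize the sample set, then apply the retention rule."""
    lookup: dict = {}
    working = [pseudonymize(r, key, lookup) for r in RECORDS]
    kept = purge_expired(working, today, retention_days)
    return kept, lookup


if __name__ == "__main__":
    kept, lookup = run_pipeline()
    for r in kept:
        print(r)
    token = kept[0]["subject"]
    print("forget:", forget(token, lookup), "again:", forget(token, lookup))
```

Two design points worth noting. Normalizing the e-mail before hashing keeps one person from acquiring several tokens through capitalization or whitespace differences, which would otherwise leave stray records behind after an erasure request. And `forget` only severs the link in the separate store; whether the residual, non-attributable record may be retained or must also be destroyed is exactly the kind of question the data flow mapping and data type analysis in steps 1 and 2 are meant to answer for your organization.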
Boosting internal security is always a good idea as well, especially if you retain hard copies of any personal, payment, or other sensitive information that needs to be protected. Locked cabinets and file rooms are a good start, but establishing a secure digital storage solution is also important. Furthermore, for those who are ISO 27001 compliant, you’ve already fulfilled some of the requirements necessary for GDPR. For those not yet ISO compliant, it’s a great opportunity to kill two birds with one stone.
There’s never been a better time to start your digital transformation. Call GRSee today to set up a free consultation.