On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) went in to effect. Any organization (outside or inside the EU) that collects or processes personal data that directly or indirectly identifies EU persons (customers or employees) must comply with GDPR.
Despite being announced over 2 years ago, many organizations are still struggling with how to appropriately and reasonably comply with GDPR. Risks to personal data must be appropriately managed while, at the same time, necessary business processing of such data must be able to occur.
Many organizations are getting questions from customers and business partners about their compliance with GDPR; EU data protection regulators are likely to soon take action against organizations they believe are not complying with GDPR.
Noncompliance with GDPR requirements can be very painful. Organizations can be fined up to 4% of their annual global revenue or 20 million Euros, whichever is greater.
So how can your organization appropriately and reasonably comply with GDPR?
Point B’s Perspective
Complying with GDPR compliance requires a risk- based approach that often necessitates changes across an organization’s people, processes and technologies. It’s very important to have a comprehensive, integrated road map that shows, step by step, how the organization will achieve GDPR compliance. Most GDPR compliance projects will benefit from combining cybersecurity, project leadership and change management expertise to enable pragmatic solution design, quick iteration and full organizational engagement.
At Point B, we’ve identified four major components that any good GDPR compliance project should include:
- Understand how GDPR applies to the organization
- Thoroughly map personal data
- Leverage cybersecurity best practices
- Manage vendors effectively
Details on each of the components follow.
Understand how GDPR applies to your organization
Two types of organizations must comply with GDPR—data controllers and data processors. It’s important to understand your organizational type.
A data controller is an organization that determines the purpose and methods for processing personal data, such as a retailer that collects personal data while selling products to EU persons; the data controller owns the data. A data processor is an organization that processes personal data on behalf of a data controller, such as a marketing firm that sends emails to EU data subjects on behalf of a retailer; a data processor must carefully follow a data controller’s instructions regarding how to process personal data received from the controller.
In general, GDPR places more requirements on data controllers for personal data protection as they are the owners of the data.
Thoroughly map personal data
It’s essential that, early in a GDPR compliance project, an organization identifies all personal data that can be used to directly or indirectly identify an EU person, and fully defines how such data is processed, transmitted and stored by the organization.
Data mapping is critical so an organization can implement appropriate controls and processes to protect the personal data it collects and processes. GDPR compliance will be difficult for an organization if it does not properly identify and understand the personal data it holds and the related data handling processes that it's required to protect.
Smaller organizations may be able to manually map the personal data they have, but larger organizations will likely need to use a data mapping tool.
Leverage cybersecurity best practices
To comply with GDPR, data controllers and data processors must identify risks to the personal data they have and then implement technical and organizational security controls that appropriately mitigate the risks, while simultaneously allowing approved processing and storage of personal data. Necessary controls will vary among organizations, depending on the type and amount of personal data they collect or the process and methods they use to handle the data.
The good news is there are well-defined and respected cybersecurity best practice frameworks, such as the NIST CSF and CIS CSC. These can be used to define and design security controls, rather than having to create controls from scratch.
Another option appropriate for certain organizations is to base technical and organizational security controls on a well-established cybersecurity standard such as PCI DSS or the Gramm-Leach-Bliley Act.
Basing your security controls on an existing cybersecurity framework or standard will enable your organization to show it has implemented appropriate and reasonable controls to protect personal data, and that it follows best practices.
Manage vendors effectively
In addition to requiring organizations to protect the personal data of EU persons they directly collect and process, GDPR also requires organizations to manage the vendors with whom they share such data.
Data controllers should develop a formal process (e.g. assessment questionnaire) for assessing whether a vendor who will receive personal data from the controller will appropriately protect the data. Controllers should also create a formal contract that all vendors who receive personal data must sign. The contract should include specific methods for how the vendor will protect received personal data.
Data processors that share received personal data with other vendors should create a formal documented process for receiving authorization from the owner of the personal data (data controller). They should also create a formal contract, which includes specific personal data protection methods that all vendors who receive personal data must sign.
Both data controllers and data processors should integrate GDPR vendor management into their overall vendor risk management program.
The Bottom Line
GDPR is finally here. Any organization doing business in the EU needs to understand and comply with GDPR or potentially face large fines and reputational harm. With thoughtful analysis, planning and control design, organizations can appropriately and reasonably comply with GDPR requirements.