For GDPR late-comers, data mapping, security are key first steps
Two years after it was first announced, the European Union General Data Protection Regulation is now law as of May 25. This means that any organization, whether inside or outside of the EU, that collects or processes personal data that directly or indirectly identifies EU individuals (customers or employees) must comply with GDPR.
Despite having two years to prepare, and the deadline to do so now past, many organizations are still struggling with how to appropriately and reasonably comply with GDPR. Risks to personal data must be appropriately managed while maintaining the ability to process business data.
Many organizations are getting questions from customers and business partners about their compliance with GDPR. EU data protection regulators are soon likely to begin taking action against organizations they believe are not complying with GDPR.
Noncompliance with GDPR requirements can be very painful. Organizations can be fined up to 4 percent of their annual global revenue or 20 million euros, whichever is greater. The EU promises it will not be lenient with non-compliers.
So how can your organization appropriately and reasonably comply with GDPR at this late stage?
Meeting GDPR compliance requires a risk-based approach that often necessitates changes across an organization’s people, processes and technologies. It’s important to have a comprehensive, integrated road map that shows, step by step, how the organization will achieve GDPR compliance.
Most GDPR compliance projects will also benefit from combining cybersecurity, project leadership and change management expertise to enable pragmatic solution design, quick iteration and full organizational engagement.
The following outlines the key components of a good GDPR compliance project.
Understand how GDPR applies to your organization
Two types of organizations must comply with GDPR: data controllers and data processors, meaning it’s important to understand your organizational type.
A data controller is an organization that determines the purpose and methods for processing personal data, such as a retailer that collects personal data while selling products to EU persons. In this situation, the data controller owns the data.
A data processor is an organization that processes personal data on behalf of a data controller, such as a marketing firm that sends emails to EU data subjects on behalf of a retailer. A data processor must carefully follow a data controller’s instructions regarding how to process personal data received from the controller.
In general, GDPR places more requirements on data controllers for personal data protection as they are the owners of the data.
Thoroughly map personal data
Early in a GDPR compliance project, it’s essential that an organization identifies all personal data that can be used to directly or indirectly identify an EU person, and fully defines how such data is processed, transmitted and stored by the organization.
Data mapping is critical so an organization can implement appropriate controls and processes to protect the personal data it collects and processes. GDPR compliance will be difficult if an organization does not properly identify and understand the personal data it holds and the related data handling processes that it's required to protect. Smaller organizations may be able to manually map the personal data they have, but larger organizations will likely need to use a data mapping tool.
Leverage cybersecurity best practices
To comply with GDPR, data controllers and data processors must identify risks to the personal data they have and implement technical and organizational security controls that appropriately mitigate the risks, while simultaneously allowing approved processing and storage of personal data. Necessary controls will vary among organizations, depending on the type and amount of personal data they collect or the process and methods they use to handle the data.
The good news is there are well-defined and respected cybersecurity best practice frameworks, such as the NIST CSF and CIS CSC. These can be used to define and design security controls, rather than having to create controls from scratch.
Another option is to base technical and organizational security controls on a well-established cybersecurity standard such as PCI DSS or the Gramm-Leach-Bliley Act.
Basing your security controls on an existing cybersecurity framework or standard will enable your organization to show it has implemented appropriate and reasonable controls to protect personal data, and that it follows best practices.
Manage vendors effectively
In addition to requiring organizations to protect the personal data of EU persons they directly collect and process, GDPR also requires organizations to manage the vendors with whom they share such data.
Data controllers should develop a formal process (e.g. assessment questionnaire) for assessing whether a vendor who will receive personal data from the controller will appropriately protect the data. Controllers should also create a formal contract that all vendors who receive personal data must sign. The contract should include specific methods for how the vendor will protect received personal data.
Data processors that share received personal data with other vendors should create a formal documented process for receiving authorization from the data controller. They should also create a formal contract, which includes specific personal data protection methods that all vendors who receive personal data must sign.
Both data controllers and data processors should integrate GDPR vendor management into their overall vendor risk management program.
With the arrival of GDPR, any organization doing business in the EU needs to understand and comply with GDPR or potentially face large fines and reputational harm. With thoughtful analysis, planning and control design, organizations can appropriately and reasonably comply with GDPR requirements.