How organizations can best demonstrate GDPR compliance
The financial sector is highly regulated, so you would have thought banks would be well-equipped to comply with the EU’s GDPR (General Data Protection Regulation). But the reality isn’t that simple. In the months since May 2018, when the regulation took effect, there has been as much uncertainty among the financial industry as anywhere else.
The issue is exacerbated outside the EU, with many organizations assuming that the GDPR doesn’t apply to them. However, the regulation’s scope includes any organization that provides services into the EU, no matter where that organization is based.
Another problem is that the GDPR doesn’t provide guidance on how to meet its requirements. This was to make it future-proof, as best practices are likely to change over time. But without explicit guidance, many organizations have been stumped.
That’s where IT Governance and the NCASM (National Cybersecurity Awareness Month) come in. The theme for 2018’s NCASM is “Our Shared Responsibility,” a motto that encapsulates the key to demonstrating GDPR compliance. IT Governance has extensive experience with the Regulation, particularly when it comes to helping organizations understand their compliance requirements.
Based on what we’ve seen, here are the three most important tips to make sure everybody in your organization is on the same page when it comes to the GDPR.
1. Adopt a cybersecurity and privacy framework
You need to be sure everyone in the organization is on the same page with regard to the GDPR and similar laws all over the world. You need policies and procedures that ensure cybersecurity and privacy are taken seriously and done correctly. Such policies and procedures would ideally be documented as part of a cybersecurity and privacy framework, which can also be audited and continually improved. Having a documented framework in place can also help prove compliance.
2. Make sure third parties are trustworthy
Organizations must take appropriate steps to ensure that data is always secure – whether it’s held in their systems, in transit, or shared with third parties. In the first two scenarios, organizations have full control over their defensive measures, but third-party data sharing requires a certain level of trust. After all, should a third party suffer a data breach, the organization that collected the personal data will be held accountable. (The third party might also be held accountable, depending on the nature of the breach.)
Of course, when the stakes are so high, it would be foolish to rely on trust alone. Organizations should therefore investigate third parties for evidence of GDPR compliance. Once both parties are happy, they should draw up a contract confirming how the shared data will be used and protected.
3. Educate your employees
Your organization can have the most robust cybersecurity policies and processes, but they will be useless if employees ignore them. It’s therefore essential that all employees are made aware of their GDPR compliance responsibilities. Even staff who you wouldn’t necessarily think handle personal data pose a risk. If they have a work email account, can access your intranet, or handle work documents, they process personal data and must therefore comply with the GDPR.
GDPR training comes in two forms. The first is via introductory courses, which typically last less than an hour and provide an overview of the Regulation, explain why it’s important, and briefly show you how to meet its requirements. Organizations that conduct these courses in-house should also include information on where employees can find policies and procedures and how they can contact their DPO (data protection officer).
Introductory training will be sufficient for most employees. The courses should form part of their induction and be repeated at least annually. Courses can be conducted either in person or through e-learning.
The second form of training is more in-depth and is suitable for employees who are responsible for managing the collection and processing of personal data. Certified training courses are ideal, as they will provide advice on specific aspects of the GDPR.
The GDPR is a landmark for data protection, not only because of the comprehensiveness of its requirements but also because of the influence it has on regulators worldwide. Many people have commented on the strictness of its requirements and the severe repercussions of breaches, but such measures will almost certainly become the norm in the years to come.
Several regulators, including two in the U.S. and many others all over the world, are already replicating the GDPR’s toughness. In July, California passed a GDPR-like data protection law that gives residents the power to request that organizations:
- Provide any stored personal information pertaining to them
- Disclose how they obtained the information
- Refrain from selling or disclosing their personal data
As with the GDPR, the California Consumer Privacy Act of 2018 gives individuals the standing to challenge the way their data is collected. It also gives them the right to form a class action and seek statutory damages of between $100 and $750 per person.
Meanwhile, the NYDFS (New York Department of Financial Services) has been phasing in its Cybersecurity Requirements over the past 18 months, and these will take full effect on March 1, 2019. The Requirements intend to strengthen data handling and security processes among financial organizations with a branch in New York State. This will affect a huge number of organizations and will create a great deal of interest, given that New York City is the nation’s financial hub.
Organizations across the country should keep a close eye on these laws, as well as the GDPR, as their success will dictate how other regulators approach data protection. The need for better data protection practices is manifest, and change is already happening. By staying aware of what’s going on around you, and how others are handling data protection, you can be sure that you’ll be ready for whatever comes your way.