Starting May 25, 2018, enforcement begins for the new EU General Data Protection Regulation (GDPR) and its heightened principles and requirements regarding data privacy, data processing, and data security. The newly revised regulation applies to organizations doing business in the European Union or processing personal data originating in the EU – including data originating from both residents or visitors. A quick overview of the Regulation—actually a series of primers—can be found here.
Earlier this year, I participated in a webinar to discuss the rapidly approaching GDPR enforcement date, and how organizations around the world can finalize their compliance programs. As Senior Privacy Counsel at Imperva, I know how important it is to be up-to-date with the new EU regulations and prepare for it.
During the webinar, I was joined by Barbara Cosgrove, the chief privacy officer at Workday, Naheed Bleecker, senior privacy consultant at Trust Arc and Sue Habas, VP of strategic technologies at ASC Technologies. Dr. Branden Williams, director and SVP of cyber security at MUFG Union Bank, hosted the affair. We discussed in some depth the critical actions that needed to be implemented by data privacy, security, and compliance programs before the May 2018 deadline.
Generally, four calls to action emerged. They are:
1) Embed Privacy by Design
2) Know where your data is
3) Establish data inventory & classification
4) Implement “appropriate” Security Controls
Embed Privacy by Design
As Barbara Cosgrove noted, “What we’re really looking at is embedding appropriate privacy protection measures throughout the entire development process, whether it’s a product, a process, a service or anything that uses personal data.”
Under GDPR, it’s now critical to make sure that you’ve updated your product design processes and change management policies to include data privacy input from the very beginning of the project. “Carry out any privacy impact assessments that could possibly identify any risks,” she added. “Make sure that you’ve really ascertained how you process personal data and if that’s going to result in a high risk to a data subject.”
Know Where Your Data Is
Keeping tabs on personal data as it moves through the entire data life cycle at your organization is simply good data governance practice, according to Naheed Bleecker. “It’s critical to understand all the controls surrounding data,” he said. “Where is the data? Who has access to it? Where is it going? Who’s touching it? What specific data elements are being collected? Are you getting the kind of consent that you need? What are your storage and retention standards? These are all questions you need to ask yourself.”
Another key component regarding data governance is understanding how third parties interact with the information. Not only does GDPR provide a great opportunity to educate and train stakeholders, it can help build a solid engagement with clients and partners.
Establish Data Inventory & Classification
“More than anything,” said Sue Habas, “you’ll want to automate your business and data inventory. In addition, you’ll want the data inventory meta-data and classification centralized so that everybody has access to it.”
Along with everything else, said Habas, you’ll need to classify the information, and allow for it to be threaded to all your [internal] end users, both on the business and technical side. “The business process,” she said, “is really essential for capturing that privacy data, and for remediating and managing those issues.”
Working together with the product and business teams is critical to helping you understand and govern data, added Habas. You need to show in a transparent manner that your data state is being handled in a responsible manner regardless of technology, usage or jurisdiction. “It’s all about being able to see across data silos,” she said.
Implement “Appropriate” Security Controls
Data inventory and tracking assets consent are the foundation of every comprehensive privacy program. But that’s probably not even the first thing that’s needed. First and foremost, you need to put appropriate security controls around the personal data of your employees, customers, and end-users that you collect, process, and store.
GDPR not only expressly endorses pseudonymization and encryption as appropriate measures to protect the security of processing, it also ratchets upward the fines for failing to meet the “appropriate” security measures required—specifically, to the tune of the greater of 10 MM Euros or 2% of total annual worldwide turnover.
But what exactly does “appropriate” mean, and where should data privacy, risk, or compliance programs start? One good place to start is to look at asset management across different repositories of data, across different databases, and across different functional departments. For example, does everybody in your company have a need-to-know clearance? Maybe that’s not reasonable or wise.
You also need to implement encryption both in transit and across local storage, and create and maintain incident and data breach response programs. I strongly advise everyone to map out and document all data flows and processing within your organizations. When a data breach happens, you’ll need to know what’s going on during the first 24 and 72 hours. That response time is going to be incredibly important under GDPR.
A Best Practices Approach
GDPR represents a monumental shift in how global organizations will need to treat and safeguard personal data. Aligning your organization, and the privacy function within your organization, to GDPR in a best practices fashion is by no means an easy task. But it is the goal you should strive for. Professionals leading data privacy or security programs will have largely completed minimum GDPR compliance preparation by May 25, 2018, or perhaps shortly thereafter. Yet, after a well-deserved vacation, I encourage you to rethink and revisit your data privacy programs. Concentrate on elevating these four foundational calls to action up to a best practices standard, and your organization will be more than ready for today’s rising tide of global privacy standards—both those required by regulations like GDPR as well as by the competitive business features demanded by a rising societal awareness of data privacy.