On May 25th, 2018, the European Union’s General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) officially goes into effect. No need to panic. We got this.
GDPR has rapidly devolved into a touchstone for everything from vendor FUD to political frothing. It has been hailed as a huge step forward for privacy and assailed as the worst thing to come out of Europe since the Bubonic Plague.
Like everything we do at Anitian, let’s cut through the conspiracy and paranoia and let reason and facts rule the day. In this blog, I will outline exactly what GDPR means to you and your business, as well as how you can become compliant with the regulations. Of course, there are consequences for non-compliance, and I will address those as well.
GDPR Crash Course
GDPR is a privacy regulation that applies to the personal data of EU citizens, or in EU-speak, “data subjects.” The intent is to protect the privacy of EU citizens. There are two significant components to the regulation: applicability and scope.
GDPR applies to all businesses based in, or operating in, the EU. It also applies to any organization that offers goods or services to, or monitors the behavior of, EU citizens. That means even if your company is based in the USA, if you do business in the EU (and therefore have data from EU citizens), then GDPR applies to you.
GDPR categorizes businesses into two types: Processors and Controllers. In typical bureaucratic speak, these categories can be confusing. Controllers are responsible for how data is processed and why, whereas Processors actually process the data on behalf of the Controllers. Got that?
I like to think of the Controllers as the companies responsible for obtaining personal data in the first place, and Processors as anyone that handles the data for the Controllers.
The processing aspect of GDPR is uncomfortably broad. It is defined as: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” This has the potential to ensnare a lot of data.
Scope in the context of GDPR is also uncomfortably broad. GDPR scope not only includes the usual suspects, such as name, address, and date of birth, but also things like photos, email addresses, posts on social networking websites, and IP addresses. In our experience, pictures, email addresses, and IP addresses are not something that organizations typically classify as private. This has the potential to ensnare a lot of organizations who do not realize they have regulated data.
Okay, Now What?
The first big question you need to ask yourself is: “Do we have any data from EU citizens?” If the answer is yes (or even maybe), then you need to do something about GDPR.
If you are ready to travel this path, you have some big steps ahead of you.
Step One: Appoint a Data Privacy Officer (DPO)
Article 37 of GDPR requires that companies appoint a person to oversee GDPR compliance and report to management. However, it also demands that the DPO role be independent, which means the DPO cannot report to the CISO or IT manager. The good news is that it specifically allows organizations to outsource this function to a third party. And yes, of course Anitian can do this, thanks for asking.
The primary tasks for the DPO are:
- Advising the organization on data privacy obligations
- Monitoring compliance with data privacy obligations
- Overseeing the Data Privacy Impact Assessment (DPIA) (we will get to this later)
- Coordinating with supervisory authorities as appropriate
Appointing a DPO goes a long way toward demonstrating due diligence with GDPR. This step alone may keep the regulators at bay for a while. This is an “easy” step that gets you a quick win, so do this first and do it soon.
Step Two: Perform Data Inventory and Classification
Article 25 requires organizations to have a full classification and inventory of their data. This can be a difficult task.
However, do not let perfection become the enemy of good. You do not need to start a perfect classification scheme or inventory, only an adequate one. Scan your systems, assemble your data models, and do your best to identify all instances of personal and sensitive personal data of EU citizens. While doing this, use the effort to classify all data types in your organization. Even a simple set of categories, such as regulated, confidential, and sensitive, is helpful.
I strongly encourage you to integrate this process into your annual risk assessment practices. If you are not conducting an annual risk assessment, well, now is as good a time as any to start doing one. You can always go back later, such as when you get to the Data Protection Impact Assessment (DPIA), to optimize data discovery and classification procedures.
A risk assessment is also an ideal structure to guide your GDPR compliance efforts. Make sure your risk assessment results in a clear set of remediation actions based on meeting GDPR requirements.
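The data discovery the post describes in Step Two (scan systems, find instances of personal data such as email addresses and IP addresses, and sort records into a small set of categories) is the part practitioners most often ask how to start. The following is an added example, not code from the original post or from Anitian: a minimal discovery pass over constructed customer records that flags email addresses and IPv4 addresses by pattern, flags fields whose names mark them as personal (date of birth, phone, address, photo), and assigns one of three assumed categories: regulated (personal data where the subject is, or may be, in the EU), confidential (personal data of a subject known to be outside the EU), and general. The sample records, the EU country list, the category names and the field-name hints are all assumptions made for this example. Names are deliberately not pattern-matched, since a pattern cannot tell a person's name from a product name; those fields are left to the data-model review the post recommends.

```python
import re
from typing import Dict, List

# Constructed sample records for this example (hypothetical; not from the post).
# Values are strings, as they would be after export from a database or log store.
SAMPLE_RECORDS = [
    {"id": "1", "name": "Anna Schmidt", "email": "anna.schmidt@example.de",
     "last_login_ip": "203.0.113.10", "country": "DE"},
    {"id": "2", "name": "Order 4471", "sku": "WIDGET-9", "qty": "3",
     "build": "300.12.4.1"},  # looks like an IP but has an octet > 255
    {"id": "3", "notes": "Customer rang from 198.51.100.7 about invoice; "
                         "contact j.dupont@example.fr", "country": "FR"},
    {"id": "4", "name": "Pat Lee", "email": "pat@example.com", "country": "US"},
]

# EU member states, ISO 3166-1 alpha-2 codes (EU-27; assumed list, adjust to the
# membership that applies at the time of your inventory).
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Four dot-separated numeric groups not embedded in a longer dotted-number string.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Field names that mark a value as personal data regardless of its content (assumed).
PERSONAL_FIELD_HINTS = ("dob", "birth", "phone", "address", "photo")


def _valid_ipv4(candidate: str) -> bool:
    """Reject dotted quads with an octet above 255 (version strings, build ids)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def find_personal_data(record: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {field_name: [types of personal data found]} for one record."""
    hits: Dict[str, List[str]] = {}
    for field, raw in record.items():
        value = str(raw)
        found: List[str] = []
        if EMAIL_RE.search(value):
            found.append("email")
        if any(_valid_ipv4(m) for m in IPV4_RE.findall(value)):
            found.append("ip_address")
        if value.strip() and any(h in field.lower() for h in PERSONAL_FIELD_HINTS):
            found.append("personal_field:" + field)
        if found:
            hits[field] = found
    return hits


def classify(record: Dict[str, str]) -> str:
    """Assign one of the assumed categories: regulated, confidential, general."""
    if not find_personal_data(record):
        return "general"
    country = record.get("country")
    # No country on file means "maybe an EU data subject", which the post treats
    # as reason enough to act; so unknown residency is classed as regulated.
    if country is None or str(country).upper() in EU_COUNTRIES:
        return "regulated"
    return "confidential"


def build_inventory(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Produce one inventory entry per record: id, category, and where the data sits."""
    return [
        {"id": r.get("id"), "classification": classify(r),
         "personal_data": find_personal_data(r)}
        for r in records
    ]


if __name__ == "__main__":
    for entry in build_inventory(SAMPLE_RECORDS):
        print(entry)
```

Run against a real export, the output becomes the first cut of the inventory the post asks for: which fields in which systems hold regulated data. Two caveats matter in practice. Pattern matching has false positives and misses (the octet check above removes one common kind), so treat the result as a starting list for the risk assessment, not as the classification itself. And residency is rarely a clean column; where the record gives no basis for deciding, the conservative default here keeps the record in scope rather than out.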
Step Three: Get Busy
GDPR has a lot of requirements (articles). I cannot detail all of them in this blog. However, they include such gems as:
- Article 17 – Right to Erasure: At the request of a data subject, all instances of their personal data must be deleted within 72 hours.
- Article 30 – Records of Processing Activities: Among many other details, entities must document the names of all processors, their purpose, data categories handled, and protections in place. This makes vendor risk management a must-have under GDPR.
- Articles 33 & 34 – Breach Notification: Breaches must be disclosed to the supervisory authority within 72 hours of discovery (Art 33), and to data subjects under certain conditions without “undue delay.”
Of course, this is just a small subset of the 99 Articles in GDPR, but even these can require a lot of work to address. Use the risk assessment to guide your control selection. Since GDPR implementation occurs at the EU member state level, and each EU member state has its own Supervisory Authorities responsible for enforcing compliance, there will be variations in interpretation. You should model your compliance program to align with the countries that have the strictest interpretations, which right now include Germany, Spain, and France.
Step Four: Data Privacy Impact Assessment (DPIA)
After you deploy or configure security controls for GDPR compliance, you must implement a process to continually manage and assess these controls. This is where the DPIA comes into play. An annual DPIA is required for Data Controllers, but also applicable to Data Processors.
DPIA is a GDPR-specific risk assessment. It looks at the controls around protected data and assesses their effectiveness. DPIA is intended to validate that your organization is taking the correct actions to maintain GDPR compliance.
Your DPO can conduct the DPIA. Having a DPIA on file is the cleanest way to demonstrate you are GDPR compliant.
GDPR and ISO
If you are sensing similarities with ISO 27001, you are on the right path. ISO 27001 is an excellent framework for complying with GDPR. As such, if you want a shortcut to GDPR compliance, then become ISO 27001 compliant. From there, GDPR will be fairly easy.
Certification and Enforcement
Yes, there will be penalties for noncompliance. Now, the big question is, will you be penalized? Unless you work at Google or Facebook, you are probably not in the crosshairs of the EU, yet. However, the fines are real, and partly why so many people are fretting over GDPR. Fines are defined in Article 83, and under certain conditions can reach up to €20 million, or 4% of your company’s total worldwide revenue (which they affectionately call turnover). If you are a big company, you could have some big fines. Note these fines are based on revenue, not profits.
As for certification, it is up to the Member States, who have not done anything yet. Article 43 defines the criteria for certification bodies, and they closely align with how ISO defines a certification body. As such, if an audit firm can demonstrate credibility and independence, it can certify you compliant. This is another reason to include GDPR as part of your Information Security Management System (ISMS) for ISO 27001 compliance.
In conclusion of this summary of GDPR and how to handle its many facets, I’d like to leave you with a few thoughts to ponder.
- The most important task, and likely most difficult, will be creating a data inventory. GDPR’s definition of personal data is extremely broad. If you manage a lot of data, finding all instances of protected data may be daunting. Use a risk-based approach to perform the inventory. This goes a long way toward demonstrating due diligence. After inventorying all your data, classify it, and then define how it is processed, accessed, and retained.
- Once you have your data inventoried, perform a GDPR-focused risk assessment to identify gaps, define remediation steps, and develop an action plan. Again, this effort demonstrates diligence.
- Use ISO 27001 as a framework for controls. There is close alignment between ISO 27001 and GDPR. Once you have ISO compliance in place, then conduct your DPIA.
GDPR will be a lot of work. Now is the time. Because — like it or not — GDPR is coming.