Yes, you’ve all heard about it. Many companies have been raising the alarm and raising awareness about the EU’s General Data Protection Regulation (GDPR) for months now, all offering protection and silver bullets to solve anything and everything to do with GDPR. It’s caused a lot of confusion and many questions, and organizations have no idea where to start.
Many companies assume they are excluded and don’t need to do anything. Let’s clear this up and demystify the EU GDPR with the EU GDPR checklist.
Borderless – The Scope of the New Regulation – It’s All About the Data
The EU General Data Protection Regulation is not bound by any borders and is applicable to any company or organization globally—that is, collecting or processing EU Citizen’s personal identifiable information (PII). This includes services hosted outside of the EU that service EU citizens.
It is important that you identify whether are you collecting or processing any personal data from EU citizens. Many companies have assumed that since they don’t have direct EU customers or employees, the regulation doesn’t apply. This is not the case.
If you are even collecting or processing EU citizens’ PII data even via a third party, the regulation applies. If you have a system or application that you are responsible for that collects or processes data from an EU citizen, you have a responsibility to comply with the EU GDPR.
Clear Consent – Collecting and Processing Personal Information and Record Consent
This is probably one of the most important requirements under the EU GDPR. It states organizations must be clear on obtaining and recording consent from the data subject in collecting and processing personal data both on what data is being collected, how the data will be used and whether the data will be shared with third parties. Because of this, it’s better to collect only the data required, not overcollect data in the assumption you might require it later. It is critical that you record consent, how the data was obtained—directly or indirectly via a third party. If it was obtained via a third party, ensure that consent was obtained and is being maintained and updated. Also, consider the possibility if consent is withdrawn the impact to the underlying process.
Data Classification – Know the Data You Collect – Is it Sensitive?
It is important to know the type of data you are collecting or processing on EU citizens. Is it just an email address and contact details? Many organizations are simply making sure they can contact customers, market to prospects or ensure that vital information is getting to the right people. However, a Data Impact Assessment should be performed to determine if you are collecting or processing personal data and whether that data is indeed potentially sensitive in nature. Organizations should get into the routine of classifying the type of data being collected or processed to determine the ability for accidental sensitive data collection. Be clear on what type of data you accept to collect and process. Expense systems also should be considered in what type of data you are receiving from employees—e.g. receipts from expenses and how the purchase was made. Be sure to only require the least amount of personal information. These systems or processes should be private and secure by design.
Be Prepared to Respond to Complaints – Be Ready and Prepared
Make sure that after May you have a consistent and repeatable process for responding to complaints about personal data being collected or processed from EU citizens. This will likely happen, so establish a solid process to handle complaints and ensure the type of request is handled according to the EU GDPR.
Have a Data Protection Officer
This is probably an area where most organizations are still considering whether it is needed. However, it’s probably too late to determine the need if you are reading this now, so be sure to at least have a plan in place to what you need to be doing. Regardless of whether you need to appoint a data protection officer (DPO), you should at least consider following the tasks and responsibilities of a DPO to ensure that any future changes continue to comply with the EU GDPR. Remember, this is an ongoing continuous process and not a one-time check box. The DPO will help ensure that you are following and continuously being compliant with the EU GDPR.
Privacy by Design, Data Protection and Privacy Impact Assessments
If you are collecting and processing personal information from EU citizens, then you must implement privacy by design and perform privacy impact assessments. This is to ensure that have taken the right steps to determining adequate security is in place and practicing a least privileged approach to data access.
Data Breach and Incident Response – Be Ready to Act Fast
Complying with the EU GDPR does not mean you are protected from being hacked. It simply means that you’ve identified the PII from EU citizens that you are collecting or processing, and that you’ve set up appropriate processes to ensure consent, adequate security and right to removal; and that you’re not collecting excessive data or using it for inappropriately. It means you have accepted accountability over the collection or processing of EU citizens’ PII.
I believe this is probably the most important check to perform. This will likely determine whether you have done your due diligence when it comes to data protection and responsibility. If you fail at incident response and adhering to the EU GDPR breach notification requirements, then you could likely be facing strong financial penalties—so be sure to get this one right. Depending on the risk value of the information that’s been compromised—low risk or high risk—you must also notify the impacted party without undue delay. So don’t wait. Get to know your national authority now rather than trying to determine who and how you should contact when the data breach occurs.
The EU GDPR is only the beginning and we will likely see many changes and improvements in the years to come, but I am sure you do not want to be the first to test this with failing compliance. So, make sure to follow the checklist and determine what applies to your organization. Make the process changes now rather than waiting for a data breach; what is almost certain is that a data breach will occur and how you respond to it will make a big difference to whether your organization will survive a cyberattack.