Don’t worry, begin with your data.
Whether you’re someone managing data or an executive responsible for your data assets, the advent of the GDPR demands attention now. The impact is measured not only by the severity of the fines, but also by the expectation that all data will be controlled and processed correctly. Now’s the time to get ready because this is not going away; in all likelihood it will even become a worldwide standard. But don’t panic, just meet the challenge.
The GDPR challenge
As the European Union’s General Data Protection Regulation (GDPR) gathers steam towards a May 2018 deadline, businesses are facing yet another data requirement to fulfill. With the threat of punitive financial penalties and disenfranchised customers, you can imagine the looming angst. GDPR changes the way that companies capture, manage and store information of EU citizens.
To date, the maximum fine handed to organizations under the Data Protection Act (DPA) by the Information Commissioner’s Office (ICO) is £400,000. Two companies have received the record penalty – Keurboom Communications and TalkTalk. Under GDPR, the fines for a data breach will be either €20m ($23.2m) or 4 per cent of global annual revenue, whichever is higher. Had GDPR been in place for the past five years, analysis from Oliver Wyman shows that FTSE 100 companies could have owed up to £25 billion in fines to EU regulators, a run rate of £5 billion a year!
GDPR is structured to simplify data management for global organizations to ensure a process and a means of enforcement. According to a PwC survey, being GDPR compliant is the top data protection priority for 54 percent of US multinationals and one of several priorities for another 38 percent. There are broad definitions of what personal data represents, and along with that come rights on how personal data is accessed, used, stored, protected and deleted. GDPR even says an individual consumer can restrict processing and enforce the right to be forgotten. Moreover, organizations must be able to show the location of data in both systems and geographical sites.
What to do?
Invest the time to prepare for a more secure way of doing business with data. Keeping the balance of regulation and compliance in perspective will be the approach of seasoned business leaders, who see the problem as a continuous plan and a starting place for implementation. Just knowing how to begin is the first step towards sanity and risk mitigation, and it all starts – where else – with your data.
Data, like any asset in a company, has value, both short and long term. CEOs understand data is every bit as valuable as the product or service that goes with it, because it represents the legacy of relationships as well as an indicator of future behavior. In fact, analytics drives data value because raw data is turned into insights and then into actionable business strategies. GDPR implementation aims to tip the scale back towards the consumer, challenging each business that holds and manages personal information.
Where is my data?
A pragmatic approach is to make a straightforward assessment of the nature, volume and location of your customer data. GDPR mandates that organizations are responsible for the physical access to stored data. In other words, where is your data? It goes even further to include data that is very difficult to track, such as unstructured, social or log data. Be very clear and transparent about what you have, why you have it, how you use it, and where you store it. This will form the shape of your data landscape and allow you to start asking questions, in order to expose areas of potential risk when GDPR comes into action.
Understanding where you are either strong or under-invested in relation to the new regulations will help inform what actions to take next, as well as which resources and technologies to apply. Finding your data requires a commitment to governance, and GDPR can now be seen as an opportunity to engage in trusted, transparent relationships, creating new services built on two-way flows of permissioned data. After all, in this digital age, data is the fuel that powers business and technology.
Controller vs. Processor
According to Article 4 of the EU GDPR, the different roles are defined as indicated below:
- Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
- Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
So, the organizations that determine the means of processing personal data are controllers, regardless of whether they directly collect the data from data subjects. For example, a bank (controller) collects the data of its clients when they open an account, but it is another organization (processor) that stores, digitizes, and catalogs all the information produced on paper by the bank. These companies can be datacenters or document management companies. Both organizations (controller and processor) are responsible for handling the personal data of these customers.
The controller says how and why personal data is processed and allows the processor to act on the controller’s behalf. If your organization is currently subject to the DPA, it is likely that you will also be subject to the GDPR. For controllers and processors already operating under DPA rules, GDPR extends the obligations and responsibilities of both.
Your data assets
The gist of the regulation surrounds Personally Identifiable Information (PII) of citizens in the EU. Find out where this data came from, where it now sits and where it’s going. These assets, or even a metadata management approach to where the assets exist, can be brought together under a workflow process, alongside other data processes – sort of like a continuous audit.
In fact, data workflow might just be an important means of implementing GDPR because it tracks where the data comes from and where it’s going. The workflow becomes a map for audit and protection, and tools are available today to track how you are doing.
One thing is certain – the data assets will only grow exponentially and need to be protected. IDC, a market-research firm, predicts that the “digital universe” (the data created and copied every year) will reach 180 zettabytes (180 followed by 21 zeros) in 2025. That means greater responsibility and potentially increased liability.
What not to do
Don’t panic. Experienced IT and data professionals have been managing data regulations, such as DPA, for some time. GDPR is yet another aspect of the worldwide revolution. The best approach has always been to “roll up your sleeves” and just move ahead.
Don’t rely on online search. A best practice is not determined by typing “what to do for GDPR” into a search engine, which produces 3,140,000 results in 0.35 seconds. Take GDPR seriously and be thoughtful about a plan with both legal and risk mitigation elements. There’s no single “how to” implementation plan; you are the “how to” plan.
And, definitely don’t delay. Fortunately, most organizations seem to be taking the new legislation seriously. A recent global survey conducted on 400 CIOs by Vanson Bourne revealed as many as 67% of European companies and 88% of U.S. organizations with European customer data have a clear idea of what GDPR entails. While the numbers look promising, there’s no doubt some businesses already know they will not be ready in time – some researchers predict up to 25% will fall short.
Does ISO 27001 implementation satisfy EU GDPR requirements?
The implementation of ISO 27001 covers most of the requirements of the EU GDPR; however, some controls should be adapted to include personal data within the Information Security Management System (ISMS).
In addition to what is planned for the implementation of ISO 27001, some measures will have to be included in order for an organization, controller or processor (both of them need to perform these activities), to ensure compliance with the EU GDPR, such as:
- Procedures for ensuring the exercise of the rights of data subjects;
- Mechanisms for the transfer of data outside the EU;
- Minimum content of the impact assessment on data protection;
- Procedures to be followed in case of a personal data breach.
All of these measures can be integrated into the Information Security Management System, allowing the guarantee of legal compliance and continuous improvement – even more so if the ISMS and the EU GDPR are aligned.
Is there one toolset or methodology for GDPR?
No. It’s just data. Of the hundreds of step-by-step practices for GDPR, many seem incomplete – some focus on risk, some on governance and some on an automated toolset. The best approach is to see IT leaders and their teams as trusted partners working on behalf of both the business and customers. They will then drive the implementation, extending themselves into another code of practice.
If you do need help, select an IT services company that provides implementation advice and expertise, but this is NOT an outsourced activity. Services companies that claim a cookie-cutter pathway for GDPR are getting it wrong. It’s really about workflow audit – start there. Next, construct a plan that is updated for governance and then share it company-wide. Without a massive amount of hand wringing, you will have started the process and will be on your way to compliance in 2018. In short, GDPR implementation is a process of protection, not a final destination or end result.