The European Commission’s plan to harmonise the EU data protection regime is likely to affect many organisations. GDPR, which is expected to come into force at the end of this year or early in 2016, will raise the bar for compliance and could stipulate fines of up to five per cent of global turnover for data breaches.
The two core themes of the proposed regulation are responsibility and accountability. Key changes include: mandatory data breach notification within three days; consent that can no longer be implied but must be explicit; and the mandatory appointment of independent data protection officers who answer directly to local regulators (a requirement triggered by either the number of data subjects a company processes or the number of employees in the organisation).
Many companies are underestimating the effort involved in implementing these new requirements. Espion, a specialist in managing and securing corporate information, advises those charged with protecting their organisations’ sensitive data to make senior management aware of GDPR now, so that they receive the buy-in, resources and budget required to adapt to the new measures. The firm is also encouraging practitioners to use the new regulation as an opportunity to drive through the robust information security measures they have long advocated.
Espion consultancy team lead, Gavin D’Alton, explains: “Information security teams will most likely bear the brunt for ensuring their organisation is compliant when the regulation comes into force. It is in their interest to ensure Data Protection is at the top of the boardroom agenda now.
Boards will need to be aware they must have an independent Data Protection Officer. Many organisations will also need to review their incident response plans, as new rules could require notification to a national authority within three days of a breach, which is a tall order in a crisis situation.
The change that’s most likely to get senior management’s attention is the proposed fines and sanctions for a breach – up to five per cent of global annual turnover. As prevention is infinitely better than cure, Information Security practitioners hold the card to drive through Data Protection best practices.”
Espion’s Gavin D’Alton suggests measures to assist Information Security & Compliance Pros in their GDPR preparations.
- Get the Board On-Board
Board buy-in is key to getting the resources and support needed to adequately address new Data Protection obligations. Ensure the impact of the new requirements is understood both operationally and financially.
- Scope your data now
Organisations need to develop a comprehensive understanding of the scope of their environment, including the types of data held and their sensitivity. Likewise, organisations need to fully understand the flows of personal data within their company and identify any potential for breaches.
- Train up a Data Protection Officer (DPO) now
With widespread reports of shortages of suitably qualified DPOs in the EU, organisations may want to consider training up an individual to act as their DPO in advance of the GDPR (for example, Data Protection qualifications can be obtained from the International Association of Privacy Professionals (IAPP)). Alternatively, organisations should consider engaging a qualified third-party DPO on an outsourced basis.
- If your business is outside the EU, plan to appoint a DP representative who is based in the EU
The territorial scope of Data Protection has been extended to organisations outside the EU that process data relating to EU citizens (including those offering services to them or monitoring their behaviour). This means EU Data Protection law will apply to non-European companies if they do business within the EU.
While many global multinationals have adopted Binding Corporate Rules, many SMEs will need to be aware of such codes of conduct and how best to apply them.
Companies that rely on the Safe Harbor Agreement must remain aware of developments and consider appointing a European-based Data Protection representative to address their heightened data protection obligations.
- Look at what data you process – create an Information Management Policy and data registers / flows
Knowing your data sources and keeping that inventory up to date will help to ensure the confidentiality of the data and assist information security practitioners in applying appropriate defence techniques.
An Information Management Policy is the roadmap for how data and information is captured in an organisation. It should describe how data is collected, collated, captured and analysed as well as define data flows and the roles of each person in the information management cycle.
- Be prepared to “act fast” if breached
GDPR is likely to require that organisations notify their national authority within 24 to 72 hours of a breach (where feasible).
Organisations need to prepare a response plan now to ensure they can react to the incident itself while notifying data subjects and regulators within a compliant timeframe.
- Review contracts with data processors to ensure that the terms regarding Data Protection are strong enough
If your organisation engages the services of a sub-contractor to process personal data (such as a payroll company) then you must ensure Data Protection standards are maintained. Appropriate security and data protection safeguards must be enforced at a contractual level.
- Review your internal Data Protection policies & training materials
If policies and procedures do not exist, you will need to create these from scratch. If your organisation already has policies and procedures in place, these will need to be reviewed in line with the new DP regulations to ensure that the updated requirements are accounted for.
Knowing exactly how and where the new regulations apply to your business can mean the difference between full compliance and the risk of a serious fine, with all the damage to corporate reputation that carries.
Under existing regulation, all staff who handle personal data in an organisation must receive Data Protection training appropriate to their level of responsibility, with specialist tailored training for staff processing sensitive personal data. Your training may need to be reviewed and brought in line with GDPR.
- Introduce Privacy Impact Assessments to detect Data Protection risks at an early stage
Another of the key new requirements is ensuring that privacy is built into all operations involving personal data by default; privacy can no longer be treated as an afterthought. This can be achieved by integrating Privacy Impact Assessments (PIAs) into your existing project and risk management processes. PIAs are a structured process for identifying and minimising the privacy risks of new projects, processes or policies; they will be essential to ensure and demonstrate compliance with privacy-by-design requirements.
- Review all consents received for direct marketing to ensure that they fit within the new definition of consent
When it comes to collecting data under GDPR, organisations will be required to obtain explicit consent from data subjects (either by a statement or by a clear affirmative action) that demonstrates their agreement to the processing of their personal data. For children under 13 years of age, the child’s parent or guardian must consent.
Sales, marketing and HR will need to be briefed that a data subject’s silence or inactivity does not constitute consent. The processes and mechanics for data capture (such as online forms or cookies) may need to be redesigned to present data processing policies in line with the spirit of the regulation, which calls for more transparency via icon-based privacy notices (suggesting an “infographic” style of communicating policies to end users).