The General Data Protection Regulation (GDPR) is a regulation that will enforce a stronger data protection regime for organizations that operate in the European Union (EU) and handle EU citizens’ data. GDPR governs the protection of the personal data of employees, customers and others. Organizations that fail to comply with this regulation will be subject to heavy fines and reputational damage. Since personal data is critical and sensitive information that every organization should protect, the regulation will help put in place appropriate procedures and controls to prevent information security breaches. By May 2018, all organizations that operate in the EU, and those dealing with EU citizens’ data, must comply with this regulation.
This article enumerates ten steps to guide you in preparing for the General Data Protection Regulation (GDPR), which applies from 25 May 2018.
- Awareness – Understand the GDPR, Teach Others
As we count down to the deadline of May 25, 2018, it is essential to cross the ‘Ts’ and dot the ‘Is’. You should make sure that decision makers and key people in your organization are aware that the law is changing to the GDPR. It would be useful to start by assessing your organization’s risk of failing to comply. You may find compliance difficult if you leave your preparations until the last minute.
- Identify Information In Your Custody
You should document what personal data your organization holds about customers or stakeholders, especially data concerning EU citizens, where it came from and who you share it with. You should organize an information audit across the organization. The GDPR requires you to maintain records of your processing activities. For example, if you hold inaccurate personal data and have shared it with another organization, you will have to tell the other organization about the inaccuracy so it can correct its own records. You won’t be able to do this unless you know what personal data you hold, where it came from and who you share it with.
- Communicating Privacy Information
You should review your current privacy policy and notices and put a plan in place for making any necessary changes in time for the GDPR implementation. Currently, when collecting personal data you have to give certain information, such as your identity and how you intend to use the information. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your lawful basis for processing the data, your data retention periods, and that individuals have a right to complain if they think there is a problem with the way you are handling their data.
- Keep in Mind Individuals’ Rights
You should check your procedures to ensure they cover all the rights individuals have. This includes how you would delete personal data or provide it electronically, in a commonly used format.
The GDPR includes the following rights for individuals:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision-making, including profiling
- Put in Place a Procedure for Handling Requests
It is important to review and revise your procedures for handling requests, and to plan how you would handle them. For example, if someone asks to have their personal data deleted, would your systems help you locate and delete the data? Who will make these decisions? In addition, consider whether your organization is likely to handle a large number of requests, and consider the logistical implications.
- Put in Place a Consent Management System
You should review how you seek, record and manage consent, and consider whether you need to make any changes, for example refreshing existing consents if they don’t meet the GDPR standard. Consent must be freely given, specific, informed and unambiguous. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.
- Be Sensitive to the Protection of Minors
GDPR has given special protection to children’s personal data, particularly in the context of internet services such as social networking. If your organization offers online services to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.
- Ensure Effective Handling of Data Breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Where a breach is likely to result in a high risk to the rights of individuals (for example discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage), you will also have to notify those concerned directly.
- Designate a Data Protection Officer
You should consider whether your organization is required to formally designate a Data Protection Officer (DPO). You must designate a DPO if you are:
- a public authority (except for courts acting in their judicial capacity);
- an organization that carries out the regular and systematic monitoring of individuals on a large scale;
- an organization that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions.
However, it is a good idea for any organization to designate someone to take responsibility for data protection compliance.
- International Organizations, Beware!
If your organization operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this. The lead authority is the supervisory authority in the state where your main establishment is. (Your main establishment is the location of your central administration in the EU, or otherwise the location where decisions about the purposes and means of processing are taken and implemented.) This is only relevant if you carry out cross-border processing, i.e. you have establishments in more than one EU member state, or you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU states.
If this applies to your organization, you should map out where your organization makes its most significant decisions about its processing activities. This will help to determine your ‘main establishment’ and therefore your lead supervisory authority.
To meet GDPR, Mitiget helps organizations achieve data privacy and protection by design and by default. We empower teams with:
- Visibility into what users are doing and how they are handling personal data;
- The ability to anonymize all user data;
- Detection of data exfiltration, loss, and misuse;
- Investigative tools to help you notify authorities quickly about any data breaches, with full context at hand.
We can work with you to reduce misunderstandings around GDPR, build in privacy controls, and take the stress out of getting ready for this major new regulation.
Mitiget is an integrated business risk solutions and IT assurance provider. We assist organizations in mitigating the risks associated with internal systems, business processes, projects, applications, data and third-party reliance. Our cybersecurity and data centre services are the most cost-effective in our space today. Mitiget’s ISO certification processes are tailored to embed the relevant culture in business processes for continual improvement. We are experts at improving compliance postures across industries.