With only weeks left to meet the European Union’s General Data Protection Regulation (GDPR) compliance deadline, the countdown is not only on, it is in the final stages. The GDPR, which goes into effect on May 25th of this year, represents the most significant change to European privacy laws in the last two decades. Organizations should be well underway with their GDPR efforts by now, and have a clear sense of timing and remaining actions for successfully achieving compliance.
According to Gartner: “While there are fines and reputational risks at stake, global enterprises are likely to find it more economical to broadly implement a common set of operational best practices rather than try to manage a collection of local compliance measures that are constantly changing and may lack adequate safeguards. Incorporate the highest standards of data protection globally to save money and reduce compliance risk.”
It is worth reviewing the GDPR requirements and considerations:
Approved in 2016 by the EU, the GDPR overhauls and modernizes existing data laws, many of which date to an era before widespread internet accessibility. The regulation applies to any entity that controls or processes the personal data of European Union (EU) residents, whether that entity is physically located in the EU or not. Companies found in violation of the GDPR can be fined up to four percent of their global annual revenue or 20 million Euros, whichever is higher.
Organizations seeking to meet the challenges posed by the GDPR should be aware of the key changes that will come into effect once the law is implemented. These changes include, but are not limited to, the following:
- The definition of personal data. The new definition is more comprehensive and can include anything from names, emails, social media posts, medical records, IP addresses or other metadata.
- User profiling. Under GDPR, profiling of users through their interaction with a system or in the way a company analyzes their data comes under regulation.
- Rules for consent. The GDPR requires that consent can be withdrawn as easily as it is given. Further, requests for consent must be clear, intelligible, delivered in plain language and distinguishable from other materials.
- Right to erasure (“right to be forgotten”). EU residents can request that their data be erased; they can also request a halt to any further distribution of that information.
- Right to be informed. Businesses must be transparent about how they’re using the data collected.
- Lawful processing. Organizations must have a lawful basis to process personal data.
- Right to data access. EU citizens retain the right to discover how their data is being used, including where and for what purpose.
- Right to data portability. Individuals may transfer their data between multiple controllers.
- Right to breach notifications. Breach notifications – alerts issued when security lapses occur – are now mandatory, and must be issued within 72 hours of the breach.
- Transferring data internationally. Certain conditions must be satisfied before personal information can be transmitted beyond the EU.
- Privacy by design. Data protections must now be built in during development processes, not added after the fact.
To comply before the deadline, enterprises must take a data-centric, process-oriented approach to information privacy that starts with an understanding of the organization’s data landscape. The four key steps to this approach involve:
- Gaining clarity on where sensitive information resides, across every file server, database, and big data repository, both on-premises and in the cloud.
- Implementing the appropriate sensitive data protection controls to guard against external and insider threats.
- Fully automating processes for sensitive data governance. With data flows now including information from file stores, databases, Hadoop environments, and the cloud, there is simply too much information to manage manually.
- Generating sensitive data reports continuously for data at rest and in motion. The ability to monitor sensitive data will play a key role in ensuring GDPR compliance.
Organizations should work through these four steps and identify the necessary solutions to address each requirement and deliverable. Afterward, time should be spent completing the implementations needed, and asking the following questions:
- Is there a policy in place that identifies sensitive data throughout the organization?
- Has an initial discovery process been conducted to locate telephone numbers, account numbers, salaries, emails and more using automated technology to catalog what is known and unknown?
- Has an audit of the sensitive data been performed to determine the next steps in terms of which data should be encrypted, masked, etc.?
- Is there a clear understanding of what data can be posted on the Web versus what must be kept within the walls of the organization?
- Has the decision been made as to which data can be viewed by both insiders and outsiders? Are controls such as data-centric masking and encryption in place to prevent sensitive information from being viewed by those without authorized access?
- Is there a policy-based, automated approach to properly oversee the safe and compliant management of information?
- Does the solution selected indicate quantities of sensitive data in the enterprise, as well as the condition of that data, how much data has been scanned, the amount of data being monitored, and which data has been assigned with alert rules for 24×7 monitoring?
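The discovery, masking and reporting questions above, and the four steps that precede them (locate sensitive values, protect them, automate the process, report on what was found), can be illustrated with a small scanner. The following is an added example written for this page; it is not the article's own code and not a Dataguise product. The detection patterns, the `ACCT-` account-number format, the masking rules and the sample records are all constructed assumptions chosen to keep the example self-contained.

```python
"""Sensitive-data discovery, data-centric masking and a scan report over
constructed sample records (added example; patterns and formats are assumptions)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Pattern catalogue for the data types the article lists (emails, phones,
# account numbers, salaries, IP addresses). Order matters: each match is
# masked before the next pattern runs, so the digits of an account number
# are never counted a second time as something else.
PATTERNS = [
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("account_number", re.compile(r"\bACCT-\d{12}\b")),        # constructed format
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("phone", re.compile(r"\+\d{1,3}(?:[ -]\d{2,4}){2,3}\b")),  # international form only
    ("salary", re.compile(r"(?<=salary )\d[\d,]*\b")),
]


def mask(kind: str, value: str) -> str:
    """Data-centric masking: keep just enough of a value to stay useful to
    an authorised reader (email domain, last four digits) and hide the rest."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    if kind == "ipv4":
        return ".".join(value.split(".")[:2] + ["x", "x"])
    if kind == "salary":
        return "***"
    # account numbers and phone numbers: keep the last four characters
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class Finding:
    record_id: str
    kind: str
    masked_value: str


@dataclass
class ScanReport:
    """What the article's reporting step asks for: how much was scanned and
    how much sensitive data, of which kinds, was found."""
    records_scanned: int = 0
    findings: list[Finding] = field(default_factory=list)

    def counts(self) -> dict[str, int]:
        return dict(Counter(f.kind for f in self.findings))


def scan_record(record_id: str, text: str, report: ScanReport) -> str:
    """Discover sensitive values in one record, log each finding to the
    report, and return the record with those values masked."""
    for kind, pattern in PATTERNS:
        def _replace(match: re.Match, kind: str = kind) -> str:
            masked = mask(kind, match.group(0))
            report.findings.append(Finding(record_id, kind, masked))
            return masked
        text = pattern.sub(_replace, text)
    return text


def scan_records(records: dict[str, str]) -> tuple[ScanReport, dict[str, str]]:
    """Run discovery over a whole set of records; returns the report and
    the masked copies keyed by record id."""
    report = ScanReport()
    masked = {}
    for record_id, text in records.items():
        masked[record_id] = scan_record(record_id, text, report)
        report.records_scanned += 1
    return report, masked


# Constructed sample records standing in for rows pulled from a file share
# or a database export; none of these values are real.
SAMPLE_RECORDS = {
    "hr/payroll-0001": "Alice Smith, alice.smith@example.org, +49 30 1234 5678, salary 61,000 EUR",
    "crm/ticket-4411": "Customer ACCT-123456789012 reported login from 203.0.113.42",
    "web/press-release": "Our new office opens in Dublin next quarter.",
}

if __name__ == "__main__":
    report, masked = scan_records(SAMPLE_RECORDS)
    print(f"records scanned: {report.records_scanned}")
    print(f"sensitive values by type: {report.counts()}")
    for record_id, text in masked.items():
        print(f"{record_id}: {text}")
```

The report's per-type counts are the figures a compliance dashboard would show ("how much data has been scanned" and "quantities of sensitive data"), while the masked copies are what could be released to readers who are not authorised to see the originals. In a real deployment the pattern catalogue would be far larger and validated against false positives, and records would be streamed from the stores rather than held in a dictionary.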
After the above review, it will be time to assess the system and do any necessary fine tuning for quality assurance.
Feeling behind schedule? Take note of an opinion piece by Paige Bartley, Senior Analyst at Ovum, a leading analyst firm covering GDPR, who observed the challenges facing the enterprise as steps are taken towards compliance.
“Many firms are realistically going to have to prioritize their GDPR compliance goals with respect to the deadline, and prioritize the data that they target for control. While this may not seem ideal in comparison to striving for full compliance, it may be more justifiable than a last-minute, uncoordinated rush to meet deadlines,” said Bartley. “The enterprise that finds itself in this position will be best served to stay the course, sticking closely to its predetermined plans, and documenting the exact steps that were taken to prioritize certain data or objectives over others. As long as good intent and systematic action can be demonstrated, the enterprise will receive a certain degree of insulation from regulatory action.”
By Manmeet Singh, Co-Founder & CEO, Dataguise