The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) becomes effective on May 25, 2018. It is an extensive and unifying regulation pertaining primarily to the privacy of personal data belonging to or derived from EU citizens and residents. With its focus on personal privacy, the GDPR is quite different from US regulations which tend to focus on requirements to secure data from unauthorized access or exposure.
In Part 1 of this series, I provided an overview of GDPR and outlined the requirements as well as some of the potential challenges. This article provides my tips for complying with the regulation.
Read the GDPR yourself – The regulation is only 55 pages long and fairly easy to read. This will help you separate reality from hype.
Determine applicability – Next, determine whether GDPR even applies to your company. The threshold question here is whether you store the personal data of EU citizens. That definition is pretty broad, though, so if you think you might be in control of such data, you probably do have to comply with GDPR.
Start your compliance process ASAP – Most compliance efforts will take some time, and with the regulation (and penalties) going into effect in May 2018, there is no time to lose.
Perform a GDPR gap assessment – Use the actual regulation as the source of requirements and not guidance from security solution providers.
Formalize and document your efforts to comply – Keep documentation on your data protection impact assessments, your efforts to achieve privacy by design, and so on. A Data Protection Authority can demand evidence of compliance at any given time, and comprehensive and up-to-date documentation will help.
Don’t jump to buying new products – You shouldn’t have to buy a bunch of new products to comply with GDPR. Every security vendor is claiming that its products help you achieve compliance with GDPR; however, many vendors misrepresent the actual requirements. Many of the most significant changes require changes to business processes, not implementation of new technology. The regulation calls for risk based implementation of data protection controls. It does not specify which controls you must deploy.
Join the EU-US Privacy Shield Program – If you are outside of Europe and will act as a data processor of EU personal data, join the EU-US Privacy Shield Program. The registration process includes a review by a privacy attorney of your privacy policy, which will ensure that you are meeting the notice requirements. The self-certification process also will help you determine if you are compliant.
Formally appoint a Data Protection Officer (DPO) – The regulation requires appointment of a DPO. This person should be independent and high ranking. Article 39 of the regulation outlines the person’s tasks.
Build a cross-functional compliance team – The GDPR is more than a security regulation, so the team assigned to ensure compliance must draw from many area of your company (Chief Privacy Officer, General Council, etc.).
Adjust your incident response plan – In the event you have a reportable incident, you will have to provide notice to the Data Protection Authority (DPA). Update your incident response plan to include this step.
Update your privacy policy to include the required notices – GDPR includes rules on giving privacy information to data subjects. There is an emphasis on making privacy notices understandable and accessible.
Determine the best ways to facilitate data subject rights – GDPR gives data subjects rights for consent, access, data portability, rectification, erasure, explanation for automated decision making, and more. These rights could require new processes and new communication methods.
In summary, GDPR potentially could have wide-ranging implications for how your company maintains and treats covered customer data. The penalties for non-compliance are stiff. Assemble your team, do your gap assessment, and begin your compliance efforts as soon as possible to be ready for the May 2018 effective date.
A good resource for additional information is the SANS Institute document: Preparing for Compliance with the General Data Protection Regulation (GDPR), A Technology Guide for Security Practitioners
Schaufenbuel holds a Juris Doctor degree and a Master of Laws degree from the John Marshall Law School in Chicago. He has a special interest in data privacy issues.