What is "processing" of personal data?
Any action on data may be considered processing — from creating or obtaining the data to destruction at the end of its life cycle, and all the actions in between. These actions include copying, changing, pseudonymizing, transferring, storing and, more broadly, everything an organization does with the data. This may include showing data on the screen of a tablet in Dubai when the data actually sits in a Dutch data center.
Who in the organization is responsible for compliance?
Setting the stage for compliance requires setting up the organization to enable the correct mutual responsibilities. The organization should therefore appoint business process owners. Part of their responsibilities will consist of conducting privacy impact and risk assessments periodically, and addressing whether the outcome is within the mandated risk appetite. Therefore, they should also have the resources and discretion to mitigate accordingly.
To enable the organization to make an informed decision based on the privacy assessment exercise, security and risk management leaders must assess both privacy and business risks. They should then suggest mitigating measures to the business process owner, who decides on them, and implement the measures as instructed. The business representative explicitly accepts the residual risk, or increases mitigation until the residual risk is within acceptable limits.
What personal data can I process?
With the proper controls, almost any data can be processed. However, an organization must first determine the legal grounds for processing, then document the purposes for processing that data. Once these purposes are determined, the organization can provide the reasoning behind what personal data must be processed to achieve them.
The subsequent cross-relation of the data processed with the purposes that data serves is governed by the retention scheme, which contains the retention periods for each purpose. A retention scheme shows what data is allowed to be used in which context. Enabling only the authorized use of personal data brings with it inherent requirements to prevent other disclosures. This, in turn, dictates authorization and access management and the application of pseudonymization tooling. Once all purposes a record serves are achieved and the retention periods have expired, organizations should delete the personal data.
Time is a critical success factor for a data breach response. Retention periods are, ideally, as short as possible and only as long as can be justified as "necessary" in the context of the processing purpose. To enable adequate protection of personal data and allow insight into relevant privacy risks, the sensitivity of any personal data that is processed should be observed in the processing context.
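The retention scheme described above, as an added worked example that is not part of the original article: each record carries the purposes it serves, each purpose in a constructed scheme names the fields it justifies and its retention period, and a field becomes deletable only once no live purpose still covers it. The scheme contents, purpose names and retention periods are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention scheme (an assumed layout, not taken from any regulation):
# each processing purpose lists the data elements it justifies and how long they
# may be kept, counted from the day the purpose has been achieved.
RETENTION_SCHEME = {
    "order_fulfilment": {"fields": {"name", "address", "email"}, "retention_days": 30},
    "tax_bookkeeping": {"fields": {"name", "address"}, "retention_days": 7 * 365},
    "newsletter": {"fields": {"email"}, "retention_days": 0},
}

@dataclass
class Record:
    subject_id: str
    purposes: set            # purposes this record is processed for
    achieved_on: dict = field(default_factory=dict)  # purpose -> date it was achieved

def allowed_fields(record: Record, purpose: str) -> set:
    """Purpose limitation: which fields may be shown in a given processing context."""
    if purpose not in record.purposes or purpose not in RETENTION_SCHEME:
        return set()  # no documented purpose, so no authorized use
    return set(RETENTION_SCHEME[purpose]["fields"])

def purpose_expired(record: Record, purpose: str, today: date) -> bool:
    """A purpose is spent once it is achieved and its retention period has run out."""
    done = record.achieved_on.get(purpose)
    if done is None:
        return False  # still being pursued; the retention clock has not started
    return today > done + timedelta(days=RETENTION_SCHEME[purpose]["retention_days"])

def deletable_fields(record: Record, today: date) -> set:
    """Fields that no remaining live purpose justifies; these must be deleted now."""
    live, known = set(), set()
    for purpose in record.purposes:
        known |= RETENTION_SCHEME[purpose]["fields"]
        if not purpose_expired(record, purpose, today):
            live |= RETENTION_SCHEME[purpose]["fields"]
    return known - live

def record_deletable(record: Record, today: date) -> bool:
    """The whole record goes when every purpose it serves has expired."""
    return all(purpose_expired(record, p, today) for p in record.purposes)
```

A field shared by several purposes (here "name" and "address" under both order fulfilment and tax bookkeeping) survives as long as the longest live purpose, which is why deletion is evaluated per field and not per purpose.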
Is there anything special about consent?
Yes. The characteristics of consent are quite specific. For one, it should be freely given, indicating there is no coercion, cross-selling or pressure. This is not always straightforward. For example, some employees might be afraid to lose their job if they don't consent to a specific processing activity. Employers should therefore tread carefully when relying solely on the agreement.
Consent, moreover, must be unambiguous, provided per purpose and "well informed," requiring absolute clarity of the information provided where consent is obtained. It is also worth adding that proper consent management lies with the data controller and includes not only administration (logging) of the consent itself, but also the conditions under which it was provided.
Will we be fined for a data breach?
Not necessarily. Barring the absence of any processing activity, 100% security does not exist. Organizations should assume a data breach will happen. They are, however, responsible for the application of sufficient preventative, detective and other countermeasures.
Although experiencing a data breach in itself is not sanctionable, a data breach — or "every unintended loss of (control over) personal data" — must be communicated to the regulatory authority within 72 hours of detection. When the breach has a potential impact on the subjects, the organization should notify those individuals as well. A subsequent investigation, or even the lack of notification, may reveal noncompliance, which in turn can be reason for regulatory action.
"It is clear that security and risk management leaders can't 'go at it alone,' and must involve a multidisciplinary team to translate all the requirements of the GDPR and prioritize risk mitigation actions," says Willemsen.