Are you ready yet? General Data Protection Regulation (GDPR) readiness has been top of mind for chief information security officers (CISOs) and privacy and risk management leaders for the past year. The regulation comes into effect, and will be enforced, on May 25, 2018, now fewer than 50 days away.
Some of you are still concerned about whether your organization will be fully compliant in time. “I receive an average of 30 inquiries a week from CIOs and security and risk management leaders who are still unsure about the steps they need to take to comply,” says Bart Willemsen, research director at Gartner.
“To enhance customer trust and avoid hefty fines, it is crucial for CIOs and business leaders to identify all business processes impacted by the GDPR, and for their security and risk management leaders to put in place a program for GDPR compliance.”
To help organizations prepare, Willemsen answers the GDPR questions that are top of mind for CISOs.
What is “processing” of personal data?
Any action on data may be considered processing, from creating or obtaining the data to destroying it at the end of its life cycle, and every action in between. These actions include copying, changing, pseudonymizing, transferring, storing and, more broadly, everything an organization does with the data. Merely displaying data on the screen of a tablet in Dubai counts, even when the data itself sits in a Dutch data center: remote viewing is processing, and in that case it is also a transfer of the data outside the EU.
Who in the organization is responsible for compliance?
Setting the stage for compliance means organizing the company so that responsibilities are clearly assigned and mutually understood. The organization should therefore appoint business process owners. Part of their responsibilities will consist of conducting privacy impact and risk assessments periodically, and judging whether the outcome is within the mandated risk appetite. They should therefore also have the resources and discretion to mitigate accordingly.
So that the business process owner can make an informed decision, security and risk management leaders must assess both the privacy risks and the business risks of each processing activity. They should then propose mitigating measures for the business process owner to decide on, and implement them as instructed. The business representative explicitly accepts the residual risk, or increases mitigation until the residual risk is within acceptable limits.
What personal data can I process?
With the proper controls, almost any data can be processed. However, an organization must first determine the legal grounds for processing, then document the purposes for processing that data. Once these purposes are determined, the organization can provide the reasoning behind what personal data must be processed to achieve them.
The next step is to relate each data element to the purposes it serves. That mapping is governed by the retention scheme, which records a retention period for each purpose and thereby shows which data may be used in which context. Permitting only the authorized use of personal data brings with it the obligation to prevent every other disclosure; this in turn dictates authorization and access management and the application of pseudonymization tooling. Once all the purposes a record serves have been achieved and their retention periods have expired, the organization should delete the personal data.
Time is a critical success factor for a data breach response, and data that has already been deleted cannot be breached. Retention periods should therefore be as short as possible and only as long as can be justified as "necessary" in the context of the processing purpose. To protect personal data adequately and to gain insight into the relevant privacy risks, the sensitivity of any personal data that is processed should be assessed in the context in which it is processed.
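The retention scheme described above, as an added Python example (not code from the original article or from Gartner): a record is related to the purposes it serves, each purpose has a retention period, a view of the record releases only the fields that purpose is authorized to use (with a keyed, per-purpose pseudonym in place of the identifier), and the record becomes due for deletion once every purpose is achieved and its retention period has run out. The purposes, periods, field lists, key, reference date and sample records are all constructed for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Retention scheme (constructed example values): for each documented purpose,
# how long the data may be kept after that purpose has been achieved.
RETENTION_SCHEME = {
    "order_fulfilment": timedelta(days=30),
    "tax_records": timedelta(days=7 * 365),
    "marketing": timedelta(days=0),   # keep only while the purpose is live
}

# Which personal data elements each purpose is authorized to use.
PURPOSE_DATA = {
    "order_fulfilment": {"name", "shipping_address", "email"},
    "tax_records": {"name", "invoice_total"},
    "marketing": {"email"},
}

# Hypothetical pseudonymization key; in practice it lives outside the data store.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"

# Constructed reference date used by the sample run and the checks below.
TODAY = date(2024, 3, 1)


@dataclass
class Record:
    subject_id: str
    data: dict        # field name -> value
    achieved: dict    # purpose -> date the purpose was achieved, or None while ongoing


def active_purposes(record: Record, today: date) -> set:
    """Purposes that are still running, or achieved but within their retention period."""
    active = set()
    for purpose, done_on in record.achieved.items():
        if purpose not in RETENTION_SCHEME:
            # A purpose that is not documented has no recorded legal basis.
            raise ValueError(f"purpose {purpose!r} is not in the retention scheme")
        if done_on is None or today <= done_on + RETENTION_SCHEME[purpose]:
            active.add(purpose)
    return active


def pseudonym(subject_id: str, purpose: str) -> str:
    """Keyed, per-purpose pseudonym (HMAC-SHA256). The same subject gets a different
    pseudonym under each purpose, so datasets cannot be joined without the key."""
    msg = f"{purpose}:{subject_id}".encode()
    return hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()


def view_for_purpose(record: Record, purpose: str, today: date) -> dict:
    """Release only the fields the stated purpose may use; refuse if the purpose
    is not active for this record (achieved and retention expired, or never served)."""
    if purpose not in active_purposes(record, today):
        raise PermissionError(
            f"purpose {purpose!r} is not active for subject {record.subject_id}")
    allowed = PURPOSE_DATA[purpose]
    view = {k: v for k, v in record.data.items() if k in allowed}
    view["subject"] = pseudonym(record.subject_id, purpose)
    return view


def should_delete(record: Record, today: date) -> bool:
    """True once every purpose is achieved and its retention period has passed."""
    return not active_purposes(record, today)


def enforce_retention(records: list, today: date) -> list:
    """Return the records that may still be kept; the rest are due for deletion."""
    return [r for r in records if not should_delete(r, today)]


# Constructed sample records.
CUSTOMER = Record(
    subject_id="cust-1001",
    data={"name": "A. Example", "shipping_address": "1 Example St",
          "email": "a@example.test", "invoice_total": "49.90"},
    achieved={"order_fulfilment": date(2024, 1, 10), "tax_records": None},
)
PROSPECT = Record(
    subject_id="lead-2002",
    data={"email": "b@example.test"},
    achieved={"marketing": date(2024, 1, 1)},   # consent withdrawn on this date
)

if __name__ == "__main__":
    print(view_for_purpose(CUSTOMER, "tax_records", TODAY))
    try:
        view_for_purpose(CUSTOMER, "order_fulfilment", TODAY)
    except PermissionError as exc:
        print("refused:", exc)
    print([r.subject_id for r in enforce_retention([CUSTOMER, PROSPECT], TODAY)])
```

On the reference date the order was fulfilled more than 30 days earlier, so a request to see the customer's shipping address "for order fulfilment" is refused, while the tax-records purpose still permits the name and invoice total. The prospect whose marketing consent ended has no live purpose left and is returned as due for deletion. Using a different pseudonym per purpose is what makes the authorization boundary hold against joining two purpose-specific extracts.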
Is there anything special about consent?
Yes. The characteristics of consent are quite specific. For one, it must be freely given, meaning there is no coercion, cross-selling or pressure. This is not always straightforward. For example, some employees might fear losing their job if they do not consent to a specific processing activity, so employers should tread carefully when relying on consent alone as the legal basis.
Consent, moreover, must be unambiguous, given per purpose and well informed, which requires absolute clarity in the information provided at the point where consent is obtained. It is also worth adding that consent management lies with the data controller, who must be able to demonstrate that consent was given. That means recording (logging) not only the consent itself, but also the conditions under which it was provided: when, for which purpose, and on the basis of what information.
Will we be fined for a data breach?
Not necessarily. Short of not processing personal data at all, 100% security does not exist. Organizations should assume a data breach will happen. They are, however, responsible for applying sufficient preventive, detective and other countermeasures.
Although experiencing a data breach is not in itself sanctionable, a data breach, meaning any unintended loss of (control over) personal data, must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. When the breach is likely to result in a high risk to those individuals, the organization must notify them as well. A subsequent investigation, or even the lack of a notification, may reveal noncompliance, which in turn can be grounds for regulatory action.
“It is clear that security and risk management leaders can’t ‘go at it alone,’ and must involve a multidisciplinary team to translate all the requirements of the GDPR and prioritize risk mitigation actions,” says Willemsen.