The EU General Data Protection Regulation (GDPR) takes effect on 25 May 2018 and requires organisations to identify and protect the personal data of individuals in the EU.
The new regulation means that any organisation, big or small, that collects, stores or uses personal data about people in the EU will need to comply with its rules, wherever that organisation is based.
But reports have suggested that many IT security professionals are either not preparing or are unaware of any changes that need to be made to their business processes to ensure compliance.
It’s crucial that organisations do not stick their heads in the sand regarding the new regulations, or believe that the rules do not apply to them without fully understanding them. After all, those that do not comply with the new regulations face potentially severe penalties.
So the question is, where do you start?
Well, consider the objectives of the GDPR. They are to 1) give citizens and residents back control of their personal data and 2) simplify the regulatory environment for international business by unifying the regulation within the EU.
Another key point to understand early on is that although the UK has voted to leave the EU, UK businesses will still have to comply with the GDPR if they handle data about individuals in the EU, or data that could identify them. What’s more, digital minister Matt Hancock has confirmed that the UK will replace the Data Protection Act 1998 (DPA) with legislation that mirrors the GDPR post-Brexit.
The key stipulations of the GDPR are:
- Some organisations must appoint a Data Protection Officer (DPO), who is responsible for ensuring that the business collects and secures personal data responsibly. The trigger (Article 37) is not headcount but the nature of the processing: the duty applies to public authorities, and to any controller or processor whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of the special categories of data defined in Article 9.
- The often-quoted 250-employee threshold comes from Article 30 instead: organisations below it are exempt from keeping full records of processing activities, but only if their processing is occasional, is unlikely to result in a risk to the rights and freedoms of data subjects, and does not include special categories of data.
- Personal data breaches must be reported to the supervisory authority, such as the Information Commissioner’s Office (ICO) in the UK, without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. Where a breach is likely to result in a high risk, the affected individuals must be informed as well.
- Individuals have more rights dictating how businesses use their personal data. In particular, individuals have a ‘right of access’, a ‘right to data portability’ and a ‘right to erasure’ (the ‘right to be forgotten’).
Failure to comply with the GDPR will lead to heavier punishments than ever before. Under the current rules, the UK’s Information Commissioner’s Office (ICO) can fine up to £500,000 for malpractice, but the GDPR provides for fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher). What’s more, individuals can sue a business for compensation to recover both material damage and non-material damage, such as distress.
So what are the steps your business should be taking? I believe that there are three steps to getting a business ready for the GDPR:
Data management begins with discovery
Before you can implement any processes for handling personal data, or for responding to requests about it, under the GDPR, you must first find the relevant data within your organisation. Advice from the UK’s ICO and other national authorities concurs with this approach and lists “identify what data you hold” as a key preparatory step.
Given how rapidly data is collected, created and stored by organisations, finding this out manually is impractical. What is correct at the beginning of the year could be wildly different six months later. Moreover, a manual survey produces a catalogue of where people think data is held and processed (usually the systems designed to hold it, such as a CRM system) rather than where it actually is (such as a spreadsheet extracted from the CRM system to run a regular report).
Creating a data inventory need not be arduous. Applying Big Data and Machine Learning techniques as part of an eDiscovery and data-mapping process lets you find and categorise data rapidly and on an on-going basis, supporting continual compliance rather than compliance at a single point in time. A further benefit of automated discovery is that it surfaces data you did not know your organisation held.
Classify what you find
Once you’ve found your data, you need to classify it: for corporate governance, and because the GDPR treats the special categories of personal data listed in Article 9 (health, racial or ethnic origin, religious beliefs, trade-union membership and so on) more strictly than other personal data.
To make sure that classification is applied consistently, don’t rely on people remembering the rules or consulting a lengthy guidebook. Machine Learning and rule-based classifiers apply the same criteria to every data point every time, which is more than a manual process can promise; the cases they flag as uncertain are where your people’s review belongs.
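The discovery and classification steps above, as an added example that is not from the original article or any product it describes. It uses regex indicators and keyword lists rather than the Machine Learning approach the article mentions, so it is a deliberately simple stand-in; the sample files (including the CRM export sitting in a reports folder), directory names and category labels are constructed for illustration and are not real data.

```python
"""Rule-based personal-data discovery and classification over a file tree.

Added example: regex and keyword rules stand in for the ML classifier the
article describes. All sample files, paths and labels below are constructed.
"""
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Indicators that a record identifies a natural person (GDPR Art. 4(1)).
# Deliberately narrow; a real scanner would add names, postcodes, dates of
# birth and internal customer IDs that are linkable to a person.
PERSONAL_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "uk_national_insurance": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "uk_mobile": re.compile(r"\b07\d{3}\s?\d{6}\b"),
}

# Vocabulary hinting at special categories of personal data (GDPR Art. 9).
SPECIAL_CATEGORY_TERMS = {
    "health": ("diagnosis", "sick note", "medical condition"),
    "ethnic_origin": ("ethnic origin", "ethnicity"),
    "religion": ("religious belief", "religion"),
    "trade_union": ("trade union", "union membership"),
}

SCANNED_SUFFIXES = {".txt", ".csv", ".md", ".log"}


@dataclass
class Record:
    """One line of the data inventory: where the data is and what it looks like."""
    path: str
    personal_hits: dict = field(default_factory=dict)   # indicator -> count
    special_hits: set = field(default_factory=set)      # Art. 9 categories seen

    @property
    def classification(self) -> str:
        if self.personal_hits and self.special_hits:
            return "SPECIAL_CATEGORY"   # identifiable person plus Art. 9 data
        if self.personal_hits:
            return "PERSONAL"
        if self.special_hits:
            return "REVIEW"            # Art. 9 vocabulary but nobody identified
        return "NONE"


def classify_text(path: str, text: str) -> Record:
    """Apply the personal-data regexes and Art. 9 keywords to one document."""
    rec = Record(path=path)
    for name, pattern in PERSONAL_PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            rec.personal_hits[name] = count
    lowered = text.lower()
    for category, terms in SPECIAL_CATEGORY_TERMS.items():
        if any(term in lowered for term in terms):
            rec.special_hits.add(category)
    return rec


def scan_directory(root: Path) -> list:
    """Walk root and classify every text-like file, ad hoc exports included."""
    records = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SCANNED_SUFFIXES:
            text = p.read_text(encoding="utf-8", errors="ignore")
            records.append(classify_text(p.relative_to(root).as_posix(), text))
    return records


def build_sample_corpus(root: Path) -> None:
    """Constructed sample files (not real data); 07700 900xxx is a reserved drama range."""
    files = {
        "reports/crm_export_q3.csv": (
            "name,email,mobile\n"
            "Jane Doe,jane.doe@example.com,07700 900123\n"
        ),
        "hr/absence_notes.txt": (
            "Employee AB123456C: diagnosis of asthma, sick note attached.\n"
        ),
        "policy/benefits_overview.txt": "Trade union membership is voluntary.\n",
        "reports/readme.txt": "Quarterly sales totals by region. No customer detail.\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def run_demo() -> dict:
    """Build the sample corpus in a temp dir, scan it, return path -> classification."""
    root = Path(tempfile.mkdtemp(prefix="gdpr_inventory_"))
    build_sample_corpus(root)
    return {r.path: r.classification for r in scan_directory(root)}


if __name__ == "__main__":
    for path, cls in run_demo().items():
        print(f"{cls:17} {path}")
```

The REVIEW outcome is the point worth keeping from this toy: Article 9 vocabulary on its own (a benefits policy that mentions trade unions) is not personal data, whereas the same words next to an identifier (an HR note keyed by National Insurance number) are, and the classifier should hand the ambiguous cases to a person rather than guess. Re-running the scan on a schedule, instead of once, is what turns this into the on-going inventory the article argues for.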
Implement Relevant Processes
Once you have identified and classified your data, you have a robust platform on which to implement your processes. This third step is where the skills of your people, and of any consulting teams you engage, come in, to do the following:
- Decide which processes are required – this may include:
- Handling of requests for information
- Handling requests for deletion of data
- Managing interactions with third-parties and assessing their compliance status
- Communication of the GDPR and what it means, throughout your organisation
- Decide which processes can be automated, and which need to be handled by people.
These are the first steps in what will be an on-going process, but I believe they are crucial for any organisation that wants to get it right first time. After all, understanding which types of data the GDPR covers is one thing; finding where that data is held and who is responsible for it is another issue entirely, and, unfortunately, without the right tools I can see many organisations running into trouble.
In a perfect world, all data would be stored securely, and processes would be in place to ensure personal data is kept separately under a security framework.
But in my experience, that’s just not the reality. Across the organisations we have worked with, there is an average of 10GB of unstructured data per employee, and 9% of that data contains personally identifiable information.
So don’t be caught out when the GDPR comes into force next year. Get a grip on your data now and understand what the new rules mean for your business.