GDPR – Starter Guide
“Data is the new Oil” – is a statement which resonates the underlying philosophy for any information security regulation in today’s world.
Securing and protecting this data is one of the most important tasks at hand for organizations as well as nation-states. Thus, we are observing a huge surge in data privacy regulations being adopted or enforced by nations including Singapore, China, Europe, UK, India, US and more.
GDPR (General Data Protection Regulation) is one of the most widely recognized privacy regulations. GDPR was adopted by EU in 2016 and was enforceable from 2018 for all the organization working in the EU (including UK) and handling data for EU citizens or residents.
In preparing their companies to comply with this regulation, the question which continues to haunt CIOs, CTOs, CISOs is “Where to Start?”
GDPR Starter Guide Checklist
This blog will act as a quick starter guide for GDPR.
Step One – Is GDPR applicable for my organization?
Personal data qualifies under the GDPR standard when any individual can be directly or indirectly identified from the information in question. This can be a single identifier or a collection of identifiers.
Assess whether your organization handles (stores, transmits, processes or controls) personal data for professional or commercial activity.
- If yes, then whether your organization operates in the EU or UK. If yes, then GDPR applies.
- If no, then is your organization operating in EU / UK and processing personal data, then GDPR applies as well.
Step Two – Are we a Controller or a Processor?
Identifying whether you are a Controller or Processor, based on the kind of business or operations that you run is also critically important.
- Controllers are entities who exercise overall control over the purposes and means of the processing of personal data. Controllers are the decision-makers when it comes to handling or processing personal data. If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.
- Processors act on behalf of, and only on the instructions of, the relevant controller. In most cases, processors act as outsourced partners or third-party partners for the controllers.
Step Three – Appoint a DPO
Data Protection Officers are required if you are a public authority or body, or if you carry out certain types of processing activities. However, having a DPO role is a good-to-have whether you are required to have one or not.
- DPO should be an independent role reporting directly to the highest management in the organization.
- DPO should be responsible for all matters related to data protection. DPO will be tasked to monitor internal compliance, inform, and advise on organization’s data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs).
- DPO’s contact details should be published internally to all employees and available to everyone including regulators.
Step Four – Data Minimization
Data minimization requires you to identify the personal data being handled or processed by your organization. Additionally, you will need to identify the locations where this personal data is present. It is recommended to use an automated data discovery tool like ControlCase Data Discovery Tool.
Once the personal data location and data types are identified, you need to maintain a data matrix. All unnecessary data processed or stored should be securely removed from the environment.
You must ensure the personal data you are processing is:
- limited to what is necessary
Step Five – Consent
GDPR mandates that personal data from the customers cannot be stored, handled, or processed by the organization without written consent from customer/consumer.
Consent can be registered and archived in one of several ways:
- Countries where there is a legal requirement for hard copies, the organizations can have download links for forms which the customers can read, sign, and then share with the organizations as their consen
- The other most accepted and implemented method is have a disclaimer page covering all the necessary terms for consent regarding the storage of data or website cookies and a accept checkbox which once clicked will act as formal consent from the user.
It is recommended that the terms should include the exact personal data parameters which will be captured, processed, and stored. It should also include guidance about how the data is going to be protected and have brief outline of controls which will ensure that the data is maintained with integrity intact and without loss of unauthorized access or theft.
The organization also needs to provide assurance that the data will not be shared with any other entities without an explicit consent from the customers. The organization should have a well-documented and implemented plan to ensure the safety and security of the personal data which will be at rest within the organizational environment.
Data retention policy and guidelines based regulatory, legal, and other law of the land requirements should be documented and implemented as well.
GDPR Consent Form Download
Step Six – Privacy by Design & Security
Privacy by Design is a concept in GDPR where privacy requirements need to be an integral part of any project from the conceptualization or design stage, which will ensure that we can achieve ‘data protection by default’.
Along with the privacy aspect, the security aspect is also covered in the data protection by default. This is where a “defense in depth” approach would be an ideal methodology looking at controls for data protection from physical security down to data or endpoint security.
Some of the aspects which can be covered in this include:
- Encryption of personal data
- Monitoring of attacks on systems processing personal data – Continuous Compliance
- Vulnerability Assessments
- User Reviews
- Penetration Testing
- Application Testing
Step Seven – Rights of Individuals
Standard Operating Procedures and defined processes need to be identified and implemented to ensure rights of individuals are addressed.
These rights include, but not limited to, the following:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making including profiling
Step Eight – Data Protection Impact Assessments (DPIA)
Post completion of all the above steps, performing a DPIA is a recommended option.
A Data Protection Impact Assessment (DPIA) is a process that will help identify and minimize the data protection risks of a project.
- This should be conducted by an independent organization with expertise in assessing or auditing data protection and data privacy risks.
- The DPO should be consulted in performing the DPIA and would be expected to sign-off on the findings documented in the DPIA.
- In case of critical high-risk findings in the DPIA, there needs to be a concentrated effort to mitigate the same, monitored and guided by the DPO.
- In case any of that cannot be mitigated and may result in a breach the regulatory body needs to be informed. The regulatory body will revert with actions to be taken prior to commencing the processing of data
The above steps are good as starting points in the GDPR journey, however this being a complex and comprehensive regulation, there are multiple nitty-gritties which will vary from organization to organization. There are exceptions which can be used for further optimizing the GDPR implementation.
For a detailed understanding of GDPR applicability for your organization or to perform a Data Protection Impact Assessment (DPIA) with the ControlCase Privacy Experts please contact us at email@example.com.