Today the European Parliament has finally published the General Data Protection Regulation (GDPR) in the Official Journal of the European Union – meaning that this new legislation will formally become law in 20 days’ time. Organizations who handle personal data should be aware of what this will mean to them.
“Keep Calm and Carry On” seems a fitting theme for the finally-published regulation; however, this is only the case if you’re one of the organisations already valuing customers’ data.
An end to complacency?
Unfortunately, for too long, some organisations have “presumed” consent, worked with “implied” permission, experienced data losses which have taken months to detect and report (remember Sony and Target?) and, in some cases such as TalkTalk, have been unable to properly classify which personal data has been compromised. No CEO wants to look as ill-informed as poor Dido Harding, and customers have an absolute right to expect better. So what can organisations do to start preparing for this new legislation?
Firstly, organisations need to evaluate the personal data they have; categorising the data so they are clear where the personal and sensitive data resides and where other less important data sits in the company. Usually, drafting a data flow map will help businesses to understand the pattern of data through the company, provide clarity on who has “eyes on” the data, what skills these people have and, finally, highlight where the data ends up.
Risk based approach
Once organisations understand just what personal data they have, they should then ensure that regular risk assessments are completed in order to understand the degree of threat posed to the company when processing data. Indeed, the GDPR demands a “risk-based approach” with the development of appropriate controls. This should, in a single stroke, ensure that management recognise the dangers associated with the loss, misuse, theft or any other compromise of customer data.
For organisations that pass data onto third parties, there is often a tendency to presume that those third parties operate to high standards of data security and protection. However, the GDPR now states that controllers must only engage with processors who can provide “sufficient guarantees”. Basically, as the data owner, you must check they have effective “technical and organisational measures to ensure the security of the processing”.
There is now also an essential need for organisations to prepare a breach notification plan in the event that something does actually go wrong. If you’re already clear on what type of personal data you manage (categorisation) and where it is (data flows), then this process will be somewhat easier. However, it’s worth being clear on who will co-ordinate the customer communication, the media response and the remedial activity - and make sure you rehearse this so you are well practised when a real incident occurs; consider it a data breach fire drill.
So for today, organisations should absolutely “Keep Calm and Carry On” – whilst the GDPR will officially become law in 20 days’ time, organisations do have a two-year deadline to become compliant with the new legislation. However, it is vital to remember that two years can pass very quickly, and for many a significant amount of time and financial investment will be required.
Christine Andrews is managing director, DQM GRC