There are fewer than 60 days before the GDPR compliance deadline. By Friday 25 May 2018 organizations must be able to demonstrate that they are compliant or show evidence that they are working towards being able to satisfy the Articles that will govern data protection for the foreseeable future.
So, with the deadline in mind, where should businesses be right now in the process of ensuring cloud workloads will be compliant with GDPR?
Finalizing Controller/Processor contracts
Organizations that originate the collection of personal data (data controllers) and operate in a cloud environment must be able to give evidence that the data they have gathered is protected as far as possible in all instances of transit, storage and processing.
It’s commonplace for organizations to use a chain of third parties to host and process data – the cloud being an obvious example. As a Data Controller you should now be at the final stages of formulating the contracts that will commit your Data Processors (such as your cloud hosting service) to handling your data to your defined standards of security, geographic location and access required by the GDPR.
Part of this should include setting up a system of audit to actively monitor your Data Processors and ensure that they are continuously meeting your GDPR requirements.
This oversight should include visibility into the activities of your Processor through review of policies and defined audits, insight into any sub-processed functions that the Processor may be performing, and assurances that those sub-processed activities are themselves compliant with the Controller’s needs. It’s also important that the contract identifies the types of personal data that will be in scope, the audit bodies agreed for use, and the procedure for informing the Controller if the Processor suffers a breach of the data or of the terms under which it is being processed.
Your Data Processors should be fully engaged with you at this stage, demonstrating through their own compliance procedures how they align with what you need to ensure you meet your GDPR obligations.
Educating the organization on its data protection responsibilities
The GDPR is much more than a tick-box compliance exercise that can be contained within audits and contracts. It requires a full commitment by every organization to build data protection into its culture and all aspects of its operations, from Support through Accounting to Product Development. The GDPR is not specific to IT; it must permeate every part of the organization so that a data protection culture is built.
By now your employees should be aware of the impact of the regulation changes on their daily work processes and responsibilities. Departments will be affected in different ways and to different degrees: some will have been living and breathing the regulation for several years, for others it may be new. But being data protection-aware is no longer optional, it’s critical and regulated.
An ongoing continuous program of education – from induction through regular refresher sessions – is essential. Part of this process should include furnishing employees with their own data privacy notice, informing them of the way in which their employer will manage and safeguard their personal information. This will help make data awareness relevant for everyone from the Chairman of the Board to the customer service team and beyond.
Wrapping up data mapping, risk and access reviews
By this stage, you should know what data you hold, why you hold it and where it’s located. You should have established the level of risk associated with that data and the levels of access permitted to it in the course of operations, and have mechanisms in place to measure and oversee the effectiveness of those controls. The flow of data through your organization should be clearly understood, with systems in place to identify any change in data flow that might raise the risk to that data.
Modifications to applications, services or procedures should be evaluated through the PIA and DPIA processes described in the GDPR and overseen by your organization’s Data Protection Officer (DPO). Linkage between your DPO and your Processor’s DPO should be in place at this stage, with processes to ensure that Data Subject queries are handled correctly and that program oversight is functioning as intended.
Data protection impact assessments (DPIAs) should have uncovered any high-risk data, and strategies should be under development to mitigate that risk to an acceptable level. The level of access employees have to data should also have been reviewed, applying the principle of limiting access to the minimum number of people required for operations.
Locking the doors on EU data stores
The separation and restriction of EU citizens’ data, plus confirmation of its secure geographic location, should be in its final stages. This ties in with the point above about data controllers and processors and is particularly relevant to the cloud. Controllers need to know that data pertaining to EU citizens is locked down to that geography and will not be inadvertently accessed by staff from other territories.
Processors must commit contractually to meeting and sustaining that requirement. For entities that utilize cloud services, it is also important to verify that the proper legal data transfer mechanisms are in place. If your Data Processors are not actively engaging with you on this and all other data protection issues by this stage, you need to start asking questions.
Appointing and embedding the Data Protection Officer
If your organization is a public body, systematically monitors data subjects on a large scale, or handles special categories of protected data, you must employ a Data Protection Officer (DPO) who reports to the highest level of the organization. By now your DPO should be in position, fully resourced and supported to lead your GDPR compliance program.
Even if you do not officially need to appoint a DPO under the terms of the regulation, you will need to ensure that you have sufficient staff with designated responsibility for ensuring compliance. There appears to be a shortage of qualified data protection specialists in the UK at the present time, which is not surprising. One alternative is to consider appointing a third party specialist to assist in your GDPR compliance activities.
As we approach the run-in to zero day, these are the kinds of activities that should be well under way for businesses that are on track. For organizations that are less well-prepared, the key at this stage is to be able to demonstrate that you are at least working towards compliance.
Remember, 25th May is just the start of a continuous commitment to improving data privacy for everyone, and the work will continue.
Frank Krieger is VP of governance, risk & compliance at iland