This is my first blog on the EU General Data Protection Regulation (GDPR), which comes into force next May. There are a lot of scary LinkedIn articles about compliance, but from what I’ve seen most are about selling you a tool once you’re compliant rather than explaining how to get compliant. This is my take on it. Before I begin I’ll give a brief overview of what the GDPR is, and then I’ll concentrate on the start of my journey to compliance.
The GDPR is a Europe-wide law that updates the control of personal data, replacing the individual national data protection laws that mostly came into existence in the early days of the internet. It extends the data rights of individuals and requires organisations to put clear and transparent procedures in place to safeguard the data of EU citizens. The penalties for non-compliance are huge: fines of up to 4% of total worldwide annual turnover, which should be an eye opener and a driver towards becoming compliant. One particular telecom firm that was breached and received a fine of £400k in 2015 could expect a £57M fine under these new rules. That’ll hurt a bit.
To become compliant you need to consider the following things:
- Keep up-to-date documentation of Personal Identifiable Information (PII) processing
- Implement measures of data protection by design and by default.
- Implement appropriate technical measures, policies and procedures to ensure and demonstrate compliance.
- Conduct data protection impact assessments (DPIAs) where appropriate.
Additionally, if your core activity is processing PII you need to appoint a qualified Data Protection Officer (DPO) who will be legally responsible for the whole process. This is not required if processing PII is not your core activity, but it’s still a good idea to appoint one person responsible for data protection who can steer the business. PII is any information that can be used to identify a living human being: names, email addresses (including business email), staff payroll numbers, you name it. It gets more complicated if you’re sending data outside of the EU, so I’ll cover that in a later blog. Another complication is vulnerable people, i.e. kids, and data classed as sensitive, such as health or religious information.
So where do you start?
- Get management buy-in and create a working party.
- Get the working party to identify the PII that is processed within their departments
- Collate this information and create a Personal Data Asset Inventory (PDAI)
- Review the information in the PDAI and ascertain the following:
  - The purpose of the PII
  - The elements of the PII, i.e. name, address, identifier, etc.
  - The owner
  - The reason for the processing under the GDPR fair processing rules
  - Who has access to the data
  - The retention period
  - The sensitivity to disclosure
- Create Data Protection Impact Assessments of high risk data
- Create data mapping flows to illustrate how the data moves and to whom
- Create the necessary policies and procedures to keep you compliant such as Privacy Notices
- Create the necessary procedures for when you have a breach
- Make staff aware of the controls in place to ensure that they don’t create breaches
- Put the technical measures in place to reduce risk such as ensuring all laptops, etc have encryption
The Personal Data Asset Inventory will become central to your control of data. Its intention is to let you see what PII you process, who owns it, who processes it and why you process it. You’ll probably add more information than I’m discussing here, but by creating an inventory you’ve taken the first step towards understanding just how much PII you’re dealing with, and what kind.
I’ll go into further detail on Data Protection Impact Assessments in a later blog, but high risk data includes:
- Evaluation or scoring, including profiling and predicting concerning the individual’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements
- Systematic monitoring of individuals
- Sensitive data
- Personal Data on a large scale
- Data sets that have been matched or combined
- Data concerning vulnerable Data Subjects
- Data transfers across borders outside the European Union
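To make the inventory review and the DPIA triggers concrete, here is an added example (my own illustration, not part of the original post or any tool it mentions) of a minimal Personal Data Asset Inventory in Python. Each entry carries the review fields listed above (purpose, elements, owner, lawful basis, access, retention, sensitivity) plus a set of yes/no flags for the high-risk criteria just listed. The field names, the flag names and the three sample entries are assumptions I constructed for the example; `missing_fields` reports which review fields are still blank, and `dpia_triggers` reports which high-risk criteria an entry meets, so you can see at a glance where a DPIA is needed and where the inventory is incomplete.

```python
"""Added example: a minimal Personal Data Asset Inventory (PDAI) with DPIA screening.

Field names, trigger flags and the sample records below are constructed
assumptions for illustration, not data from the blog post.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PdaiEntry:
    """One row of the inventory: the review fields plus DPIA trigger flags."""
    name: str
    purpose: str = ""
    elements: tuple = ()          # e.g. ("name", "email")
    owner: str = ""
    lawful_basis: str = ""        # reason for processing under the fair processing rules
    access: tuple = ()            # teams or roles with access
    retention_days: Optional[int] = None
    sensitivity: str = ""         # "low" | "medium" | "high" (assumed scale)
    # High-risk criteria that call for a DPIA (assumed flag names)
    profiling: bool = False
    systematic_monitoring: bool = False
    special_category: bool = False
    large_scale: bool = False
    matched_datasets: bool = False
    vulnerable_subjects: bool = False
    transfer_outside_eu: bool = False


# Review fields every entry must have before the inventory is considered complete
REQUIRED_FIELDS = ("purpose", "elements", "owner", "lawful_basis",
                   "access", "retention_days", "sensitivity")

# Flag -> human-readable label for the high-risk criteria
DPIA_TRIGGERS = {
    "profiling": "Evaluation or scoring, including profiling",
    "systematic_monitoring": "Systematic monitoring of individuals",
    "special_category": "Sensitive (special category) data",
    "large_scale": "Personal data on a large scale",
    "matched_datasets": "Data sets that have been matched or combined",
    "vulnerable_subjects": "Data concerning vulnerable data subjects",
    "transfer_outside_eu": "Data transfers outside the EU",
}


def missing_fields(entry: PdaiEntry) -> list:
    """Return the required review fields that are still empty for this entry."""
    missing = []
    for field_name in REQUIRED_FIELDS:
        value = getattr(entry, field_name)
        if value is None or value == "" or value == ():
            missing.append(field_name)
    return missing


def dpia_triggers(entry: PdaiEntry) -> list:
    """Return the labels of every high-risk criterion this entry meets."""
    return [label for flag, label in DPIA_TRIGGERS.items() if getattr(entry, flag)]


def needs_dpia(entry: PdaiEntry) -> bool:
    """An entry needs a DPIA if it meets at least one high-risk criterion."""
    return bool(dpia_triggers(entry))


def screen_inventory(inventory) -> dict:
    """Map each entry name to its missing fields and its DPIA triggers."""
    return {e.name: {"missing": missing_fields(e), "dpia": dpia_triggers(e)}
            for e in inventory}


# Constructed sample inventory (three invented processing activities)
INVENTORY = [
    PdaiEntry(name="HR payroll", purpose="Paying staff",
              elements=("name", "payroll number", "bank details"), owner="HR",
              lawful_basis="contract", access=("HR", "Finance"),
              retention_days=2190, sensitivity="high"),
    PdaiEntry(name="Marketing lead scoring", purpose="Score and rank sales leads",
              elements=("email", "browsing history"), owner="Marketing",
              access=("Marketing",), sensitivity="medium",
              profiling=True, transfer_outside_eu=True),
    PdaiEntry(name="Occupational health", purpose="Workplace health referrals",
              elements=("name", "health records"), owner="HR",
              lawful_basis="legal obligation", access=("HR",),
              retention_days=3650, sensitivity="high", special_category=True),
]


if __name__ == "__main__":
    for name, report in screen_inventory(INVENTORY).items():
        print(f"{name}: missing={report['missing']} dpia={report['dpia']}")
```

Running the block prints one line per entry; the marketing entry comes back with two empty review fields and two DPIA triggers, which is exactly the kind of gap the working party needs to chase before the inventory can be trusted.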
So… first things first: find your PII!