Determine if you are subject to GDPR

The General Data Protection Regulation is a European Union Regulation, and you might believe that the GDPR applies only to companies within the European Union. However, the Regulation extends to all companies that collect or process data in order to offer goods or services to people in the EU, whether or not they are EU citizens. For example, the American-based Facebook must comply if the service is also offered to users within the EU. If none of these apply to you, you may be off the hook. For all others, keep reading.

Learn the basics of data processing

The purpose of the GDPR is to give consumers greater visibility and control over how their personal data is used. The GDPR defines personal data quite broadly compared with the personally identifiable information of earlier legislation. Personal data, in the context of the GDPR, covers a much wider range of information, including social media posts, photographs, lifestyle preferences, transaction histories and even IP addresses.
Many GDPR consultants tout the maximum fine of 20 million euros or 4% of annual global revenue, whichever is greater. The truth is, fines of this scope are reserved for repeated serious violations. Initial penalties will be far lower or, more likely, just a warning. The real risk is that unprepared organisations spend time scrambling to respond to regulator questions, taking precious attention from business goals.

Focus on key GDPR articles

The GDPR spans 11 chapters and 99 articles, yet there are a few foundational articles to focus on first.

Article 30: Records of data processing activities

The records of data processing activities are centred on identifying where personal data are being processed, who is processing them, and how they are being processed. It is important to identify all personal data repositories, not only CRMs.

Article 32: Data processing security

Article 32 states that companies must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. Though the Regulation gives little guidance as to what “appropriate” means, some reasonable measures include installing antivirus software on all devices and identifying and patching known vulnerabilities.

Article 35: Data protection documentation

Article 35 demands that companies identify data processing activities that are especially sensitive and then make sure they take extra security precautions to protect these data. While the Regulation does not explicitly describe when such sensitive data processing is required, a few examples are provided, including data processing involving legal matters such as criminal convictions, data processing utilising new technology, and processing very large amounts of personal data.
The General Data Protection Regulation does not require your company to be “vulnerability free”, nor that you own a particular security solution. The truth is that the GDPR provides few specifics on required security measures. Details will likely be forthcoming in the first few years of enforcement. What is clear is that organisations must make a best effort at protecting personal data and be able to produce documentation to prove such efforts.

Appoint a data protection officer

Not every company needs a Data Protection Officer. Under the GDPR, a DPO is required for all public authorities, for organisations which regularly process personal data on a large scale, and when sensitive data is processed. DPOs are needed by organisations that process personal data as a core part of their business, but not when processing is done only for support activities such as payroll or IT. DPOs are also required for any organisation that captures any form of tracking and profiling on the internet, including for the purposes of behavioural advertising.
The DPO must be involved in all data protection issues, and their key concern is monitoring compliance with the GDPR. To do this successfully they must remain independent. In addition, DPO responsibilities cannot be divided up among multiple individuals. The appointed DPO must be responsible for all the data processing activities carried out by the company.

Oversee all data processing activities

Most companies beginning their journey to GDPR compliance understand the importance of identifying the location of personal data repositories. Many focus too heavily on the most obvious systems, such as SAP, Oracle databases, middleware, Marketo and Salesforce. But these large systems often represent just a fraction of the systems that process personal data. As with an iceberg, the vast majority of applications are often effectively invisible. One of the causes of this invisibility is SaaS applications purchased by business units with little to no involvement by IT. You may not think you have many of these SaaS applications – and personal data repositories – in use. But are you sure? It is critical to be aware of all on-premises and cloud applications in use by your organisation. Without full visibility, any claims of “GDPR compliance” are hollow, create a false sense of security, and expose the company to GDPR audit findings.

Eliminate personal data blind spots

Having accepted that you likely do not have full visibility of on-premises and cloud applications, the next step is to establish systems and processes to eliminate blind spots, shining a light on unknown personal data repositories. Full visibility requires automated, multi-platform IT asset discovery that extends from mobile devices to desktops, and from data centres to the cloud. Effective discovery solutions are able to find and identify all asset types, including SaaS subscriptions, IaaS virtual machines, PaaS containers, mobile devices, data centre applications and virtualised environments.
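A concrete way to start shining a light on blind spots is to reconcile the Article 30 register against sources that IT does not control, such as the identity provider's list of federated applications and the SaaS vendors that appear on corporate card statements: anything seen in those sources but absent from the register is a candidate unknown repository. The script below is an added example written for this article, not code from the original page or from any vendor it mentions. The register entries, SSO application list, expense vendors and field names (owner, lawful_basis, processor) are all constructed for illustration.

```python
"""Reconcile the Article 30 processing register against shadow-IT signals.

Added example for illustration; all data and field names below are constructed.
"""

# Constructed sample: what the Article 30 register currently knows about.
ASSET_REGISTER = [
    {"name": "Salesforce", "owner": "Sales", "personal_data": True,
     "lawful_basis": "contract", "processor": "Salesforce Inc"},
    {"name": "SAP ERP", "owner": "Finance", "personal_data": True,
     "lawful_basis": "legal obligation", "processor": "in-house"},
    {"name": "Jira", "owner": "Engineering", "personal_data": False,
     "lawful_basis": None, "processor": "Atlassian"},
    # Registered, but the record is incomplete for a personal-data system.
    {"name": "Marketing Analytics DB", "owner": "Marketing", "personal_data": True,
     "lawful_basis": None, "processor": None},
]

# Constructed sample: applications federated through the identity provider.
SSO_APPS = ["Salesforce", "sap erp", "Jira", "SurveyTool", "Marketo"]

# Constructed sample: SaaS vendors seen on corporate card statements.
EXPENSE_VENDORS = ["Marketo", "surveytool", "RecruitingCloud", "Jira"]

# Fields an Article 30-style record must carry for any personal-data system.
REQUIRED_FIELDS = ("owner", "lawful_basis", "processor")


def normalize(name):
    """Case- and whitespace-insensitive key so 'SAP ERP' and 'sap erp' match."""
    return " ".join(name.lower().split())


def find_blind_spots(register, sso_apps, expense_vendors):
    """Return {app_name: [sources]} for apps seen outside the register.

    Each source list is sorted; the display name is the spelling from the
    first source in which the app was seen.
    """
    known = {normalize(entry["name"]) for entry in register}
    unknown = {}
    for source, names in (("sso", sso_apps), ("expenses", expense_vendors)):
        for name in names:
            key = normalize(name)
            if key in known:
                continue
            entry = unknown.setdefault(key, {"name": name, "sources": []})
            if source not in entry["sources"]:
                entry["sources"].append(source)
    return {e["name"]: sorted(e["sources"]) for e in unknown.values()}


def register_gaps(register):
    """Return (name, missing_field) pairs for personal-data entries that are
    missing a required field; non-personal-data entries are not checked."""
    gaps = []
    for entry in register:
        if not entry.get("personal_data"):
            continue
        for field_name in REQUIRED_FIELDS:
            if not entry.get(field_name):
                gaps.append((entry["name"], field_name))
    return gaps


if __name__ == "__main__":
    for app, sources in sorted(find_blind_spots(ASSET_REGISTER, SSO_APPS,
                                                EXPENSE_VENDORS).items()):
        print(f"not in register: {app} (seen in {', '.join(sources)})")
    for name, missing in register_gaps(ASSET_REGISTER):
        print(f"incomplete record: {name} is missing '{missing}'")
```

Each application the reconciliation reports needs the same triage a registered system got: decide whether it holds personal data, assign an owner, and either record it under Article 30 or retire it. Running the reconciliation on a schedule, rather than once, is what turns it from a one-off audit into the "systems and processes" the article calls for.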
Mobile devices are regulated by the new data protection law, as are all technologies used for the processing of personal data. Not only do these devices hold personal data, they also process information about the user. In addition, they are especially susceptible to being lost, with the potential for GDPR violations.

Build your data processing arsenal

There is no silver bullet to GDPR compliance: no single application you can buy or consultant you can hire. Instead, GDPR compliance takes a combination of people, process and technology.

People. Set up a cross-functional data governance team made up of the DPO, IT leaders and business leaders from a range of functions. This team will own the responsibility for GDPR compliance. They will own the documentation of processes and decisions, develop policy, and regularly review policies, processes and technology choices.

Processes. Once the data governance team has defined what personal data means, they need to share this understanding across the company. In addition, privacy rules must be documented and shared across all lines of business. This protects against violations of the GDPR arising from personal data access by disallowed individuals.

Technology. There are a number of solutions that can accelerate and maintain GDPR compliance including: