The EU General Data Protection Regulation (GDPR) takes effect on the 25th of May 2018. That may seem far away, but given what the regulation actually entails, it is not much time at all. Start preparing your company now, get your systems in place, and avoid a last-minute rush and pressure on staff.
So what exactly is the EU GDPR?
The new EU GDPR is one of the most substantial security initiatives in many years and has implications for both the public and private sectors in Europe. The EU GDPR covers many things, but the overall theoretical framework behind it is that it is considered an exercise in confidence. This exercise in confidence entails the registered party "lending" sensitive data to the data controller, and the data controller acknowledging that confidence by taking care of the data, and by always being able to explain, in a meaningful and understandable manner, the purpose for which the information is to be used. It is this explanation of purpose that has not always been standard practice in the past.
The EU GDPR contains many requirements on how businesses shall process and protect personal information. The many requirements set out in the regulation will call for new forms of cooperation between different departments in a firm, such as legal, IT and management.
A correct implementation first and foremost requires the correct administrative understanding and prioritisation of the task. It involves setting requirements for your own organisation's handling of sensitive information. It also involves setting out requirements for the organisation's suppliers and for the systems they use for data processing. For many, the task of keeping the sensitive information they handle safe is nothing new. What is new is that the EU GDPR requires you to be able to describe how you intend to keep data safe before you go about doing it. Then, it must be possible to show ongoing compliance with your own policies, procedures and guidelines. Certain private companies and most public agencies will also be required to appoint a Data Protection Officer.
What do you need to do?
The important stages of compliance can be split into seven phases and it is vital for companies to understand each phase and what they can do to streamline their procedures within each:
Phase 1 is the identification phase. In this phase, you need to define what your organisation's core activity actually is. This encompasses such things as a mapping of all the company's data: where is the data, who has access to the data, and in what processes is the data used?
Phase 2 is Gap Analysis. The results of the identification phase are compared with the requirements set out in the EU GDPR so that it is clear what gaps the organisation has with regard to complying with the regulation.
Phase 3 is Privacy Impact Assessment (PIA). A PIA is a basic assessment of the registered party's level of protection. The purpose of a PIA is that a worst-case scenario for the registered party shall be considered, anticipated and thereby avoided.
Phase 4 is the implementation phase. At one end of the scale, there will be organisations that come under the EU GDPR in which there are either no processes, or only informal processes that are short-lived and dependent on the individual employee. At the other end of the scale, there are organisations that over the years have built up a strong culture of process documentation.
Phase 5 is Contingency Planning.
In cases where a leak of sensitive information occurs, the EU GDPR contains a new requirement that private and public enterprises must inform the relevant authorities. The following information will need to be disclosed:
What types of data were leaked?
How many registered parties does the leak involve?
What are the consequences to those registered parties?
What has been done to ensure that this does not happen again?
Phase 6 is ongoing management, monitoring and follow-up. It is best to use an annual cycle to distribute the tasks of EU GDPR compliance throughout the year, so as not to put staff under pressure at one particular time.
Phase 7 is Awareness. Ensure that all your staff are familiar with their responsibilities. To some this will be new, and time needs to be set aside for education and management.
Contributed by Jakob Holm Hansen, director of GRC consulting, KMD Neupart
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.