GDPR: What you need to know
The GDPR regulations, brought in in 2018, introduced a swathe of updates to the protection of Personally Identifiable Information (PII) and new rights for Data Subjects, such as the right to be forgotten. Not only did it introduce more protection requirements, but failing to meet the GDPR compliance regulations can lead to large fines, with sums up to 20 million Euros.
Our resident GDPR experts have outlined the 10 key points that organisations must be aware of when it comes to GDPR compliance.
GDPR Compliance Service
We create a tailored approach for our clients to
a) assess their current standing against GDPR and
b) create and manage their compliance roadmap.
GDPR Compliance – The 10 Things You Need To Know
1. Understanding your PII
Organisations should be aware of what types of PII they hold. PII is any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier. The regulation also adds new types of identifiers, such as location data and online identifiers (e.g., IP addresses), and explicitly covers other categories of sensitive data, such as genetic and biometric data.
2. Where is the PII?
Once you understand the types of PII you hold, taking stock of where that PII may be stored is the next logical step. PII won’t be stored solely in databases. If your organisation deals directly with customers, PII may be stored in CRMs, email inboxes and potentially recordings of phone calls. Not only that, your own staff’s PII will inevitably be stored in various places as well, such as your organisation’s pension supplier’s databases.
3. Where does the PII flow?
The regulation requires that you map where PII is stored and where it is sent. This in itself can be a mammoth task, even for the smallest organisation. The regulation does not stipulate exactly how this is performed. However, automated data discovery is recommended for organisations with a large amount of PII, while organisations that handle a small amount of PII could use methods such as freeform diagrams.
4. How is the PII protected?
The regulation requires organisations to implement technological and organisational protective controls for the PII. It also goes one step further, expressly calling for pseudonymisation and encryption of PII, controls to ensure the resilience of systems and services processing PII, controls that allow organisations to restore the availability of and access to the PII in the event of a breach, and frequent testing of the effectiveness of the security controls.
5. Do you require a Data Protection Officer (DPO)?
Under the regulation, a DPO must be appointed if you fulfil any of the criteria listed within the regulation. For example, a DPO must be appointed if you carry out large-scale systematic monitoring of individuals (e.g., online behaviour tracking). A DPO’s minimum tasks are defined within Article 39, and the regulation also outlines what support the organisation must give the DPO.
6. Do you need to carry out Data Protection Impact Assessments (DPIA)?
A DPIA enables organisations to identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. The regulation again stipulates when a DPIA should be performed and what information it should contain. For example, a DPIA is required if your organisation conducts large-scale processing of special categories of data or of personal data relating to criminal convictions or offences, and it should include a description of the processing operations and their purposes.
7. Rights to the people?
Although GDPR requires the implementation of controls for securing PII, it also introduces a whole new raft of rights for Data Subjects (i.e. the people on whom you hold PII). These rights include the right to access the PII held on them, the right to full erasure, the right to rectification of PII and the right to be informed, to name a few. The regulation also expects organisations to have documented and implemented processes to support these rights.
8. Data Controller or Data Processor?
Data Controllers and Data Processors are not new terms and have been present in older regulations. However, the GDPR regulation outlines responsibilities for both Data Controllers and Data Processors. Deciding whether your organisation is a Data Controller or a Data Processor will be key to how you meet the defined responsibilities. There is an argument, though, that most organisations will be the Data Controller in respect of their own employees’ PII.
9. Do you have incident management?
Under GDPR, all organisations have a duty to report certain types of data breaches to the supervisory authority (in the UK’s case, the ICO) and, in certain cases, to the Data Subjects involved. The regulation also imposes a 72 hour time limit from discovery for reporting data breaches. Your organisation’s Incident Management programme should mirror the regulation’s process for determining what type of breach it is, who it should be reported to and how.
10. Do you have data breach insurance?
Along with the data breach reporting mechanism, the regulation also enforces financial penalties for certain data breaches. These penalties can be as high as either €20m (£17m) or 4 per cent of global annual revenue, whichever is higher. Even organisations with the best intentions of complying fully with GDPR will not be immune to data breaches – no one is. With this in mind, organisations should consider data breach insurance or update their current insurance policies to reflect GDPR penalties.