In the run-up to the deadline for EU GDPR implementation, many companies are scrambling to get a list of things they should do now, without trawling through piles of legal work to get to the key action points. Gold n’ Links Europe (‘GnL Europe’) are pleased to present this bite-sized guide to starting off implementation of the EU GDPR.
The UK’s ICO (Information Commissioner’s Office) has issued a short guide, “12 steps to take now”. GnL Europe has merged the ICO’s 12 steps with its own list and presents below what it believes to be optimal for efficient implementation of the EU GDPR.
GnL Europe’s experience has shown that there is no one-size-fits-all solution. The steps below are general and need to be customised for each specific firm. Data security service providers such as GnL Europe offer services to assist firms with the implementation and customisation of all of the below.
1. Inform the board and decision makers
GDPR implementation will need a budget (outside expertise, training etc.), and budget always needs to be approved. The Board and key decision makers need to be made aware of the EU GDPR and its impacts. Mention of the €20m fine may ensure that the topic gets the attention it needs.
Decision makers should usually be informed about GDPR (if they haven’t picked it up already) by the company’s compliance / IT departments/consultants.
2. International – Lead Data Protection Supervisory Authority
Companies that operate in more than one EU member state (i.e. they hold data of residents of more than one EU state), will need to determine their lead data protection supervisory authority. There is guidance available in the EU’s Article 29 Working Party guidelines.
Cross-border activities are an area where most organisations have either not understood their obligations or not understood the scope of work. There will most certainly be a requirement for binding corporate rules (Agreements) and in other instances, input assessments and permissions from regulators.
Companies not based in the EU, but with EU clients, also fall within the scope of GDPR because they process data of EU clients. Such companies should speak to data security service providers specialising in GDPR, such as GnL Europe.
3. Data Protection Officers (DPOs) & Company GDPR working group (committee)
The Board of the Company must allocate someone to take responsibility for data protection compliance and determine where this role will slot in within the organisation’s structure and governance arrangements.
Firms should establish whether they meet the criteria to formally designate a DPO. In some cases, a DPO may be outsourced. Depending on the nature, size and operations of the company – the Company should also establish a GDPR working group. This should at least include the Head of IT, Compliance, Risk Management and a member of the Board. It is further suggested that an external security consultant (e.g. from GnL Europe) is added to the Company’s GDPR working group/committee.
4. Initial Training of staff (and non-executives) on GDPR
The intensity and duration of GDPR training will vary by roles and responsibilities in the company, and such training has a double benefit. Not only is a firm mitigating the risk of a data breach, but staff are also indirectly being educated on their own data rights. (It is understood that such training could also count as CPD hours, which is the third benefit!)
Training and/or the arrangement thereof is a responsibility of the Compliance department. Compliance departments generally need to present summaries of training in their annual reports to the Board and regulators. Data security service providers such as GnL Europe offer training on GDPR at various levels, provide cyber-awareness training, teach staff to apply GDPR from both a policy and technical standpoint, or can recommend some third party providers.
5. Establish a Data Map (data register)
Firms need to create (or update) and maintain a data map. A data map is basically a register documenting the ‘who, what, when, why and where’ of data:
- what personal data is held;
- where it came from (precedents, e.g. external sales teams);
- where such data is stored;
- who accesses it;
- why it is accessed or transferred;
- with whom such data is shared (dependents such as service providers, cloud-based data systems etc.);
- when: timestamps or frequencies would also be useful to add to the data map.
Data maps may be more complex for international companies. An information audit may be required.
It is expected that internal auditors of firms subject to GDPR will need to review the information registers/ information audit. This is a key area that the regulators will be looking for in terms of compliance and due diligence.
6. Data Protection by Design and Data Protection Impact Assessments
GnL Europe recommends that firms execute a full review of relevant policies and procedures, and compare where they are lacking in terms of the following requirements:
- regulations, codes and guides issued by the relevant authority (data commissioner’s office or information commissioner’s office)
- the latest guidance from the EU’s Article 29 Working Party
Following the identification of gaps, firms must put a plan together to fulfil the outstanding requirements. This is key both in terms of due diligence and being able to demonstrate to regulators the firm’s plan to achieve GDPR compliance.
At least the following should be considered as part of the full review:
6.1 GDPR compliance of portable devices
Often overlooked in the data mapping is the use of portable devices, so it is explicitly listed as a separate item.
It is severe enough if a laptop is stolen with a company’s next million-euro plan on it, but GDPR makes that worse if the laptop also holds subject data, risking a fine for the company. Mobile phones, especially those of sales teams, probably hold client data and email correspondence.
Some companies allow the use of USB sticks and other portable devices. Devices get lost or stolen, and according to a study performed in 2015 by an Irish technology provider, ESET, “22,266 USB memory sticks and 973 mobile phones are left in pockets and a staggering 45 percent of the devices never get returned to their owners” (which raises the question: if they were returned, would it be safe to use them again?).
Companies should register how their data gets around and ensure that, if portable devices are allowed, the company has signed an agreement with the employee/sales team specifying rules around the use of the device. It is highly recommended that encrypted portable devices are used, because people are at the end of the day only human: things will get lost or stolen, so the damage must be mitigated.
6.2 Update or implement privacy notices
Firms should ensure that their compliance or legal department/consultants review the Company’s current privacy notices and make amendments in time for GDPR implementation on 28 May 2018.
6.3 Ensure individuals’ rights
Firms must ensure that their procedures cover all the rights of data subjects (individuals), including how the firm would delete personal data or provide data electronically (in the specified commonly used format).
Individuals have at least the following rights according to GDPR:
- to be informed;
- to access;
- to rectification;
- to erasure (commonly termed the “right to be forgotten”);
- to restrict processing;
- to data portability;
- to object; and
- not to be subject to automated decision-making including profiling.
Companies can expect this particular point to be of high risk. After 28 May 2018, individuals may start contacting firms to exercise their rights or report the relevant firms.
6.4 Subject (individual) access requests
Firms must introduce (or amend) procedures to cater for individuals’ access requests, and the firm must have planned how it will handle requests within the new timescales (specified by GDPR) and provide any additional information.
6.5 Lawful basis for processing personal data
Firms must identify the lawful basis for their processing activity in the GDPR, document it and update their privacy notice to explain it. This should probably be reviewed at least annually, or upon changes in business activities etc. This document would be critical in any legal case as to why the firm is processing the data.
Firms must review how they obtain, record and manage consent and whether they need to update any of this to be GDPR compliant. Existing consents must be updated if they don’t meet the GDPR standard. Recording of such consents is critical.
Consent must now be explicit and specific.
Such consents in the experience of GnL Europe are quite comprehensive and will require drafting by GDPR-expert lawyers. Firms such as GnL Europe do boast such lawyers on their team.
6.7 Consent for Children / Minors
Firms must assess if they need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
Details on this are available through local regulatory bodies in each jurisdiction.
Firms handling data of children need to be even more cautious as a case involving data of one or more minors is likely to be tougher than if it is just data of adults. The reputational damage should also be expected to be more severe.
6.8 GDPR compliance of backup systems and suppliers
This is probably also a suitable time to check that the business continuity plans are up to date and GDPR compliant.
6.9 GDPR compliance of data precedents/dependents
Because a chain is only as strong as its weakest link this is a good time to check that suppliers of data, data storage providers and service providers processing data are GDPR compliant (or at least how they plan to be compliant by the deadline). This is another area where agreements and corporate binding rules are critical.
6.10 Data breach reporting procedures
Firms must ensure they have the right procedures in place to detect, report and investigate a personal data breach. The GDPR requires that breaches be reported within 72 hours.
6.11 Manual or automated Data Management?
Companies need to decide if they will be using manual data management tools (traditional) or automated systems (“off-the-shelf”). Each firm needs to assess the pros and cons of each specific to its circumstances.
Firms will probably need to involve technical teams in the implementation, and in the encryption, pseudonymisation or anonymisation of relevant data (depending on the rationale for and use of the data).
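The distinction between pseudonymisation and anonymisation matters for the data map and for breach impact: pseudonymised data is still personal data because the key-holder can reverse it, while properly anonymised data is not. The following is an added example written for this guide, not code from GnL Europe or from any platform mentioned above; the records, field names and the choice of HMAC-SHA256 for the keyed token are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for illustration; these are not real people.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "name": "Alice Example", "city": "Dublin", "age": 34, "spend_eur": 120.0},
    {"email": "bob@example.com",   "name": "Bob Example",   "city": "Cork",   "age": 41, "spend_eur": 80.0},
    {"email": "alice@example.com", "name": "Alice Example", "city": "Dublin", "age": 34, "spend_eur": 45.0},
]

# Fields that identify a person on their own (an assumed list for this example).
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed token for a direct identifier (HMAC-SHA256, truncated to 128 bits).

    Normalising case and whitespace first means the same person always yields
    the same token, so records stay linkable. Because the token is keyed, a
    party without the key cannot confirm guesses from a list of likely e-mail
    addresses, which a plain unkeyed hash would allow."""
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:32]


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Pseudonymisation: direct identifiers replaced by a keyed token.
    Still personal data under GDPR, because the key-holder can reverse it."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = pseudonym(record["email"], key)
    return out


def anonymise_record(record: dict) -> dict:
    """Anonymisation: identifiers dropped and quasi-identifiers coarsened
    (exact age -> ten-year band). No key exists, so nothing can be reversed."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS + ("age",)}
    out["age_band"] = f"{(record['age'] // 10) * 10}s"
    return out


def spend_by_subject(records: list, key: bytes) -> dict:
    """Analytics over pseudonymised data: records are linked per subject
    without the analyst ever seeing an e-mail address or name."""
    totals = {}
    for rec in records:
        p = pseudonymise_record(rec, key)
        totals[p["subject_id"]] = totals.get(p["subject_id"], 0.0) + p["spend_eur"]
    return totals


def reidentify(token: str, known_emails: list, key: bytes):
    """What only the key-holder can do: map a token back to the e-mail that
    produced it. Returns None when no known e-mail matches under this key."""
    for email in known_emails:
        if hmac.compare_digest(pseudonym(email, key), token):
            return email.strip().lower()
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep the key in a separate, access-controlled store
    for rec in SAMPLE_RECORDS:
        print(pseudonymise_record(rec, key))
        print(anonymise_record(rec))
    print(spend_by_subject(SAMPLE_RECORDS, key))
```

The point the data map should capture is that the pseudonymised dataset and its key are two separate assets: a breach of the dataset alone is far less damaging than a breach of both, so the key belongs in a different system with its own access roles, and the data map should record who holds it.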
Platforms offer the following benefits:
- Creation of Privacy Impact Assessments
- Data mapping to document data flows and determination of privacy risk
- Identification of points of integration into business processes
- Setup of triggers for “Privacy By Design”.
- Setup of access roles and define approval workflows
- Identify and prioritize projects and systems that need (privacy) review.
- Some platforms integrate backup, recovery and archiving in a way that combines the data into a single searchable data pool.
Traditional tools offer the following benefits:
- most probably cost less;
- no specialised training, as the tool was created in-house;
- fully customised.
Both have critical issues that need to be addressed.
6.12 Subsequent and On-going Training of staff (and non-executives) on GDPR
After policies and procedures have been reviewed – staff must be trained on the changes! Training should include cyber awareness training, and training on the new tools. Of course, training should be executed on a regular basis to incorporate changes and ensure that new staff are also trained.
7. Penetration testing and vulnerability testing
Naturally, the new infrastructure needs to be tested. Specialist firms such as GnL Europe boast teams specialising in these services.
Based on the experience of GnL Europe, it is believed that for most companies, the Principle (or law) of Parsimony holds true and that the most effective and efficient method is indeed to keep things simple.
From a cyber-security standpoint, Gold n’ Links Europe’s CEO, Mr Timi Moisis believes that grey box testing will generally provide the best value here.
8. EU GDPR implementation; it's not a one-off matter!
The fact remains that no company can ever guarantee that data will never be breached – for a host of reasons. However, it is believed that if a company does everything to mitigate a data breach – the impact (or fine!) can be mitigated.
GDPR is in its infancy, and by no means a mature regulation. There will be teething issues and expectations should be managed. Data protection and GDPR are not one-off issues. They will develop and evolve, and so will the solutions…
About Gold n’ Links Europe (GnL Europe)
The Gold N’ Links team provides a trident of solutions in Homeland Security, Cyber Security and Insurable solutions. Gold n’ Links is founded on decades of battle-hardened, cutting-edge technologies.
Pivoting off experience in Intelligence, Research & Development, Homeland Security, Cyber Security and Warfare, their risk managers bring not only tested and robust but also dynamic and tangible solutions to their clientele.
Gold N’ Links Europe’s core experience is in bringing both qualitative yet quantitative solutions to the European arena, with expertise in Defence, Government, Critical Infrastructure, and Enterprise.
They pride themselves on delivering best-in-business security, with solutions tailored to each client’s specific needs, risks and business operations.