Data breaches and hacks occur every day, so protecting customer data sits at the top of every major corporation’s priority list. As software companies, we are gatekeepers of that data and must ensure our processes and technology are designed correctly, both to maintain our customers’ trust and to comply with the regulations of the countries in which we operate.
Data privacy rules in the EU are changing. From 25 May 2018 the EU will impose stricter rules on how companies handle personal data through the General Data Protection Regulation, or GDPR. Because it is a regulation rather than a directive, it applies directly in all 28 member states without separate national implementing laws, and it will ultimately change how companies may process and store personal data.
After next May, for instance, a company that suffers a personal data breach likely to put individuals at risk must notify the supervisory authority (in the UK, the ICO, the Information Commissioner’s Office) within 72 hours of becoming aware of it, and must inform the affected individuals without undue delay where the breach is likely to result in a high risk to them. The GDPR also requires organisations to keep up-to-date records of their processing so that they can confirm to individuals whether their data is being processed, provide a copy of that data on request, and erase it when the individual is entitled to have it erased.
It is vital to understand the GDPR’s principles and set up the infrastructure needed to comply, or risk steep penalties. The upper tier of fines is up to €20 million or four percent of global annual turnover, whichever is greater, and applies to violations such as processing without a lawful basis (for example, without valid customer consent) or infringing individuals’ rights. A lower tier, up to €10 million or two percent of global annual turnover, covers obligations such as keeping records of processing, notifying the authorities of a data breach and appointing a data protection officer where one is required.
So, what do organisations need to consider? If your company is based in the EU, plans to expand into any of the member states, or processes the personal data of people in the EU from outside it (the regulation applies to anyone in the EU, not only EU citizens, when you offer them goods or services or monitor their behaviour), you’ll need to be prepared. And, even with the UK exiting the EU, it’s likely that we’ll adopt these regulations.
Here are some practical tips to prepare for GDPR compliance:
- Hire a data protection officer
The GDPR mandates the appointment of a data protection officer (DPO) for public authorities and for any organisation whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (such as health data) or data about criminal convictions; many other companies that handle significant volumes of personal data appoint one voluntarily. The DPO’s job is to ensure compliance with the regulation: this person should be an expert on data protection law, educate the company on its obligations, train the staff involved in data processing, and conduct audits. EU guidance recommends that the DPO be located in the EU so that they are accessible to individuals and supervisory authorities. Suffice it to say that individuals with this skillset can be difficult to find: start recruiting as soon as possible!
The DPO should be involved in every aspect of protecting data, from overseeing the entire data protection strategy to ensuring compliance across the organisation. They report directly to the highest level of management, must be given the resources to do the job, and may not be instructed how to carry it out or penalised for doing it. The DPO can be an existing employee or appointed from an external source; however, the role must be free of conflicts of interest, so it cannot be held by anyone who decides the purposes and means of processing, which in practice rules out the entire C-suite as well as the heads of marketing, HR and IT. Furthermore, there will be different requirements, solutions and risks for the various kinds of data the company accumulates, so the DPO may need a team of privacy officers specialising in different types of processing (financial data, HR data, marketing data, and so on).
- Conduct regular privacy impact assessments
A Privacy Impact Assessment (PIA), which the GDPR calls a Data Protection Impact Assessment (DPIA), is a systematic process for assessing how individuals’ personal data is collected, used, retained and disclosed, and whether it is adequately protected. Working with your DPO, carry out the assessment throughout the development lifecycle of a system, and above all before you start collecting the data: the GDPR requires a DPIA before any processing that is likely to result in a high risk to individuals, and it should be revisited whenever the processing or the risks change. Where risks are identified, the GDPR expects you to put measures in place to address them, such as encryption or pseudonymisation of the data, continuity plans and backups so that availability can be restored after an incident, and regular testing that those measures work.
This should sound familiar: organisations should be able to reuse much of their existing security audit and risk management procedures and tooling. Privacy risks and requirements must be added to the mix, though, and remember that if security is about who has access to the data, privacy is about what you do with the data you have access to. Assuming security is good, the main residual risk lies in how you use the data.
- Build the right team
Before the May 2018 deadline, it is critical that your legal, compliance, finance and IT security teams are aligned, so that every current data partner and vendor that processes personal data on your behalf is compliant and the correct processes are in place for contracting future work.
Future vendors must meet the same strict technical requirements for data centre security and encryption, and also comply with your data residency and location requirements. You’ll need your paperwork in order: the GDPR requires a written contract with every processor setting out its data protection obligations, and many companies are writing these requirements directly into vendor contracts. For transfers outside the EU, the mechanisms available include binding corporate rules (BCRs) and, for US recipients, the EU-US Privacy Shield. (Note that the Court of Justice of the EU invalidated the Privacy Shield in July 2020, so any transfer that relied on it needs another lawful transfer mechanism.)
- Toughen data centre security
It goes without saying that you should already have IT security measures in place to prevent data breaches; with the GDPR, however, you must also have the infrastructure to detect an incident, analyse it, notify the authorities within the 72-hour window and recover from it. Securing data in transit (whether file transfers, API calls or data physically carried on a USB stick, which you should avoid) will not be enough. You will also need strong security and monitoring for the data stored internally, including the logging needed to establish what happened and which categories and numbers of individuals are affected, since the notification must describe both.
Overall, your aim should be accountability: protecting your customers (or employees) and earning their trust. Organisations must build solutions that process personal data correctly. These should follow the principles of “privacy by design”, proactively embedding data protection into processes and systems, and “privacy by default”, choosing methods that minimise identifiability, observability and linkability unless the individual chooses otherwise, and the same review should be extended to the processing done by partners and vendors.
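As an added illustration of the “privacy by default” properties above (this is example code written for this edit, not code from the article or from Cornerstone OnDemand), the following Python sketch keeps records for two processing purposes under purpose-specific pseudonyms. The per-subject key, the two purposes and their field allow-lists, and the in-memory dictionaries are assumptions standing in for a real key store and databases. It shows data minimisation (each purpose keeps only the fields it needs), unlinkability (the marketing and HR pseudonyms for the same person cannot be joined without the key), a subject access export, and erasure that also destroys the key so that stray copies of the pseudonymised records can no longer be tied to anyone.

```python
# Added example for this edit, not code from the article: per-purpose
# pseudonymisation with data minimisation, subject access export and erasure
# by key destruction. The purposes, their field allow-lists and the in-memory
# dictionaries are assumptions standing in for a real key store and databases.
import hashlib
import hmac
import secrets

# Privacy by default: each purpose may keep only the fields it needs.
# (Assumed allow-lists for the example.)
PURPOSE_FIELDS = {
    "marketing": {"country", "newsletter_opt_in"},
    "hr": {"country", "salary_band"},
}


class PseudonymisedStore:
    """Holds personal data split by purpose under purpose-specific pseudonyms.

    Identifiability: the only link from a person to their records is a random
    per-subject key, kept in a separate map that needs the tightest access control.
    Linkability: a pseudonym is HMAC-SHA256(subject_key, purpose), so the
    marketing and HR datasets cannot be joined without that key.
    Erasure: destroying the key (crypto-shredding) makes every remaining copy of
    the pseudonymised records, stale backups included, unlinkable to the person.
    """

    def __init__(self):
        self._keys = {}                                   # identifier -> 32-byte key
        self._stores = {p: {} for p in PURPOSE_FIELDS}    # purpose -> pseudonym -> records

    def pseudonym(self, identifier, purpose):
        """Stable within a purpose, different across purposes; KeyError once erased."""
        return hmac.new(self._keys[identifier], purpose.encode(), hashlib.sha256).hexdigest()

    def add(self, identifier, purpose, record):
        """Store one record for one purpose, dropping fields that purpose may not keep."""
        if purpose not in PURPOSE_FIELDS:
            raise ValueError(f"unknown purpose: {purpose}")
        if identifier not in self._keys:
            self._keys[identifier] = secrets.token_bytes(32)
        minimised = {k: v for k, v in record.items() if k in PURPOSE_FIELDS[purpose]}
        bucket = self._stores[purpose].setdefault(self.pseudonym(identifier, purpose), [])
        bucket.append(minimised)
        return minimised

    def export(self, identifier):
        """Right of access: every record held about the person, grouped by purpose."""
        if identifier not in self._keys:
            return {}
        out = {}
        for purpose in PURPOSE_FIELDS:
            records = self._stores[purpose].get(self.pseudonym(identifier, purpose))
            if records:
                out[purpose] = list(records)
        return out

    def erase(self, identifier):
        """Right to erasure: delete the records we can still find, then destroy the key.

        Returns the number of records deleted. Copies we cannot reach (e.g. an old
        backup) keep only pseudonyms that no longer resolve to anyone.
        """
        if identifier not in self._keys:
            return 0
        removed = 0
        for purpose in PURPOSE_FIELDS:
            removed += len(self._stores[purpose].pop(self.pseudonym(identifier, purpose), []))
        del self._keys[identifier]
        return removed

    def is_known(self, identifier):
        return identifier in self._keys


def demo():
    """Walk one constructed subject (not a real person) through the lifecycle."""
    store = PseudonymisedStore()
    full_profile = {"country": "DE", "newsletter_opt_in": True, "salary_band": "B3"}
    kept_marketing = store.add("alice@example.com", "marketing", full_profile)
    kept_hr = store.add("alice@example.com", "hr", full_profile)
    unlinkable = (store.pseudonym("alice@example.com", "marketing")
                  != store.pseudonym("alice@example.com", "hr"))
    exported = store.export("alice@example.com")
    removed = store.erase("alice@example.com")
    return kept_marketing, kept_hr, unlinkable, exported, removed, store.is_known("alice@example.com")


if __name__ == "__main__":
    for item in demo():
        print(item)
```

One caveat a DPO will raise: pseudonymised data is still personal data under the GDPR for as long as the key exists somewhere, so the key map itself needs the tightest access controls and its own audit logging, and deleting the key is what turns leftover copies of the records into anonymous data.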
By Jose Alberto Rodriguez Ruiz, data protection officer at Cornerstone OnDemand