This is Post 3 in a series of 4 series on the basics of GDPR. Part 1 covered who is subject to GDPR requirements and Part 2 identified GDPR data security requirements. In this post, we’ll look at what the GDPR means for enterprise companies and how they should be preparing for the deadline - May 25th, 2018.
With the enforcement dealine only 6 months away, there are some key questions every organization should be resolving.
What data do you have and where is it stored? You need to assess what kinds of data your organization currently has under its management. This includes identifying all types of personal data including the following; financial information, customer records, employee records, marketing optimization information, etc. Know all the locations this information may be stored, including 3rd-party cloud-based storage.
Many people working outside the IT department will not realize that creating and maintaining an accurate inventory of the structured and semi-structured data scattered across the entirety of an enterprise is very difficult if not impossible to do manually. This task must be automated using tools that can detect unknown data stores and locate personal and confidential data within the data structure based on a variety of pattern recognition techniques. Once found, the information must be classified and assigned a risk profile.
Who has access to the data and can you control that access? A key data protection requirement is limiting access to personal data, which can be accomplished in many ways including data collection minimization and data masking. There will be some users and applications that need access to the live personal data. Identifying those applications and users requires user access controls, user rights management and activity monitoring. Similar to data inventories, these tasks are best accomplished by automated tools.
Common gaps in companies’ access limits are excessive rights granted to use a privileged application or a service account or access rights that have simply accrued over time. This is where technology powered by machine learning can help close gaps and minimize access.
What responsibility do you have for your processors? If you’re a data controller, and you use processors (or sub processors) you need to take steps to ensure that the processors will protect the data you control, in accordance with your GDPR policies. This critical requirement is best addressed by a combination of contracts from your legal team and technology that can enforce limitations on the movement of data.
This is especially important if there is any chance the data could be transferred to and viewed by people outside the EU or a country recognized as having adequate data protections by the EU such as Canada, New Zealand, or Argentina. The full list of countries with adequate data protections is published by the EU here. Even a remote desktop session via VPN violates the data transfer requirements if the person viewing the data is sitting outside the EU or the countries that have been deemed to have adequate protection. You’ll want to have both legal and technical controls in place to monitor and control access to your data.
Chapter V of the GDPR covers transfers of personal data of EU data subjects to third countries or international organizations and mandates organizations that control or process such data to ensure all transfers are done with adequate safeguards in place to protect the personal data of EU subjects. If adequate safeguards are not in place, then the data should not be transferred.
What about data transfers from the EU to the US? A simple question: can your organization control its data if it enters the US? Model contracts and Binding Corporate Rules (BCRs) will help some companies address specific controller-processor relationships. Companies that cannot utilize these contracts rely on the Safe Harbor Framework to provide a legal basis for data transfers to the US. The Safe Harbor Framework was invalidated in 2015, but it was replaced by the EU-U.S. Privacy Shield Framework in 2016.
The Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States. The Privacy Shield Framework utilizes a self-certification format and is open to U.S.-based organizations. Once an eligible organization makes a public commitment (via the Privacy Shield website) to comply with the framework, the commitment will become enforceable under US law.
Although debate still continues as to whether the Privacy Shield Framework will pass muster in the face of a legal or regulatory challenges, as of now it has credibility given that, as of March 1, 2017, 1,750 organizations — including Facebook, Google, Microsoft, Oracle, and Salesforce — have joined the EU-US Privacy Shield and it has been approved by the European Commission.
What to Do First?
GDPR compliance may seem daunting initially, but if you can answer the questions above, you’re already off to a good start. At a high level, your responses will help you build a preliminary plan along the following lines:
- Identify - what kinds of data you have, where it’s stored and its risk profile
- Examine - the data flow and all the access points
- Assess - current protection policies and procedures
- Perform - a prioritized gap analysis to the new requirements
- Identify - technology, processes, contracts, and resources to address the gaps
- Work - back from the May 2018 enforcement date to determine your timeline for rolling out the new elements.
This is just the starting point and is not meant to be a comprehensive list. Visit our blog post on GDPR planning for additional details and a timeline for how to tackle GDPR readiness.
For a free GDPR data security consultation, contact one of our security experts here.