What is GDPR?
"The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and it is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy." https://www.eugdpr.org/the-regulation.html
Many organizations are impacted by this new regulation, and many activities are being initiated and implemented to become compliant with GDPR before the enforcement deadline of 25th May 2018. Those who are tasked with implementing GDPR are sometimes bewildered as to where to start and what to do in a practical sense. This article provides guidance by identifying some of the key activities that will take you towards your compliance objective.
Is my organization impacted?
GDPR covers the capture and storage of "Any information related to a natural person or 'Data Subject', that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address."
The regulation applies to "all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location."
What to do if you are impacted by this regulation?
Some of the activities below will apply to you, depending on where your organization is in the compliance journey.
- Appoint a Data Protection Officer. If you are a large organization that systematically processes large sets of data, you need to appoint a Data Protection Officer. Small organizations do not have to appoint one.
- Set up a register of activities that documents your effort at achieving compliance.
- Review the changes introduced by the GDPR legislation with a view to updating your information security policies and guidelines. For example, "Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it." Consent should inform data subjects as to why the data is being requested and what it will be used for. Find the points in your interaction with your customers where consent is collected and update consent notices as required.
- Find and locate all personal data in your organization. This is not as daunting as it seems. You can start by compiling a list of the applications that the various departments use, and confirm it against a similar list from your IT department. A good questionnaire can facilitate this activity. You can then verify the data held by these applications.
- Hire or assign a "Data Architect" or similar role to model an information flow diagram across the organization. This deliverable should contain, at a high level, the source of the data, the processes utilizing it, where it is stored, and which other databases or processes share the data. You need to understand how the purpose or use of the data changes, so that you either declare the purposes at the data capture point or determine when you need to request additional consent from the data subject because you now intend to use the data for purposes other than those consented to.
- Identify the data owners and any data processors. Data owners are from the business; for example, stored marketing information has a data owner who is responsible for the accuracy of the data set and for any changes to it. Data processors may be external organizations you share data with for processing, e.g. payroll agencies. The data gathering questionnaire should contain questions about who owns the data and whether there is any external processing.
- Question or challenge the reasons for retention of all personally identifiable data stored, and review its continued retention in the light of GDPR and company data retention policies. Your data retention policies should reflect the GDPR regulations.
- Implement remediation where necessary and ensure all personally identifiable data is stored securely. Remediation will include deletion of unnecessary data, anonymization, encryption, etc.
- Flesh out processes for complying with personal data rights and other GDPR regulations, and look into ways of implementing them efficiently. For example, a "request to be forgotten" may require the deletion of a data subject's personal information in multiple databases previously identified. Organizations have suggested encryption of personal data and "throwing away" the encryption key as a way of complying with this. There will be many approaches, and organizations must choose what is best for their situation. https://www.eugdpr.org/key-changes.html
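The "throw away the key" approach described in the last item is usually called crypto-shredding. The following is an added example, not code from the article: it keeps one key per data subject in a single key store, encrypts that subject's records under that key wherever they are written (here three in-memory dicts named crm, billing and analytics stand in for real databases), and honours an erasure request by deleting the one key, after which every copy in every store becomes unrecoverable without touching the stores themselves. The cipher is a standard-library stand-in (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) so the file runs without extra packages; a real deployment would use a vetted AEAD such as AES-GCM. All subject IDs and field values are constructed sample data.

```python
"""Crypto-shredding demo: one key per data subject, ciphertext in several stores.

Added example (not the article's code). Key store and data stores are dicts
standing in for real systems; sample subjects and values are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Stand-in cipher so the file needs only the standard library: HMAC-SHA256 in
# counter mode plus an encrypt-then-MAC tag. Use a vetted AEAD (e.g. AES-GCM)
# in production; the point of this example is the key lifecycle, not the primitive.


def generate_key() -> bytes:
    """Fresh 256-bit key for one data subject."""
    return secrets.token_bytes(32)


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the subject key.
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag first; raise ValueError on a wrong key or modified data."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or modified ciphertext")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class PersonalDataVault:
    """Subject keys live in one key store; each record is encrypted under the
    owning subject's key in whichever data store it is written to."""

    def __init__(self, store_names: Iterable[str]) -> None:
        self._keys: Dict[str, bytes] = {}
        self._stores: Dict[str, Dict[Tuple[str, str], bytes]] = {n: {} for n in store_names}

    def store(self, store_name: str, subject_id: str, field: str, value: str) -> None:
        key = self._keys.setdefault(subject_id, generate_key())
        self._stores[store_name][(subject_id, field)] = encrypt(key, value.encode("utf-8"))

    def read(self, store_name: str, subject_id: str, field: str) -> Optional[str]:
        key = self._keys.get(subject_id)
        blob = self._stores[store_name].get((subject_id, field))
        if key is None or blob is None:
            return None  # key shredded or record absent: nothing recoverable
        return decrypt(key, blob).decode("utf-8")

    def records_for(self, subject_id: str) -> int:
        """Ciphertext records still physically present for the subject, all stores."""
        return sum(1 for s in self._stores.values() for (sid, _f) in s if sid == subject_id)

    def forget(self, subject_id: str) -> int:
        """Erasure request: destroy the key. Returns how many records that made unreadable."""
        self._keys.pop(subject_id, None)
        return self.records_for(subject_id)


def demo() -> Dict[str, object]:
    """Walk through store, read, forget with constructed sample data."""
    vault = PersonalDataVault(["crm", "billing", "analytics"])
    vault.store("crm", "S-1001", "email", "alice@example.test")
    vault.store("billing", "S-1001", "account", "CONSTRUCTED-ACCOUNT-REF")
    vault.store("analytics", "S-1001", "ip", "192.0.2.10")
    vault.store("crm", "S-2002", "email", "bob@example.test")
    before = vault.read("billing", "S-1001", "account")
    shredded = vault.forget("S-1001")
    return {
        "before": before,
        "shredded_records": shredded,
        "after": vault.read("billing", "S-1001", "account"),
        "ciphertext_still_present": vault.records_for("S-1001"),
        "other_subject_unaffected": vault.read("crm", "S-2002", "email"),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the example makes visible that the one-line description does not: the ciphertext rows stay physically present in every store after the key is gone (records_for still reports them), so the erasure evidence for the register is the key deletion event, not a row count; and the guarantee only holds if the key store is the sole copy of the key, so backups, escrow copies and logs of the key store must be in scope of the same deletion.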
All these activities must be documented in the register of activities created earlier, in order to demonstrate your compliance efforts in the event of a breach of the GDPR regulations.
‘Yemi Oluleye B.Sc., ACIB, MBA, CISSP, Certified TOGAF
Consulting and Research Director at Y-Digital Technologies