Is Your Executive Team Worried About GDPR Compliance? It Probably Should Be.
Under GDPR Not Protecting Personal Data Can be Very Expensive
Most companies today are customer data-driven, collecting, analyzing and storing ever-growing volumes of personal data. If your organization processes the personal data of people in the EU, you will most likely need to comply with the EU’s General Data Protection Regulation (GDPR). Note that the GDPR protects data subjects who are in the EU, not only EU citizens. This means you need to identify, monitor and protect any data that can be used to identify a person. Given that GDPR fines for violations can have a material impact on revenue and profit (for the most serious infringements, up to €20 million or 4% of worldwide annual turnover, whichever is higher), this regulation has to be taken very seriously.
Security and Compliance Professionals Agree: GDPR Will Have a Big Impact
A recent survey of 300 security and compliance professionals by a large international law firm, Baker & McKenzie, found that 84% of those surveyed anticipated that the GDPR would have a significant impact on their organizations in terms of budget expenditures and efforts to comply. Some of the major requirements they are concerned with include customer consent requirements, data security, data breach reporting, appointing a data protection officer (the GDPR’s term, often called a data privacy officer), documentation and accountability, and training, among others. http://bit.ly/2dy9zD9
In my last blog, I explained what the GDPR is and seven fundamental provisions that everyone should be aware of. The objective of the GDPR is the protection of personal data, which in US usage is commonly called personally identifiable information (PII); I use the two terms interchangeably below, but note that the GDPR’s definition of personal data is broad and covers any information relating to an identified or identifiable person, including online identifiers. To be GDPR-compliant, organizations need to begin putting in place policies, procedures and technologies now to ensure they can protect the personal data of people in the EU before the regulation applies on May 25, 2018. This is not a lot of time given the complexity, scale and potential fines associated with the GDPR.
Addressing Four Key GDPR Privacy Protection Requirements
In this blog, I want to discuss four key GDPR PII protection requirements that my company is helping companies address now as they prepare for the GDPR. My company, Teleran, offers a data protection and compliance solution that supports GDPR gap assessments and the four essential data protection requirements I describe below. By way of context, our software continuously monitors access to and use of PII in relational databases. It delivers a “fact-based” process that identifies where a company’s GDPR compliance risks and liabilities exist and what actions are required to bring its PII processing into compliance. In addition, our real-time alerting, access controls and detailed audit reporting support the GDPR’s security, audit, incident response and breach notification requirements.
What follows are descriptions of four of the most challenging GDPR requirements and how Teleran enables your organization to prepare for and meet these challenges.
Purpose Limitation
One of the essential principles of EU data protection law is the “purpose limitation” of personal data, set out in GDPR Article 5(1)(b). It has two main elements: personal data must be collected for specified, explicit and legitimate purposes, and it must not be further processed in a manner that is incompatible with those purposes. Teleran addresses this key requirement by:
- Monitoring and analyzing the access and use of PII to ensure it is limited to the stated purpose only and that no other unauthorized or non-compliant accesses are occurring.
- Establishing PII access policies that enforce purpose limitation. These policies can, for example, allow only specific applications, database users and statement types to access and process a given PII table, and block all other access to that data.
Security and Integrity
Article 5(1)(f), the integrity and confidentiality principle, requires that personal data be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Closely related, Article 32(1)(d) requires a process for regularly testing, assessing and evaluating the effectiveness of those measures, which in practice means documented audits. Teleran addresses these requirements by:
- Monitoring and controlling the access and use of PII to ensure it remains confidential and protected.
- Establishing PII protection policies to prevent unlawful use of the data, unauthorised modification of the data, and destruction or loss of the data.
- Delivering comprehensive data usage audit documentation.
Accountability and Documentation
Article 5(2) makes the controller responsible for compliance with the principles in Article 5(1) and requires that it “be able to demonstrate compliance” with them; in practice, that means documenting the processes and controls that implement those principles. Teleran addresses this mandate by:
- Providing demonstrable and fully documented PII access monitoring audit reports.
- Delivering PII access policy and testing processes to prove that the security measures are effective and GDPR-compliant.
Breach Notification
Article 33 requires that the competent supervisory authority be notified without undue delay and, where feasible, within 72 hours of the company becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; if the notification is late, the reasons for the delay must be given. Article 34 covers notifying the affected individuals (the data subjects): when the breach is likely to result in a high risk to their rights and freedoms, they must be informed without undue delay. The 72-hour period does not apply to Article 34, but that is not a license to wait. Teleran addresses both of these requirements by:
- Identifying and alerting staff to suspected or actual data breaches, so that investigation can begin immediately using Teleran’s forensic audit reports and other means. Because the 72-hour clock starts when the company becomes aware of the breach, early detection is what makes the deadline achievable.
- Documenting the breach activity for purposes of notification and preventing further breach activity or future non-compliant activity.
- Applying additional real-time access control policies to prevent future breaches of this nature.
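The purpose-limitation, security and breach-notification sections above all come down to the same mechanism: compare each access to a PII table against an allowlist of who may do what, and escalate anything destructive or bulk as a possible breach. The following is an added illustration of that mechanism written for this post; it is not Teleran’s code, and the JSON audit-log format, table names, application and role names, and the 1,000-row bulk-read threshold are assumptions chosen for the example. The sample log records are constructed, not real data.

```python
"""Purpose-limitation and breach-candidate checks over database audit-log records.

Added example, not Teleran's product code. Assumptions: the database emits one
JSON object per statement with the fields used below; PII tables, authorised
(application, role) pairs and the bulk-read threshold are illustrative.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy: for each PII table, which (application, database role) pairs may run
# which statement types. Any access not listed here is outside the stated purpose.
POLICY = {
    "customers": {
        ("crm_web", "crm_app"): {"SELECT", "UPDATE"},
        ("billing_batch", "billing_svc"): {"SELECT"},
    },
    "health_records": {
        ("clinic_portal", "clinician"): {"SELECT", "INSERT", "UPDATE"},
    },
}

DESTRUCTIVE = {"DELETE", "DROP", "TRUNCATE"}   # loss/destruction of data (Art. 5(1)(f))
BULK_READ_THRESHOLD = 1000                     # assumed; reads above this look like exfiltration
NOTIFICATION_WINDOW = timedelta(hours=72)      # Art. 33 deadline, counted from awareness


@dataclass
class Finding:
    severity: str   # "violation" (policy breach) or "breach_candidate" (needs incident handling)
    reason: str
    record: dict


def severity_of(stmt: str, rows: int) -> str:
    """Destructive statements and bulk reads of PII are treated as breach candidates."""
    if stmt in DESTRUCTIVE or (stmt == "SELECT" and rows > BULK_READ_THRESHOLD):
        return "breach_candidate"
    return "violation"


def classify(record: dict) -> Optional[Finding]:
    """Return a Finding if the record falls outside the PII access policy, else None."""
    table = record["table"]
    if table not in POLICY:
        return None                      # not a PII table; out of scope for this check
    key = (record["application"], record["role"])
    stmt = record["statement"]
    rows = record.get("rows", 0)
    allowed = POLICY[table].get(key)
    if allowed is None:                  # processor never authorised for this table
        return Finding(severity_of(stmt, rows),
                       f"{key} is not an authorised processor of {table}", record)
    if stmt not in allowed:              # authorised processor, but outside its stated purpose
        return Finding(severity_of(stmt, rows),
                       f"{stmt} on {table} is not permitted for {key}", record)
    if stmt == "SELECT" and rows > BULK_READ_THRESHOLD:   # permitted access, abnormal volume
        return Finding("breach_candidate", f"bulk read of {rows} rows from {table}", record)
    return None


def evaluate(lines) -> list:
    """Parse JSON audit-log lines and return every Finding, in log order."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            f = classify(json.loads(line))
            if f is not None:
                findings.append(f)
    return findings


def notification_deadline(awareness_ts: str) -> str:
    """Latest Art. 33 notification time, given the ISO-8601 UTC time the breach became known."""
    aware = datetime.strptime(awareness_ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (aware + NOTIFICATION_WINDOW).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample audit records (one JSON object per line); not real log data.
SAMPLE_LOG = """
{"ts":"2018-03-01T09:00:01Z","role":"crm_app","application":"crm_web","statement":"SELECT","table":"customers","rows":1}
{"ts":"2018-03-01T09:00:05Z","role":"billing_svc","application":"billing_batch","statement":"SELECT","table":"customers","rows":800}
{"ts":"2018-03-01T09:01:10Z","role":"analyst","application":"dbeaver","statement":"SELECT","table":"customers","rows":52000}
{"ts":"2018-03-01T09:02:00Z","role":"billing_svc","application":"billing_batch","statement":"UPDATE","table":"customers","rows":10}
{"ts":"2018-03-01T09:03:30Z","role":"clinician","application":"clinic_portal","statement":"DELETE","table":"health_records","rows":4000}
{"ts":"2018-03-01T09:04:00Z","role":"crm_app","application":"crm_web","statement":"SELECT","table":"products","rows":300}
"""

if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG.splitlines()):
        line = f"{f.severity:16} {f.record['ts']}  {f.reason}"
        if f.severity == "breach_candidate":
            line += f"  (notify authority by {notification_deadline(f.record['ts'])})"
        print(line)
```

Of the six sample records, the two in-policy reads and the access to the non-PII products table produce nothing; the ad-hoc query tool reading 52,000 customer rows and the clinician deleting 4,000 health records are escalated as breach candidates, and the billing job’s UPDATE is reported as a purpose-limitation violation because that processor is authorised to read customer data but not to change it. Separating “violation” from “breach_candidate” matters in practice: the first feeds the Article 5(2) audit trail, while the second starts the Article 33 clock and needs a human decision about whether the incident is likely to result in a risk to the people concerned.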
GDPR Gap Assessments
Under the GDPR it is essential to be able to demonstrate that your PII data is protected; in fact, organizations need to be prepared to demonstrate their compliance at any time, so preparation should start now. Our firm offers GDPR Readiness Assessments to help companies identify where sensitive structured data resides, who is using it, how it is used, and whether that use is appropriate under the GDPR’s requirements. In addition, to further reduce risk and lower data handling costs, the assessment can help update data retention policies and identify unused or “dormant” personal data so it can be removed, which both reduces future liability and lowers data processing and storage costs.