In less than 3 months GDPR will come into force but a recent survey conducted by bluesource, which covered the data archiving activities of senior IT staff, across 150 UK medium to large organisations revealed that 70 per cent do not possess effective processes and systems to swiftly submit data to regulations, meaning that they are at risk of being fined under GDPR. To make sure you are better prepared to cope with the demands of GDPR compliance, Mike Small, Senior Analyst from Kuppingercole breaks down the 5 things you need to know about GDPR.
1. Discover the PII data
The first and most important step is to discover the Personally Identifiable (PII) Data that is held in your IT systems. This data is likely to be distributed across systems, applications and directories, and some may be held in unstructured form. Until you have found this data you cannot implement appropriate controls or test that they are working. Some tools such as DLP (Data Loss Prevention) which can scan databases, shared drives and endpoints could help to find this data.
2. Control Access
It is the responsibility of the Data Controller and the Data Processor to ensure that PII data is only accessed in accordance with the consent given by the data subject. This requires that there must be controls over access to the data and that these controls must both enable authorized access and prevent unauthorized access. The controls must also allow for requests from the data subject to see and correct any data held on them. The controls must cover application access to structured data as well as individual access to unstructured data held in spreadsheets, documents and emails. They must also limit the way in which the data can be aggregated.
3. Manage consent
Where the consent of the data subject is required for processing, this consent must be freely given, informed, and unambiguous for each purpose. Consent may be withdrawn by the data subject at any time. Applications that collect PII may need to be revised to ensure that these requirements are met. The burden of proof for demonstrating consent lies with the Data Controller / Data Processor. Therefore, organizations must have processes and technology to track the consent lifecycle for each data subject and purpose potentially at the data field level. Access controls to the data must be linked to this consent.
4. Manage cloud services
The above also apply where data is held or processed in cloud services. CASB (Cloud Access Security Brokers) sometimes in conjunction with DLP solutions provide the ability to detect and control what data is moved to cloud services and to control access to that data, through encryption for example. Where cloud services are used, it is essential that the CSP (Cloud Service Provider) is made aware of the fact that its service is being used to hold PII. It is also important to ensure that the service is certified for this purpose, for example to ISO/IEC 27018.
5. Prepare for a data breach
The regulation requires that when a data breach is discovered that must be notified to the local supervisory authority within 72 hours and to the data subjects without undue delay. For this to be achieved it is essential that the organization has a prepared and tested data breach process and plan.
6. Implement Privacy Engineering
This is an approach, outlined in NISTIR-8062, amongst other places, to the design and implementation of data processing systems to ensure that they reliably meet the requirements for processing personal data in a trustworthy and compliant manner. Like security, it is difficult to reverse engineer privacy into existing systems that were designed without this in mind. However, the design and implementation of new applications handling PII should follow this approach.
To read more about GDPR check out A CIO’s Guide to GDPR.