Meeting the deadline for the General Data Protection Regulation (GDPR) in May doesn’t mean your work is done. Preparing for GDPR is an ongoing process of internal readiness with both short-term and long-term tasks.
Despite being birthed by the European Union, this incoming privacy legislation is driven by citizenship—and that’s why Canadian businesses need to be preparing for GDPR, as well. There’s a lot to consider: At first blush, GDPR preparation appears to be a security exercise, but that’s only one component, albeit essential. Ultimately, the new legislation will prompt organizations to think differently about the data they store and process.
Most of all, organizations must realize that meeting the May 25, 2018 deadline doesn’t mean their GDPR preparation is done.
Preparing for GDPR requires transparency
You can’t secure data if you don’t know how it’s stored or how it flows through your organization. Under GDPR, you must know how data moves across different borders within the European Union and beyond. Even if you’ve done a thorough investigation of the data you store currently and how it’s processed, it’s not something you can tick off a checklist. Your data is a living entity. You need to identify where it’s held, how it’s accessed and processed, and its characteristics (for instance, is it sensitive financial data or Personally Identifiable Information (PII)?), and this has to be documented not just once but over time.
Your documentation and data processing activities must be transparent and demonstrate accountability, so make sure you’re evaluating your current data governance practices and policies as part of your GDPR preparation and identifying areas that need improvement.
Be ready for breaches
The reality is it’s not a matter of if a breach will occur, it’s a matter of when, and GDPR provides further incentive to understand where your data is most vulnerable. Not only do you need a process for detecting and investigating breaches, but you need a plan to disclose that personal data has been breached within 72 hours—although GDPR allows for some exceptions. You may want to conduct a fire drill to test the effectiveness of your procedures for data breach response.
It’s also a good time for Canadian organizations to consider the breach notification guidelines being developed under the Personal Information Protection and Electronic Documents Act (PIPEDA), which are, in part, inspired by privacy legislation in Alberta, the first province to have notification provisions.
A key aspect of GDPR is getting a person’s consent to process their data. Even more importantly, you must be able to honour a request to have that consent withdrawn—that’s why understanding how your data flows is so important. Consent under GDPR must be specific, granular, auditable, and easy to understand. For the affected EU citizen, the consent must also be easy to withdraw. While consent is already an existing component of PIPEDA, new requirements under GDPR may require approaching current data subjects and asking permission again to use their data.
The consent aspect reinforces the need for bulletproof record keeping. You must clearly identify your organization to the data subject and be transparent about any third parties who may also have access to their data. You should review your consent process in preparation for GDPR, and do so regularly from now, so you can develop an audit trail to satisfy regulators. You should also keep it aligned with any changes to your data processing activities.
GDPR preparation requires the right people
Under the legislation, public authorities or organizations conducting large-scale monitoring of individuals, special categories of data, or data relating to criminal convictions and offences are required to have a data protection officer (DPO). But even if your organization doesn’t require one, Gartner recommends designating someone to be responsible for data governance, so you can readily comply with GDPR. This person will be the point of contact for the data protection authority (DPA) and data subjects.
Regardless of the size of your organization, it’s also a good idea to retain outside experts—consultants who can help architect a risk assessment framework, manage data privacy, and deploy technology that can ensure compliance. In case of a breach, you should have public relation experts, forensic experts, and legal counsel at your disposal.
Preparing for GDPR means staying prepared. Just as Canada’s PIPEDA was intended to be reviewed every five years since being introduced more than 15 years ago, organizations should expect GDPR to be modified over time. While there are many tasks in the short term to complete to meet the May deadline, you should prepare to integrate your GDPR compliance into ongoing operations. Since customer data is rarely static, understanding where it flows is critical to its protection, regardless of regulatory requirements.
Looking for more information about how you can prepare for GDPR? Check out “Prep for a GDPR audit by building a GDPR compliance checklist” for your ultimate guide to data protection, and learn how you can stay in line with shifting data regulations beyond just GDPR with “Keep pace with the evolving, far-reaching impact of GDPR.”