How Companies Should Prepare For GDPR

By Rebecca Herold, May 29, 2018 (updated July 5, 2024)

The EU General Data Protection Regulation (GDPR) is an important topic, and one I've been working with since the beginning of 2016. In 2016, the GDPR (which becomes effective on 25 May 2018) was adopted to replace Directive 95/46/EC with a legally binding regulation that constitutes the EU data protection law.

For readers who are not familiar with the massive breadth of topics covered, the following reference listing shows the topics covered within the 11 chapters, consisting of 99 articles with hundreds of specific requirements in total, that make up the law:

  • Chapter 1, General provisions: Articles 1 through 4
  • Chapter 2, Principles: Articles 5 through 11
  • Chapter 3, Rights of the data subject: Articles 12 through 23
  • Chapter 4, Controller and processor: Articles 24 through 43
  • Chapter 5, Transfers of personal data to third countries or international organizations: Articles 44 through 50
  • Chapter 6, Independent supervisory authorities: Articles 51 through 59
  • Chapter 7, Cooperation and consistency: Articles 60 through 76
  • Chapter 8, Remedies, liability and penalties: Articles 77 through 84
  • Chapter 9, Provisions relating to specific processing situations: Articles 85 through 91
  • Chapter 10, Delegated acts and implementing acts: Articles 92 through 93
  • Chapter 11, Final provisions: Articles 94 through 99

While May 25, 2018, the GDPR compliance deadline, may sound like a long time away, it is important for all types of organizations to take some time to determine, first of all, whether they are obligated to comply with GDPR. If they are, they need to establish a realistic timeline for meeting compliance by that date and perform several necessary activities between now and then. So, at a high level, companies should prepare for the EU GDPR as follows:

  1. Determine if you must comply with the GDPR.

Generally, if you have information that can be associated with a specific individual who is in or from Europe, you must comply with GDPR. GDPR compels action from all organizations not only doing business across Europe (including the United Kingdom post-Brexit, along with the European Union and European Economic Area countries), but also all those with workers or contractors in or from Europe. Ask yourself the following questions. If you answer yes to any of them, you most likely must comply with GDPR.

     1. Do you have organizations with offices in Europe?
     2. Do you have workers in Europe (even if they are not there permanently)?
     3. Do you have clients, customers, patients or any type of consumer in, or still a citizen of, Europe?
     4. Does your organization have a website? Do individuals from Europe interact with your organization in any way through the website?
     5. Does your organization provide applications (apps) that people in Europe, or who are European citizens, can use?
     6. Does your organization provide services for organizations with offices or consumers in Europe?
     7. Does your organization have contracted vendors who have workers in, or citizens of, Europe?

  2. If you DO need to comply, establish the details for the following work plan.

     1. Assign responsibilities for GDPR compliance. Establish a leader for the effort, along with team members, including those from the following areas:
        1. Information security
        2. Legal/Compliance
        3. IT
        4. Internal Audit
        5. Physical Security/Safety
        6. Acquisitions & Contracting
        7. Marketing & Sales
        8. Customer Support
        9. Public Relations
        10. Research & Development
        11. A leader from each Business Unit

        This team needs to start meeting now to identify the actions necessary to meet GDPR requirements, and then to execute those actions.

     2. Establish a plan and an ongoing method to inventory personal information (PI). Here is a very high-level plan to get you started.
        1. Determine the definition of PI that applies for your organization.
        2. Identify within an inventory all locations where that PI is collected, stored, transmitted, and accessed.
        3. Establish a method and/or mechanism to keep the inventory updated.
        4. Establish and/or update information security and privacy notices, policies, and supporting procedures and standards, to support GDPR compliance.
        5. Provide GDPR training, and then provide regular refresher and update training at intervals appropriate to your organization, in addition to providing regular awareness reminders.
        6. Identify all your contracted workers, vendors and business partners holding PI of those in, or citizens of, Europe (basically your data processors), and ensure they are taking actions to be in compliance with GDPR.
        7. Establish a PI breach response team and supporting procedures and processes.
        8. Perform a data protection impact assessment (DPIA). Establish a corrective action plan (CAP) to mitigate and close the gaps discovered in the DPIA, and implement any necessary information security and privacy controls.
        9. Identify all your applicable supervisory authorities, along with their contact information and documentation providing guidance on when you should contact them.
        10. Establish and follow a plan to maintain GDPR compliance once it is reached.

  3. If you determine you do NOT need to comply with GDPR, DO NOT just set this topic aside.

If you ever start collecting, accessing or storing PI of those who are in, or citizens of, Europe as part of your organization's activities, you will then need to comply with GDPR. So at a minimum, even if you are not obligated to comply with GDPR at this time, assign a position or person with the responsibility for monitoring PI collection, use, and access, so that you know if and when you must start complying with GDPR.

See more of my advice for EU GDPR compliance, along with more details that go deeper than those provided above, here:

  • Using ISACA Privacy Principles for GDPR Compliance http://www.isaca.org/COBIT/focus/Pages/using-isaca-privacy-principles-for-gdpr-compliance.aspx
  • Webinar on September 28, Noon EDT: How to Perform GDPR Data Protection Impact Assessments http://www.isaca.org/Education/Online-Learning/Pages/Webinar-How-to-Perform-GDPR-Data-Protection-Impact-Assessments.aspx
  • Webinar from April 12, 2017: How will GDPR Impact Incident Response and Data Breach Management? See recording at https://www.brighttalk.com/webcast/15313/252273/how-will-gdpr-impact-incident-response-and-data-breach-management
  • ISACA will publish a DPIA template I created for them on their site sometime in August or September.
    • I will be providing an automated DPIA within my SIMBUS Risk Management platform in the 4th quarter of this year (2017), so check that frequently. Or, let me know (using [email protected]) if you want me to send you a notice when it is available.
  • It's Harder Than Ever to Operate a Globally Compliant Business https://simbus360.com/2017/07/19/its-harder-than-ever-to-operate-a-globally-compliant-business/
  • Webinar: Using ISACA's Privacy Principles to Create an Effective Privacy Program https://www.cpomagazine.com/2016/09/22/webinar-using-isacas-privacy-principles-create-effective-privacy-program/

Rebecca Herold

Rebecca has over 25 years of systems engineering, information security, privacy and compliance experience. Rebecca is an entrepreneur; she is CEO and Founder of The Privacy Professor® consultancy she established in 2004, and is Co-Founder and President of SIMBUS, LLC, an information security, privacy, technology & compliance management cloud service for organizations of all sizes, in all industries, in all locations. Rebecca has authored 18 books, dozens of book chapters, and hundreds of published articles. Rebecca led the NIST SGIP Smart Grid Privacy Subgroup for seven years, was a founding member and officer for the IEEE P1912 Privacy and Security Architecture for Consumer Wireless Devices Working Group, and serves on the Advisory Boards of numerous organizations. Rebecca also serves as an expert witness for information security, privacy, and compliance issues. Rebecca was an Adjunct Professor for the Norwich University MSISA program for many years. Rebecca is frequently interviewed, including regularly on the KCWI23 morning television show, and quoted in diverse broadcasts and publications. Rebecca holds the following certifications: FIP, CISSP, CISA, CISM, CIPT, CIPM, CIPP/US, FLMI. Rebecca is based in Des Moines, Iowa.
