When it comes to expectations around the necessity for securing and protecting customer data, the EU General Data Protection Regulation (GDPR) is very clear. What isn’t quite as clear is exactly how organizations should go about securing their data. We don’t know what to expect when it comes to GDPR enforcement, and some regulations are left up to interpretation as to how organizations should design their strategy. Also, the path to compliance will probably be different for everyone, even though the end result will be the same.
We are six months away from the GDPR compliance deadline of May 25, 2018. This means that organizations need to start evaluating their key processes, now, and work to assess their level of risk based on these seven key GDPR principles:
- Lawful, fair and transparent processing – this principle emphasizes transparency for all EU data subjects. When the data is collected, it must be clear as to why that data is being collected and how the data will be used. Organizations also must be willing to provide details surrounding the data processing when requested by the data subject. For example, if a data subject asks who the data protection officer is at that organization or what data the organization has about them, that information needs to be available.
- Purpose limitation – this principle means that organizations need to have a lawful and legitimate purpose for processing the information in the first place. Consider all the organizations that require forms with 20 fields, when all they really need is a name, email, shipping address and maybe a phone number. Simply put, this principle says that organizations shouldn’t collect any piece of data that doesn’t have a specific purpose, and those who do can be out of compliance.
- Data minimization – this principle instructs organizations to ensure the data they capture is adequate, relevant and limited. In this day and age, businesses collect and compile every piece of data possible for various reasons, such as understanding customer buying behaviors and patterns or remarketing based on intelligent analytics. Based on this principle, organizations must be sure that they are only storing the minimum amount of data required for their purpose.
- Accurate and up-to-date processing – this principle requires data controllers to make sure information remains accurate, valid and fit for purpose. To comply with this principle, the organization must have a process and policies in place to address how they will maintain the data they are processing and storing. It may seem like a lot of work, but a conscious effort to maintain accurate customer and employee databases will help prove compliance and hopefully also prove useful to the business.
- Limitation of storage in the form that permits identification – this principle discourages unnecessary data redundancy and replication. It limits how the data is stored and moved, how long the data is stored, and requires the understanding of how the data subject would be identified if the data records were to be breached. To ensure compliance, organizations must have control over the storage and movement of data. This includes implementing and enforcing data retention policies and not allowing data to be stored in multiple places. For example, organizations should prevent users from saving a copy of a customer list on a local laptop or moving the data to an external device such as a USB. Having multiple, illegitimate copies of the same data in multiple locations is a compliance nightmare.
- Confidential and secure – this principle protects the integrity and privacy of data by making sure it is secure (which extends to IT systems, paper records and physical security). An organization that is collecting and processing data is now solely responsible for implementing appropriate security measures that are proportionate to risks and rights of individual data subjects. Negligence is no longer an excuse under GDPR, so organizations must spend an adequate amount of resources to protect the data from those who are negligent or malicious. To achieve compliance, organizations should evaluate how well they are enforcing security policies, utilizing dynamic access controls, verifying the identity of those accessing the data and protecting against malware/ransomware.
- Accountability and liability – this principle ensures that organizations can demonstrate compliance. Organizations must be able to demonstrate to the governing bodies that they have taken the necessary steps comparable to the risk their data subjects face. To ensure compliance, organizations must be sure that every step within the GDPR strategy is auditable and can be compiled as evidence quickly and efficiently. For example, GDPR requires organizations to respond to requests from data subjects regarding what data is available about them. The organization must be able to promptly remove that data, if desired. Organizations not only need to have a process in place to manage the request, but also need to have a full audit trail to prove that they took the proper actions.
Organizations should take the necessary time to evaluate risk and be as honest as possible when evaluating their current status. There are a lot more details within each of these requirements, but gaining a basic understanding is an important starting point.