Whether you’re someone managing data or an executive responsible for your data assets, the advent of the GDPR demands attention now. The impact is measured by the severity of the fines, but also from the expectation that all data will be controlled and processed correctly.
In this blog post, we’ve done all the hard work for you. We’ll talk you through the ins-and-outs of GDPR and the steps you’ll need to take in order to improve your data security strategy and become compliant.
The GDPR challenge
First things first, we define the GDPR as a regulation that changes the way companies capture, manage and store information of EU citizens.
To date, the maximum fine handed to organizations under the Data Protection Act (DPA) by the Information Commissioner’s Office (ICO) is £400,000. Two companies have received the record penalty – Keurboom Communications and TalkTalk. Under GDPR, the fines for a data breach will either be €20m ($23.2m) or 4 per cent of global annual revenue, whichever is highest. Had GDPR been in place for the past five years, analysis from Oliver Wyman shows that FTSE 100 companies could have owed up to £25 billion in fines to EU regulators, a run rate of £5 billion a year!
GDPR is structured to simplify data management for global organizations to ensure a process and a means of enforcement. According to a PwC survey, being GDPR compliant is the top data protection priority for 54 percent of US multinationals and one of several priorities for another 38 percent. There are broad definitions of what personal data represents, and along with that come rights on how personal data is accessed, used, stored, protected and deleted. GDPR even says an individual consumer can restrict processing and enforce the right to be forgotten. Moreover, organizations must be able to show the location of data in both systems and geographical sites.
Does ISO 27001 implementation satisfy EU GDPR requirements?
The implementation of ISO 27001 covers most of the requirements of the EU GDPR; however, some controls should be adapted to include personal data within the Information Security Management System (ISMS).
In addition to what is planned for the implementation of ISO 27001, some measures will have to be included in order for an organization, controller or processor (both of them need to perform these activities), to ensure compliance with the EU GDPR, such as:
- Procedures for ensuring the exercise of the rights of data subjects;
- Mechanisms for the transfer of data outside the EU;
- Minimum content of the impact assessment on data protection;
- Procedures to be followed in case of violation of personal data.
All of these measures can be integrated into the Information Security Management System, allowing the guarantee of legal compliance and continuous improvement – even more so if the ISMS and the EU GDPR are aligned.
Controller vs. Processor
According to article 4 of the EU GDPR, different roles are identified as indicated below:
- Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
- Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
So, the organizations that determine the means of processing personal data are controllers, regardless of whether they directly collect the data from data subjects. For example, a bank (controller) collects the data of its clients when they open an account, but it is another organization (processor) that stores, digitizes, and catalogs all the information produced on paper by the bank. These companies can be datacenters or document management companies. Both organizations (controller and processor) are responsible for handling the personal data of these customers.
The controller says how and why personal data is processed and allows the processor to act on the controller’s behalf. If your organization is currently subject to the DPA, it is likely that you will also be subject to the GDPR. For controllers and processors already operating under DPA rules, GDPR extends the obligations and responsibilities of both.
What does your business need to do about GDPR?
GDPR requires you to look at 3 different aspects of your business in order to comply with the regulations – the legal side, the processes you manage, and the data itself. While many people are focusing on the first two, it’s your data that is the basis for any other effort you’re making with GDPR.
Do you know where your data is?
To be able to manage your data properly, you first need to know where it is. And that’s not necessarily easy to determine. Especially in large, complex organisations, there can be many, many places where personally identifiable information (PII) data is stored, each potentially managed by a different region, department or individual.
Even if you think you know where your data is – it’s likely that what you actually know is where your data is supposed to be. An example – you might think you have a database that contains no personal information, because it has no fields for ‘name’ ‘address’ or equivalent information. But what about a ‘description’ field? As soon as someone enters in a note there that includes a phone number – that becomes PII. In most organisations, there are many thousands of these data points, so finding this data, wherever it lives, is impossible to do manually.
Why it’s important to know where your data is
Without knowing where you are storing data, you can’t put the necessary legal and process changes in place for compliance. Establishing data governance rules to ensure that your organization is processing data legally is a crucial part of adhering to GDPR regulations (the ‘legal’ and ‘process’ parts of the solution), and one which relies on having a unified vision of your data.
Under GDPR, you have obligations to provide information to individuals about what personal data you hold on them and how it’s processed. If there’s data lurking that you are unaware of, there’s a good chance you could breach these obligations.
And a key implication of GDPR is the subject’s ‘right to be forgotten’. If a request to erase personal data needs to be dealt with, you need to know where this information is stored across your organization. You can’t delete it if you don’t know where it is.
The 5 steps to managing the GDPR
Still with us? Good! Here comes the important part.
Now that you've got a better understanding of what the GDPR is, it's time to take the next practical steps towards achieving your data security obligations and becoming compliant.
Step 1: Finding your data for GDPR
Determining where all your data is can be a daunting task but the CloverDX GDPR approach can help, with the CloverDX Harvester managing the first step of finding your data. The CloverDX Harvester crawls all your data, and finds where you have PII. Not where you think it is – but where it actually is. The Harvester builds a complete map of where your data exists so that you have a comprehensive view – the first step in being able to establish rules and processes for how your systems work.
How CloverDX Harvester creates a map of your organization's data:
- The CloverDX Harvester profiles your data and finds sensitive information in various data sources
- The Cleaner module can remove explicitly defined entities from the system
- The Pseudonymizer performs the anonymization transformation process
- CloverDX Harvester receives list of sensitive domains and data samples
- CloverDX Harvester profiles database columns and reports statistics on the sensitive matches including weighting scores
- Business Analyst examines and refines results, e.g. excluding false positives
Step 2: Keeping your data useful
Anonymizing your PII is a way of complying with GDPR requirements, but truly anonymized data (let’s say by replacing sensitive information with asterisks) has limitations when using it for analysis. For example, if you’re getting statistical insights about your customers’ geographies, that information can potentially be lost when data is anonymized in this way. The answer can be in pseudoanonymisation – breaking the link between personal info and other data but retaining some of the data’s previous qualities or characteristics. The CloverDX data anonymization engine has been built specifically to address this challenge, and to keep your data usable, allowing you to extend your compliance with GDPR to broader usage of your data – for example sharing portions of the pseudoanonymised data with your software vendors as reliable test data sets.Data Anonymization with CloverDX
Step 3: Managing consent
GDPR is very clear in requiring an affirmative consent to how a subject’s personal data will be used. It also suggests that multiple consents for various uses can be given, and independently withdrawn at any point. Many software vendors are working hard to remedy this issue by putting some consent management into their products. However, GDPR leaves much to interpretation when it comes what the right way of managing consent looks like. Do you need to keep an encrypted record of the consent transaction, signed with a timecode by a trusted 3rd party? Or will simple record in a database suffice?
Either way, the problem quickly grows out of individual applications and become an exercise in managing consent centrally within the entire organization. In many cases this can require additional data connections between applications, sharing the information about where, when and which consent is valid or withdrawn.
Step 4: Executing data rights
With GDPR your subjects are empowered to execute their fundamental data privacy rights, like the right to be erased (forgotten), right of access or right of data portability. We can expect a significant increase of requests like these, calling for automating the process from ground up. Meaning, using the ‘PII map’ for identifying where information about a data subject sits, as well as automating fulfillment of these requests with little to no human intervention.
Step 5: Reporting and auditing
An important part of GDPR compliance includes full reporting, auditing and logging capabilities. Being able to log all manipulations with sensitive data, as well as being able to simply build audit trails for all incoming and outgoing data to identify where it came from and where it is being shipped to, helps to reinforce your compliance.
Solid data foundations
Ensuring you can map and navigate your data landscape is essential for successful implementation of GDPR policy. CloverDX’s Harvester helps you solve the data challenges that need to be overcome in order to ensure that your organization complies with the new requirements.
Start now – contact us for an assessment
As you plan your GDPR policy and implementation, talk to us for a free, no-obligation assessment of your data situation, and advice on what your first step towards GDPR should be.
Editor's note: this blog post has been updated since August 2017 to include more content. Enjoy!