Did you ever try to set up and execute a transformation programme in just 18 months that changes your global processes, involves all divisions, affects most of your supplier and client contracts, and carries the risk of fines as high as four per cent of your global annual turnover?
That is what many are probably facing as they prepare for the General Data Protection Regulation (GDPR), which the EU adopted in 2016 and which applies from 25 May 2018. I can already hear shouts of “But Brexit!” However, if an enterprise offers goods or services to the EU market, or monitors the behaviour of people in the EU, it is still in scope. And now things have gotten even more complex…
What’s the buzz about GDPR?
Given the patchwork of national laws that grew out of the 1995 Data Protection Directive, the EU decided to harmonise standards, increase cooperation between supervisory authorities, and provide clear points of contact. This was backed by a 2015 survey in which 89 per cent of Europeans said it was important to have the same rights and protections over their personal information, regardless of the country in which the entity offering the services is based.
The most important GDPR updates include:
Privacy by design: Processes must be designed for “data protection by design and by default”, which means appropriate technical and organisational measures that implement the data-protection principles, e.g. personal data minimisation, pseudonymisation of personal data as early as possible in the processing chain, and data protection security features built into the design rather than bolted on later.
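Pseudonymisation and minimisation are the two items above that a security engineer actually implements in code. The following is an added example, not code from the original article or from the author: it pseudonymises a constructed customer record for an analytics feed and shows the one mistake practitioners most often make. Hashing an e-mail address with plain SHA-256 is not pseudonymisation, because anyone who can enumerate plausible addresses can reverse it by hashing candidates; an HMAC under a secret key kept outside the analytics environment is reversible only by whoever holds the key, which is exactly the “additional information kept separately” the regulation’s definition of pseudonymisation calls for. The sample records, field names and key handling are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample records for illustration only (not real people).
SAMPLE_RECORDS = [
    {"email": "Alice@example.com", "country": "DE", "birth_date": "1984-03-02", "basket_total": 42.10},
    {"email": "bob@example.org",   "country": "FR", "birth_date": "1991-11-17", "basket_total": 13.37},
    {"email": "alice@example.com", "country": "DE", "birth_date": "1984-03-02", "basket_total": 7.00},
]


def new_pseudonymisation_key() -> bytes:
    """Generate the secret that links pseudonyms back to people.
    In production it lives in a KMS/HSM, never next to the pseudonymised data."""
    return secrets.token_bytes(32)


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the identifier. Looks anonymous but is not:
    low-entropy identifiers such as e-mail addresses are trivially reversed
    by hashing guesses (see guess_identifier)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Deterministic, so joins across records
    still work, but without the key the pseudonym cannot be linked back."""
    return hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: dict, key: bytes) -> dict:
    """Data minimisation plus early pseudonymisation for an analytics purpose:
    drop the direct identifier, coarsen the birth date to a year (enough for
    age bands), and keep only the fields the purpose actually needs."""
    return {
        "subject_id": keyed_pseudonym(record["email"], key),
        "country": record["country"],
        "birth_year": record["birth_date"][:4],
        "basket_total": record["basket_total"],
    }


def guess_identifier(
    pseudonym: str,
    candidates: Iterable[str],
    pseudonym_fn: Callable[[str], str],
) -> Optional[str]:
    """Dictionary attack: an attacker with a list of plausible identifiers
    recomputes the pseudonym for each and compares. Succeeds against the
    unkeyed form; fails against the keyed form unless the key leaked."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonym_fn(candidate), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    feed = [minimise(r, key) for r in SAMPLE_RECORDS]
    for row in feed:
        print(row)
    # Attacker's candidate list, e.g. scraped or guessed addresses.
    guesses = ["bob@example.org", "alice@example.com", "carol@example.net"]
    print("unkeyed reversed to:", guess_identifier(naive_pseudonym("alice@example.com"), guesses, naive_pseudonym))
    print("keyed reversed to:  ", guess_identifier(feed[0]["subject_id"], guesses, naive_pseudonym))
```

Note that the keyed pseudonym is still personal data under the regulation as long as the key exists; what it buys you is that a leak of the analytics feed alone does not identify anyone, and that the key can be destroyed to honour an erasure request for the whole feed at once.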
Right to be forgotten: Data subjects can request erasure if no legal ground or purpose for the processing still exists, or if they withdraw the consent it was based on. A controller that has made the data public is obliged to take reasonable steps to inform other controllers processing it that links to, copies of or replications of the data should be erased.
Data portability: Where processing is automated and based on consent or a contract, data subjects have the right to receive their data in “a structured, commonly used and machine-readable format” and to have it transmitted to a different provider where technically feasible.
Notification in case of data breaches: Unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects, the supervisory authority must be notified within 72 hours of the controller becoming aware of it. Where the breach is likely to result in a high risk, the affected data subjects must also be informed, with recommendations on how to mitigate the risk.
Access and rectification: Data subjects may obtain a copy of their personal data and have inaccurate data corrected, free of charge unless the requests are manifestly unfounded or excessive.
Rules for consent of the data subject: Processing based on consent has been updated. The controller must be able to demonstrate that valid consent was given; existing consent either meets all the new requirements or needs to be renewed. Consent may not be made a condition for the performance of a contract, must be requested in clear and plain language, and must be as easy to withdraw as it was to give. Consent for the processing of sensitive (special category) data must be explicit.
Processing documentation: Data controllers and processors need to maintain processing documentation of various aspects, e.g. representative contact, data protection officer, processing purpose, data categories, data recipients, safeguards in third countries, time limits for erasure, and security measures.
Data Protection Officers (DPO): Necessary in a variety of circumstances. They require expertise, need to remain independent, and shall directly report to the highest management level.
Transparency to the data subject: When personal data is collected the subject needs to be informed about various aspects, e.g. the identity and contact details of the controller, the DPO, the purposes and legal basis, the recipients, international transfers, the storage period, their data protection rights, and whether the data is used for automated decision-making, including profiling.
Data processing risk assessments: GDPR requires a data protection impact assessment for processing operations that are likely to result in a high risk to individuals, so that the risks can be identified and mitigated before processing starts; where a high residual risk remains, the supervisory authority must be consulted in advance.
International transfers to non-EU countries: Have been modified and need to be revisited.
Explicit obligations of data processors: Data processors (those processing on behalf of a data controller) are now directly subject to certain rules, such as maintaining records of processing, appointing a DPO or an EU representative where required, implementing appropriate security measures, and notifying the controller of data breaches without undue delay.
What should be done?
You should extract the detailed requirements from the regulation, check how far it applies to your organisation, perform a gap analysis and launch the most important transformation initiatives.
This could include:
- Review communication channels and appoint the necessary roles
- Ensure proper consent of data subjects
- Update notices, standards and policies
- Verify and streamline your processes:
  - Design processes (privacy by design)
  - Risk assessment and security measures
  - Data subject requests (erasure/portability)
  - Notification and reporting (supervisory authority/data subjects)
- Evaluate your contracts:
  - With your data subjects
  - With your data processors
- Monitor for local GDPR amendments and any updates issued by the European Commission or the European Data Protection Board.
Markus Bekk, CISA, PMP, ITIL Expert is a hands-on professional in IT governance, risk and compliance management, and specialises in sourcing and third-party management. He has delivered numerous transformation, transition and innovation projects and programmes with international players mainly in the financial and insurance industry. Bekk is determined to overcome the gaps between traditional IT management disciplines and distributed, international, agile business requirements.