If your organization is like most, you may be freaking out about the upcoming General Data Protection Regulation (GDPR) enforcement date of May 25, 2018. As a CISO, there is a significant role to play, whether you are the Data Protection Officer (DPO) or not. To manage GDPR compliance, I have a strong partnership with our legal counsel — something I strongly encourage to ensure your company meets the requirements of GDPR. Without it, you may risk both damage to your reputation and fines of up to four percent of global revenue.
If you read the GDPR articles, you’ll see that many of the 99 articles are up to the reader to determine the actionable items for their company. There aren’t always clear control points or actions to take, and many articles do not provide a clear understanding of what is truly permissible as it relates to consent, and processing and maintaining personally identifiable information (PII). As such, I’ve done my best to decipher the regulation and have come up with a few key work items that should cover most organizations. In addition to the items I’ve outlined below, I’d also recommend the following resources: (1) GDPR Data Protection Impact Assessment from ISACA and (2) Microsoft’s GDPR Assessment Toolkits.
Although my company is not a large processor of PII, we are a security software development company, and our customers have an expectation that we are GDPR compliant. We process PII in our sales, marketing, and HR departments, as well as logs through our security cloud offerings. Therefore, we’ve had to invest and take the steps necessary to protect our prospect and customer information.
Awareness and training
There is no way that you are likely staffed up or have a dedicated GDPR team (that reports to the Data Protection Officer) to handle all EU PII across your company. As such, you have to raise awareness with the owners of this data and the systems that are used to process this data. If you can get them to understand the requirements of GDPR and how they are impacted, you can often use them to ensure compliance across their respective groups, moving the DPO team into a management and oversight role. (See GDPR Article 39.)
Vendor and data inventory
You can only protect and control what you know about. You need to understand who your vendors are, what is their role as it relates to the processing, maintaining, or storing of EU PII, and if they have adequate controls in place and can attest to those controls. The good thing is that many companies that supply products or services have proactively taken steps to attest to their compliance with GDPR often using updated contractual language (e.g. Data Processing Agreements), publicly available attestation documents, or share the results of a privacy impact assessment (PIA).
In addition to your vendors, you must also understand where PII is and its associated data flows and processes:
- Where does data move?
- Who has access?
- Is there a data owner?
- Are there control points for the data (so you have the ability to secure the data, control access and remove PII on request across your organization)?
All the data flows and custodians of that data — both inside and outside of your company — need to be mapped out, classified (often at the system level), and documented. (See GDPR Article 30.)
Data governance
This doesn’t mean that you are required to have a full-blown data classification and retention project. However, you will need a way to classify data as containing PII. If you don’t need the PII, you might want to consider getting rid of it all together — or limit the time you store the data, at minimum. You can start by focusing on your key systems and roles that contain the majority of your potential EU PII. It would probably make sense to classify all data in these systems as containing PII vs. the individual data elements. In our case, we leverage many SaaS providers for processing our PII, so we have labeled those providers as such. (See GDPR Article 32.)
Develop processes for the right to be forgotten
Now that you have the data inventory mapped out, you should have a clear understanding of the employee roles and systems that contain or have access to PII. It’s now time to develop your processes around the “right to be forgotten.”
The processes to forget EU PII from your systems can be both manual or automated. It really will depend on the ability of your systems to remove this data entirely and your ability to integrate the “right to be forgotten” into your workflow when acquiring, storing, processing, or maintaining EU PII. The key is to document these processes, so you can both prove to an auditor that you have them and also ensure that you can do this consistently moving forward.
In our case, we’ve built some automation in our workflow to take actions when EU employees or our customers onboard or offboard. We’ve also had to create manual processes (where clean technology integrations don’t exist) as it relates to our ingestion of sales lead information (whether that’s someone requesting information from us online or at a tradeshow or conference). (See GDPR Article 17.)
Document your legal basis for processing PII
Article 6 of the GDPR provides six different bases for processing of PII, and they range from express consent from the data subject to processing necessary for a “legitimate interest.” You should assess your data inventory and ensure that you can trace and document a legal basis for processing. For example, for our business and our customers, we rely in part on Recital 49 of the GDPR, which states that certain processing of personal data proportionate to the purposes of ensuring network and information security is a legitimate interest. However, this doesn’t arbitrarily exempt my company or our customers from other provisions of the GDPR, such as rights of the data subject and obligations of the data controller and data processors to implement appropriate levels of security.
Data protection or privacy impact assessments
If you are a service or product provider, you may want to contract with a third party (e.g., law firm) to conduct a Data Protection Impact Assessment or a Privacy Impact Assessment. This is your attestation that you meet the intent of the controls outlined in GDPR and have validated that with an outside expert. Alternatively, you could consider using a self-attestation template from organizations like ISACA (mentioned earlier). This might be especially useful for companies that do not process consumer data. Although it can look intimidating, the template from ISACA really walks the user through the applicable code sections and requirements. (See GDPR Article 35.)
Data processing agreements
These are documented agreements specific to GDPR that speak to the roles (of the vendor or your own) associated with the processing of EU PII, the details of the processing, how you protect the data, access the data, transfer the data, and destroy the data, as well as the rights of the data subjects. (See GDPR Article 28.)
Implement monitoring and response
You need to understand if your PII is being moved to places it shouldn’t be and that your processes for GDPR are actually working. In many audits, you get asked to provide evidence of this and you don’t want to be generating it at time of audit. Additionally, your incident response processes and procedures are something you cannot forget. You will need to develop them or update them to include steps associated with responding to incidents involving EU PII. The lack thereof could have significant ramifications for your company regardless if it’s an incident involving EU PII or another significant incident. There are many companies that provide technology to help you with this, and it would be a sound investment to obtain this capability. (See GDPR Article 33.)
Test your processes and procedures
I think it goes without saying that you don’t want to be in the position of testing your procedures when you’re under the gun of an audit. You need to test your procedures early and often to ensure they are sound and meet the intent of the GDPR regulation. In many companies, technology and people change quite frequently, and you need to ensure that your processes and procedures take that into account.
Although GDPR may appear daunting, difficult to understand, or hard to implement, there are many freely available resources at your fingertips that can help you and your company with organizing information, tracking compliance with specific articles, and overall demonstrating compliance with GDPR. If you focus your attention on the key areas listed above, it should help streamline your processes and accelerate your roadmap to GDPR compliance.