On 14th April 2016 The European Parliament gave final approval to the enactment of the new EU Data Protection legislation, reforms that will replace the 1995 Data Protection directive was devised before internet use became widespread.
These changes, combined with the increasing risk of cybercrime, mean it is critical for data protection to be at the top of the boardroom agenda. We know that the issue of a data breach is a key concern for business continuity professionals, as the 2016 Horizon Scan Report placed it at number two on a list of top continuity concerns. Here are some the steps organizations can take to stay ahead of the reforms taking effect in 2018.
1. Get the Board On-Board
Board buy-in is key to getting the resources and support needed to adequately address new Data Protection obligations. Ensure the impact of the new requirements is understood both operationally and financially.
2. Train up a Data Protection Officer (DPO) now
While SMEs are exempt from the obligation to appoint a data protection officer, all other organizations will be required to appoint a DPO, who is responsible for compliance with the General Data Protection Regulation (GDPR). With widespread reports of shortages of suitably qualified DPOs in the EU, organizations may want to consider training up an individual to act as its DPO in advance of the GDPR or should consider engaging a qualified third party DPO on an outsourced basis.
If your business is outside the EU, plan to appoint a data protection representative who is based in the EU to address the heightened European obligations.
3. Scope your data now
Organizations need to develop a comprehensive understanding of the scope of their environment, including the types of data held and their sensitivity. Likewise, they need to fully understand the flows of personal data within their company and identify any potential for breaches.
4. Look at what data you process - create an information management policy and data registers/flows
Knowing and having up to date data sources will help to ensure its confidentiality and assist information security practitioners in applying appropriate defense techniques. An information management policy is the roadmap for how data and information is captured in an organization. It should describe how data is collected, collated, captured and analyzed as well as define data flows and the roles of each person in the information management cycle.
5. Be prepared to act fast if breached
GDPR will require that organizations notify their national authority within 72 hours after a breach where there is a significant risk to data subjects. Organizations need to prepare a response plan now to ensure they can react to the incident itself while notifying data subjects and regulators within a compliant timeframe.
6. Review contracts with data processors to ensure that the terms regarding Data Protection are strong enough
If your organization engages the services of a sub-contractor to process personal data (such as a payroll company), then you must ensure data protection standards are maintained. Appropriate security and data protection safeguards must be enforced at a contractual level.
7. Review your internal Data Protection policies and materials
Maintaining and enforcing internal data protection policies and procedures is a requirement under the GDPR. If policies and procedures do not exist, you will need to create these. If your organization already has policies and procedures in place, these will need to be reviewed in line with the new DP regulations to ensure that the updated requirements are accounted for.
An internationally recognized best practice framework for information security management systems like ISO 27001 can be incredibly beneficial in helping you implement the appropriate policies, procedures and controls for the type of information you are handling.
8. Introduce privacy impact assessments to detect data protection risks at an early stage
Another of the key new requirements is ensuring that privacy is built in to all operations involving personal data by default; privacy can no longer be considered as an afterthought. This can be achieved by integrating Privacy Impact Assessments (PIAs) into your existing project and risk management processes. PIAs are a structured process for identifying and minimizing the privacy risks of new projects, processes or policies; they will be essential to ensure and demonstrate compliance with privacy by design requirements.
9. Review all consents received for direct marketing to ensure that they fit within the new definition of consent
When it comes to collecting data, organizations will be required to get explicit consent from data subjects to prove they have given their agreement to process their sensitive personal data. For children under 16 years of age, the child's parent or guardian must consent. The processes and mechanics for data capture may need to be redesigned to include data processing policies in line with the spirit of the regulation which calls for more transparency via icon based privacy notes (which suggest taking an "infographic" type approach for communication of policies to end users).
Organizations, regardless of size or industry, now have two years to adhere to the new EU data protection regulation and should use this time to take control of their data. By taking steps now organizations will put themselves in the strongest possible position to implement the change smoothly and, importantly, with no nasty and costly surprises.