It’s months past when the EU’s General Data Protection Regulation (GDPR) went into effect, and many are wondering, “Where are we now?” Among the many aspects of the GDPR talked about at today’s Infosecurity North America conference, Nashira Layade, SVP, CISO at Realogy Holdings Corp., and Elena Elkina, partner at Aleada Consulting, spent a bit of time focusing on data-subject requests.
In particular, one of the three types of data-subject requests is the right to be forgotten, which in itself can be tricky, Layade said. “Understanding where the data is will help you with data-subject requests, but the right-to-be-forgotten request means that you also have to look at the requirements on how long you are supposed to hold onto that data. Always check with your legal team to make sure you are complying with all of the regulations.”
It’s also key to understand the 30-day-response requirement. The data-subject request demands a response within 30 days, but that doesn’t mean that the activity will be carried out within those 30 days, according to Layade.
Certainly there will be situations where an organization may need more time to act, which is something that should be discussed with legal. Either way, the response has to be delivered in the designated time frame.
As more regulations and legislative acts are brought forth, complying with all of them could feel overwhelming. Usually, though, compliance with one will cross over and lead to compliance across the board. “I would not focus on a regulation-by-regulation basis, because you are going to drive yourself crazy. What is your organization’s risk profile? Start there,” Layade said.
For some organizations, GDPR has had little impact on their data privacy impact assessment practices. Layade said that her organization has two different processes for risk assessment, which include the technology side and the data side.
“GDPR didn’t change anything for us because we do impact assessments on a six-month basis. For those who are just starting out on the journey, though, you should consider evaluating certain GRC [governance, risk and compliance] tools that automate your privacy impact assessments. Those assessments should be automated to increase efficiency and make the process more streamlined and easier to implement,” Layade said.
“If you are just implementing, think about the goal of why these regulations were even required by regulators. If there is potential for high risk, you need controls. Assess your product and your business processes. Don’t just think about products. Think about the process as well,” Elkina said.