As GDPR enforcement is only weeks away, European businesses and organisations that deal with personal data covered by the GDPR should work hard to ensure appropriate processes are in place to avoid unprecedented fines. For those still struggling with the challenges of compliance, here is a GDPR compliance checklist to make your life easier. These five steps include some of the UK Data Protection Authority’s (ICO’s) guidance, as well as recommendations based on our experience, both at ELEKS and with our clients.
As a starting point, you will need to take stock of the data you already hold, from location and lifecycles to current compliance status. Once the inventory is specified, you should move on to scoping, which involves clarifying:
When you start to feel like there’s no end in sight to this process, you should move on to analysing the data itself. There’s no need to get too deep into this just yet, at this point you should categorise the information according to the project, that should be enough for now.
Two essential factors to consider are: where did you get the data (source) and what’s your legal basis for having it and processing it? If data has been obtained or kept without solid legal ground, you should consult with a privacy professional as soon as possible to find a remedy.
In general, to perform data inventory, you need to take the following steps:
Now it’s time to dig deeper. Try moving step by step with each category of personal data in your inventory. For each category you need to be able to answer the following:
As an example, you wouldn’t hire a team of three security analysts and set up a 24/7 security operation centre to protect your in-house database if it contains few emails and isn’t connected to the Internet. However, if you process medical records for the whole state and those records are available online, well, you probably should consider this option.
"A practical, risk-based approach is at the core of building GDPR compliance".Legal and Privacy Counsel at ELEKS
How should you correctly determine the level of the privacy risk? Consider actions that could harm the integrity, confidentiality or availability of the personal data. Some examples include accidental or unlawful destruction, a data loss, an alteration, unauthorised disclosure of personal data or access to the private data being transmitted, stored or otherwise processed (remember the recent scandal with Facebook?).
The right tool for discovering and responding to privacy risks is Data Protection Impact Assessment (DPIA). In some cases, it is mandatory under GDPR to conduct such an assessment. The general rule is that if your planned data processing is likely to create high privacy risks, DPIA must be conducted beforehand.
Here are few examples of the high privacy risks:
We recommend running DPIA when the controller is processing based on his/her legitimate interest, rather than consent of the data subject. DPIA should describe the processing activities as well as their purpose and, most importantly, assess the necessity and proportionality of the processing. The fundamental purpose of any DPIA is to find out whether your processing activities will violate the rights of the data subjects.
The security framework is the basis of an organisation’s privacy framework. In addition to governance and legal requirements, Information Security Management System (ISMS) is also critical. To put it simply, governance means that the company and its management recognise privacy is a priority, and as such, has created and implement relevant policies. With respect to legal requirements, generally speaking, you should keep your focus on GDPR principles and data subjects’ rights.
GDPR is believed to be the most advanced piece of privacy legislation that currently exists; however, there are a lot of GDPR myths circulating the Internet regarding data breach reporting. A quick Google search would throw up various sources claiming that any personal data breach should be reported to the Data Protection Authority (DPA) within 72 hours, regardless of whether you know about it. Well, that’s not true!
Here’s the correct breach reporting schema:
There are four main players here:
Let’s illustrate this process with a real-life example:
So, let’s imagine that some attackers hacked DHL's server; however, since the data has been protected with advanced encryption standard, the information is impossible to read. The scenario should look like this: DHL must notify Amazon as soon as the breach is detected. The processor shall always inform the controller as quickly as possible. Amazon then has two choices. Firstly, if Amazon is 100% sure that Alex’s personal data can’t be accessed, there is no sensitive data, appropriate measures were taken to terminate the breach and its consequences, etc., then they can decide not to notify the DPA.
Depending on the individual circumstances of the breach, this course of action may be fully compliant with GDPR. The controller shall notify the DPA only when there is a definite risk to a data subject’s rights. In such cases, the DPA should be notified no later than 72 hours from the moment the controller became aware of the breach. The DPA then may advise, if requested to do so by the controller, whether there is a need to inform the data subject of the incident. So, if Amazon decides to notify the ICO, ICO may instruct Amazon to get in touch with Alex as well. The general rule is that the controller must notify data subjects immediately, but only if there is high risk to data subjects’ rights. The risk is always initially assessed by the controller internally.
The below schema shows the process of responding to a data breach:
This is where a reliable security partner can be of great help, offering expert consulting and compliance services. At ELEKS we understand the key pain points of enterprise security management. Our security services focus on threat prevention, detection and incident response as the top security priorities. We engage the brightest security and legal experts to help you cut security costs, extend your endpoint visibility and prevent attacks in the future.
"To efficiently tackle the challenges of GDPR implementation, enterprises need to understand the full scope of the new processes and policies that need to be adopted, as well as have a clear, actionable strategy in place".Director of Corporate Security at ELEKS
The breadth of knowledge and understanding that ELEKS has within its walls allows us to leverage that expertise to make superior deliverables for our customers. When you work with ELEKS, you are working with the top 1% of the aptitude and engineering excellence of the whole country.
Right from the start, we really liked ELEKS’ commitment and engagement. They came to us with their best people to try to understand our context, our business idea, and developed the first prototype with us. They were very professional and very customer oriented. I think, without ELEKS it probably would not have been possible to have such a successful product in such a short period of time.
ELEKS has been involved in the development of a number of our consumer-facing websites and mobile applications that allow our customers to easily track their shipments, get the information they need as well as stay in touch with us. We’ve appreciated the level of ELEKS’ expertise, responsiveness and attention to details.