GDPR (General Data Protection Regulation) – Quick Facts & Best Practices to address GDPR Compliance, Risk & Security requirements – Part II & III

Hi folks! Welcome back to the combined final part of my GDPR blog series.

In the last post, GDPR (General Data Protection Regulation) – Quick Facts & Best Practices to address GDPR Compliance, Risk & Security requirements, I covered the definitions, facts, scope, responsibility and accountability pertaining to the GDPR. In this article I will review the data breaches, penalties and challenges (Part II) organisations may encounter while attempting to achieve GDPR compliance. I will also highlight key GDPR requirements and best practices to address those requirements (Part III).

And of course, you are welcome again to add your comments and insights to this very important subject.

So, let's talk first about data breaches, penalties and challenges related to the GDPR:

Data Breaches & Penalties:

Under the GDPR, the independent Data Protection Officer (DPO) will be under a legal obligation to notify the Supervisory Authority (SA) of a data breach as soon as they become aware of it (§33). The maximum allotted time is 72 hours in accordance with §55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Individuals have to be notified if an adverse impact is determined. So, what key data points need to be included in the notification to the SA?

• Nature and approximate number of affected records with personal data
• Name and contact details of the Data Protection Officer or other contact point
• Likely consequences of the personal data breach
• Measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects
• Documentation of any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken; that documentation shall enable the Supervisory Authority to verify compliance with §33

Potential Penalties:

• A warning in writing in cases of first and non-intentional non-compliance (you need to prove that it was non-intentional!)
• Regular periodic data protection audits (collection of relevant evidence)
• A fine of up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater (§83, Paragraph 4)
• A fine of up to 20,000,000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (§83, Paragraphs 5 & 6)

Challenges:

• Responding within 72 hours will require significant planning and practice
• Understanding the key requirements regarding the GDPR's applicability to an organisation, including the attestations required from key stakeholders and other involved parties such as 3rd party vendors
• Consideration of the policies, procedures and technology needed to meet the GDPR requirements
• Lack of GDPR experts, knowledge and resources
• Education in data protection and privacy is a critical success factor for the GDPR
• The method and context of communication with the SA (Supervisory Authority)
• Collecting audit evidence from across business units, departments and stakeholders
• The implementation of the EU GDPR will require comprehensive guidance, domain knowledge and, in many cases, changes to business practices
• Enforcement and tracking of implementation by the EU

Part III: In this part I will cover key requirements & best practices to address the GDPR.

Key Requirements (highlights):

Accountability, Policies & Procedures

• Mandatory appointment (in most cases) of a DPO (Data Protection Officer) responsible for data processing
• Evidence of internal documentation on policies & procedures
• Implementation of special codes of conduct

Compliance & Risk Activities

• Measurement of the effectiveness of activities & compliance controls
• Implementation of a risk-based approach for data processing
• Definition of all risks presented by a data processing activity
• Assessment of the likelihood and severity of the risks posed by data processing activities
• Implementation of Data Protection Impact Assessments (DPIAs)

Implementation of Security Measures

• Implementation of controls & processes related to potential security threats & breaches
• Pseudonymisation and encryption as suggested controls
• Regular controls to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services
• The ability to restore the availability of and access to data & services in a timely manner in the event of a security incident
• A process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing

Reporting

• Reporting on the compliance state & metrics of implemented policies, procedures & relevant controls and data protection audit evidence

Best Practices:

Establish

• Involve the stakeholders of your organisation and get their buy-in to successfully implement the GDPR requirements
• Make a checklist of requirements
• Establish and amend organisational policies and procedures to match the GDPR requirements, supporting CIAR (confidentiality, integrity, availability, resiliency)
• Establish a DPO and a GDPR project and accountability team
• Educate the teams responsible for addressing the GDPR requirements

Connect

• Create policy enforcement procedures for compliance requirements
• Implement technologies to prevent and detect security threats
• Operationalise risk, security and compliance controls

Scope

• Discover what personal data is collected and how it is used
• Detect and assess changes to risk and security posture in real time
• Analyse both the severity of a data breach and its business criticality
• Scope and calculate the potential financial impact in case of a data breach

Operationalise

• Implement regular automated execution of GDPR controls mapped to the related citations
• Leverage risk and security data for audit planning
• Engage in regular periodic data collection and protection audits
• Accelerate remediation and orchestration through automation

Measure & Report

• Get real-time business insight into the enterprise's compliance, security and risk posture
• Track the status of audit, compliance and remediation tasks at the business service, risk, security and impact level
• Quickly review the business services that are the most out of compliance
• Identify the areas most under duress and determine whether the issue is technical, training or personnel related

Vision

• Align priorities with the business elements that are vital for GDPR compliance
• Enhance security and risk management resources through education
• Optimise costs and productivity from lessons learned
• Establish resiliency procedures through post-data-breach and security incident activities
• Create dedicated knowledge base articles to help responders take care of repeat issues quicker and predict potential future threats/breaches
• Join the established and relevant Information Sharing and Analysis Centers (ISACs) for your organisation

Conclusion:

The GDPR is a fact. You have to align your data with the GDPR, and there is not much time left to do so! Familiarise yourself with the GDPR challenges & requirements while collecting and utilising personal data. Map those to your organisational policies & procedures. Understand the impact. Educate and train your people. Get professional guidance. Evaluate technologies that can help you. Implement best practices. Just do it!

Learn more at www.servicenow.com/grc