Any organization that handles EU citizens’ personal data, regardless of its location, is subject to GDPR, the 2018 privacy and data protection law in the European Union and the European Economic Area.
Noncompliance with GDPR can result in data processing injunctions, suspension of data transfers and fines of up to 20 million euros — approximately $23.2 million — or 4% of annual global turnover. Due to this, GDPR is shaping data protection strategies worldwide.
GDPR requires a risk-based approach to data processing activities. Though most companies collect and utilize users’ data, security is not necessarily their main activity. However, organizations still need to understand and implement GDPR’s key requirements to ensure compliance. This requires board-level support. GDPR legislation is detailed and requires businesses to change or adapt their current data handling procedures and processes and to find the resources to do so. Following these seven best practices will help smooth the journey toward GDPR compliance.
1. Appoint a data protection officer
Organizations that process or handle large amounts of personal data must appoint an independent data protection officer (DPO) who reports to the board. The DPO’s primary role is to ensure the organization processes the personal data of all its data subjects — including employees, customers, providers or any other individuals — in compliance with applicable data protection rules. This entails educating the organization and its employees about compliance, training staff involved in data processing, maintaining records of all data processing activities and conducting regular security audits. The DPO also acts as the point of contact between the company and any supervisory authorities.
2. Classify all data
To ensure data confidentiality, integrity and availability, an organization has to know what data it has. Conduct a data inventory so stakeholders can better understand the quality and value of the data they are responsible for and classify it appropriately. It is easier to ensure security and privacy controls are adequate and justified when data has been classified and flagged as personally identifiable information (PII).
3. Complete a privacy impact assessment
Before data processing can begin, perform a privacy impact assessment (PIA). The PIA should identify risks that could arise from the collection, use and handling of PII. This is an important component of the GDPR’s privacy-by-design approach to data handling. It is also a valuable exercise that helps build data privacy and security into the design of systems and operations. It will involve input from the entire organization as every department will process, handle or use PII in different ways.
Start by mapping how data flows through the organization, including where and how it is collected; how and where it is used; by whom, how, where and for how long it is stored; and whether it is ever transferred to a third country or an international organization.
While threat modeling will establish security risks for this data, a PIA also requires an assessment of activities to determine the level of privacy risk and identify those that are high risk.
A privacy risk is defined in the following ways:
- a failure to meet an individual’s reasonable expectations of privacy, such as the collection of unnecessary information;
- a failure to obtain user consent for data to be collected; or
- no method for users to opt out or request their data be deleted.
If the PIA shows a high risk to the rights and freedoms of data subjects, GDPR requires a data protection impact assessment for compliance.
4. Document, maintain and enforce privacy policies, procedures and processes
Data inventories and data flow maps need to be kept up to date so the DPO knows what data is being collected and why, how it is used, where it’s stored and secured, how access is controlled and how it will be erased when requested or upon expiration. Documented privacy and data handling policies need to cover the people, processes and systems involved in these activities to ensure data always remains protected and properly handled.
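The data inventory (step 2), the data-flow map and privacy-risk screening (step 3) and the record-keeping the DPO relies on (step 4) can be kept in a structured form that is checked mechanically rather than in a spreadsheet that drifts out of date. The following is an added example, not part of the original article or any particular product: it models one processing activity per record, flags records that contain personally identifiable information using a constructed keyword list, and screens each PII record against the privacy-risk indicators the article lists (unnecessary collection, missing consent, no opt-out or deletion path) plus third-country transfer and missing retention. The field names, the PII keyword list, the escalation rule in needs_dpia and the sample inventory are all assumptions made for the example.

```python
"""Constructed data-inventory screening for a GDPR-style record of processing.

Assumptions (not from the article): the record fields, the PII keyword hints,
the escalation rule in needs_dpia() and the sample inventory are invented here.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Dict

# Hypothetical keyword hints used to flag data items as PII during the inventory.
PII_FIELD_HINTS = (
    "name", "email", "phone", "address", "ip_address",
    "cookie_id", "date_of_birth", "national_id",
)


@dataclass
class ProcessingRecord:
    """One row of the data inventory / flow map for a single processing activity."""
    activity: str
    data_items: List[str]               # field names collected for this activity
    purpose: str                        # documented purpose ("" if none recorded)
    owner: str                          # department accountable for the data
    storage: str                        # where the data lives
    retention_days: Optional[int]       # None if no retention period is defined
    consent_obtained: bool              # whether user consent is recorded
    deletion_method: Optional[str]      # how a data subject can opt out / be erased
    third_country_transfer: Optional[str]  # destination country code, or None
    pii: bool = field(init=False)

    def __post_init__(self) -> None:
        # Classify the record as PII if any data item matches a keyword hint.
        self.pii = any(
            hint in item.lower() for item in self.data_items for hint in PII_FIELD_HINTS
        )


def privacy_risks(rec: ProcessingRecord) -> List[str]:
    """Return privacy-risk findings for one record; non-PII records get none."""
    if not rec.pii:
        return []
    findings = []
    if not rec.purpose:
        findings.append("no documented purpose: collection may be unnecessary")
    if not rec.consent_obtained:
        findings.append("no user consent recorded for collection")
    if rec.deletion_method is None:
        findings.append("no method for users to opt out or request deletion")
    if rec.retention_days is None:
        findings.append("no retention period defined")
    if rec.third_country_transfer:
        findings.append(f"transfer to third country: {rec.third_country_transfer}")
    return findings


# Assumed escalation rule: any of these findings makes the activity high risk,
# so the PIA should escalate to a data protection impact assessment.
HIGH_RISK_MARKERS = (
    "no user consent",
    "no method for users",
    "transfer to third country",
)


def needs_dpia(rec: ProcessingRecord) -> bool:
    return any(f.startswith(m) for f in privacy_risks(rec) for m in HIGH_RISK_MARKERS)


def screen_inventory(records: List[ProcessingRecord]) -> Dict[str, dict]:
    """Screen every record and return a per-activity summary keyed by activity name."""
    return {
        r.activity: {"pii": r.pii, "risks": privacy_risks(r), "dpia": needs_dpia(r)}
        for r in records
    }


# Constructed sample inventory (three activities) for demonstration only.
SAMPLE_INVENTORY = [
    ProcessingRecord(
        activity="Newsletter signup", data_items=["email", "first_name"],
        purpose="send product newsletter", owner="Marketing", storage="EU CRM",
        retention_days=365, consent_obtained=True,
        deletion_method="self-service unsubscribe", third_country_transfer=None,
    ),
    ProcessingRecord(
        activity="Web analytics", data_items=["ip_address", "cookie_id", "page_url"],
        purpose="site usage statistics", owner="Product", storage="SaaS analytics",
        retention_days=None, consent_obtained=False,
        deletion_method=None, third_country_transfer="US",
    ),
    ProcessingRecord(
        activity="Build pipeline logs", data_items=["commit_hash", "build_duration"],
        purpose="CI diagnostics", owner="Engineering", storage="EU object store",
        retention_days=30, consent_obtained=False,
        deletion_method=None, third_country_transfer=None,
    ),
]

if __name__ == "__main__":
    for activity, result in screen_inventory(SAMPLE_INVENTORY).items():
        print(f"{activity}: pii={result['pii']} dpia={result['dpia']}")
        for finding in result["risks"]:
            print(f"  - {finding}")
```

Running the sample shows the pattern the article describes: the build logs carry no PII and need no privacy review, the newsletter record is PII but has consent, a retention period and a deletion path, and the analytics record collects PII without consent or an opt-out and sends it to a third country, so it is flagged for a data protection impact assessment. The same structure doubles as the up-to-date record the DPO needs for step 4, since every field the article asks about (what, why, where, how long, how erased, transferred where) is a required attribute of the record.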
Policies for data collection consent will have a big effect on how data is collected from online forms and cookies. Ensure developers and those who use this data understand how these policies affect them. Policies must also mandate layers of authentication, authorization, accounting and, most importantly, encryption of data both at rest and in transit. Correctly encrypting and handling data collection will significantly reduce fines for a data breach.
Compliance may also require revisions to vendor contracts to include adherence to GDPR requirements, including a clause for periodic audits.
5. Train employees in GDPR
6. Test data breach response procedures
There is a 72-hour limit for notifying a local data protection authority (DPA) of a data breach that could result in harm to data subjects. GDPR mandates affected subjects be notified “without undue delay.” Regularly test breach management procedures and responses to data subject requests to ensure employees can meet these deadlines. They should know how to identify and report a data breach internally, and it should be clear whose responsibility it is to communicate with the DPA and customers.
7. Monitor and audit GDPR compliance
Organizations need to conduct regular audits of privacy protection practices to prove compliance with GDPR. Records of all data that is held, how it is processed, details of any transfer of data to other countries and how it is being protected must be kept up to date. Carry out regular risk assessments to determine if data processing methods, documentation and privacy policies need updating. And, of course, the security of the IT infrastructure needs to be maintained.
Implement GDPR best practices to remain compliant
These seven best practices are the foundation of a solid GDPR-compliant project that safeguards the processing and movement of personal data. However, they are not trivial tasks that can be casually ticked off. Implementing the basic controls needed to meet GDPR requirements won’t necessarily result in an adequate and resilient data handling strategy. Compliance is a continual process, not a one-off activity. Investing in GDPR compliance leads to a more secure IT infrastructure and shows consumers that an organization takes its data privacy and security seriously.