In the past few months, you may have heard a lot about GDPR and how it affects US companies. The regulation is designed to protect EU citizens, which means if you have employees, customers or you outsource data within the EU, it applies to you. Even if your business is located in the US!
What is GDPR?
The EU’s General Data Protection Regulation (GDPR) defines how organizations process, store and destroy data. It comes into effect on May 25th, 2018 and the purpose of the regulation is to protect the data of EU citizens.
GDPR gives people more control over how organizations use their data, and it introduces heavy fines for organizations that don’t comply. The fine is up to 4% of annual global turnover or €20 million, whichever is greater!
How does GDPR apply to IT?
IT plays a critical role in the journey to compliance for GDPR. If you work in IT, then it’s essential that you become knowledgeable about GDPR and IT, and crucially about what you need to do for compliance. The regulation will affect everyone, from Chief Technology Officers to system admins and all levels of seniority in between.
In fact, according to a survey of IT and security professionals in the US by Imperva, 51% said that GDPR would affect their company. It's important for IT to be at the forefront of compliance and IT teams must make a major contribution to the successful implementation of GDPR practices.
However, data protection is not a responsibility of the IT department alone. It needs to be integrated into the entire business by senior management. All departments need to consider how they use data in their day-to-day work, for example, HR needs to ensure that employee records are GDPR compliant and the same applies to marketing and customer data.
I work in IT, where should I start?
There are seven crucial areas that IT departments need to adjust for compliance with GDPR:
1. Collecting, processing and deleting data
The first step to compliance is conducting a full audit of the data in your organization. What data do you hold, where did it come from and who is it shared with?
Firstly, find out where you store data. It could be held in CRM systems, files in your network, in physical document storage, email inboxes, calendars, voice recordings, spreadsheets and lots of other sources. Remember, that data could be held across different regions or offices and it all needs to be taken into consideration.
Whilst you are conducting the audit, remember that any data that is not useful should not be stored. Look for duplicates in the data you hold. Data must be accurate and up-to-date. For all data that you hold, you should be able to clearly identify where it came from and why you store it.
2. Know how to deal with a data breach
No matter what protection you have in place, a security incident may still occur. You need a plan in place that explains what to do if a data loss occurs or if there is a breach. The plan should include how you will communicate the event to the relevant authorities, your data subjects and the wider public.
IT is responsible for preventing, stopping and recovering from a data breach, but you also need to effectively communicate any incidents to the rest of the business, including information on when the breach occurred, the amount of data lost and how it happened.
You should have the ability to identify the source of a breach. For example, a breach could occur as a result of hackers, infected machines, lost credentials, or sharing information on unsafe cloud services.
Once a breach has been identified, the data controller has 72 hours to notify the authorities. With such a short timescale, it’s crucial that you have a plan in place to investigate and report on the breach quickly.
Encryption or tokenization can be used to reduce the risk of data loss in organizations. In particular, encryption technology that encodes data before it is even transferred to a data processor or cloud service can significantly reduce the risk of data loss, because decrypting such data without the key can take a significant amount of time.
The regulation recognizes that if the lost data is ‘unintelligible’ then data subjects do not need to be informed. However, it is best practice to inform data subjects of an incident if their data could be affected.
4. Using data processors
A data processor is a separate legal entity that processes data on behalf of the data controller (that’s you). You may be using more of these than you think; for example, cloud providers, outsourced companies and storage vendors are all considered to be data processors.
Whilst you have an overall responsibility for the data you hold, you must ensure that any processors are aware of their data protection responsibilities to meet the regulation’s requirements.
5. Subject Access Rights
Data subjects can request their data at ‘reasonable intervals’, and you must respond within one month. Can you respond to data requests quickly?
Individuals now have the right to access any information a company holds on them. They can question why the data is being processed, how long it will be stored for, and why. Individuals can ask for their data to be rectified if it is incorrect or incomplete.
They also have the right to request that their data is deleted if it is no longer needed; this is known as the ‘right to be forgotten’.
To streamline the process for both your business and data subjects, information should be stored in commonly used formats (e.g. CSV files). This will make it easy for an individual's information to be collated and moved to another organisation if they request it.
6. Update security data policies and procedures
Under GDPR, you must be transparent about how you collect data, what you do with it and how you process it. Policies and procedures must also be easily accessible and written in plain English.
Are your policies and procedures up-to-date? Are they clear and easy for people to understand, and easily accessible for people who want to read them?
Under GDPR, you must be able to demonstrate that each person has consented to their data being used and for what purpose. It’s crucial to have a record of this consent.
Do you have the required consent from data subjects and a way to record that consent? Consent must be an affirmative action by the data subject. As a controller, you also need to keep a record of how and when the individual gave consent. They must also be able to withdraw that consent whenever they want.
GDPR and IT compliance may seem like a tough task, especially for small teams. But, imagine yourself as the data subject, when you buy products or transact with an organization, you expect your data to be handled securely. The regulation just puts the best practice in place to ensure that this is the case.
Want to check if you’re ready? Download our GDPR Checklist for IT Systems to check your compliance today.