GDPR for CIOs: Why it’s important and what you need to do
13 September 2017
The 25th of May 2018 was when GDPR came into full force. Being designed to standardise measures across Europe and provide individuals with greater rights. GDPR applies to any organisation, regardless of whether they are actually based in the EU, if they process as the key point is that if an organisation handles the data of EU citizens then it must be compliant.
With the GDPR bringing in numerous changes, such as widening the definition of personal data, increasing the rights of individuals and establishing new obligations regarding personal data breaches, complying with the regulation will be no small feat. It is likely that many organisations will need to carry out data audits, review processes and privacy notices, assess their current data protection methods and explore technological solutions to help achieve compliance.
To help your organisation prepare for these upcoming changes we’ve put together a list of key points that CIOs should be aware of:
5 important things CIOs need to be aware of
1. You need to know your data
The first step in your journey to compliance with the GDPR is to know exactly what personal data you hold, where you hold it, who has access to it and how you process it. All organisations will have data across multiple systems such as file shares, Sharepoint, databases, cloud systems and social platforms like Yammer. You may not have even identified some it yet. With a vast amount of data out there to discover, classify and report on it will be necessary to investigate technology solutions which can assist.
2. “Privacy by Design” is an obligation – not a recommendation
The ICO and other regulatory authorities have long recommended that organisations take a “Privacy by Design” approach, but the GDPR outlines this an obligation. In the past, privacy controls may have been the last thought, but now it will need to be embedded into every system that handles data right from the very start and throughout the entire lifecycle of the project. The GDPR states that you must “implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities”, to ensure that Personally Identifiable Information (PII) is protected.
As part of this approach by default, you will now have to give consumers the maximum privacy protection. They can have the ability to lower this, for example when setting up a social media profile they can reduce the default privacy settings, but the maximum settings have to be the baseline. Achieving these obligations involves enacting measures such as explicit opt-in, safeguards to protect consumer data, restricted sharing, and minimised data collection and retention.
3. You will need to undertake Data Protection Impact Assessments
In line with the “Privacy by Design” obligation, organisations will need to undertake Data Protection Impact Assessments (DPIAs) to ensure you are complying with data protection obligations and meeting individuals’ expectations of privacy. A DPIA is a risk management tool which allows organisations to identify and fix data protection problems in the early stages of a project before they cause damage – both to individuals and the organisation involved. When carrying a DPIA you should document:
- what kind of personal information will you collect;
- how will you collect, process and store that personal information;
- how and why it can you share it; and
- how it will you protect it from inappropriate disclosure at each step
According to the GDPR, a DPIA should be carried out where “processing operations are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purpose”.
The Information Commissioner’s Office (ICO) states that organisations must carry out a DPIA when using new technologies and when the processing is likely to result in a high risk to the rights and freedoms.
4. Breach notifications are mandatory
Not only could breaches potentially carry much larger fines once the GDPR is in place, there are also strict requirements when it comes to reporting such a breach to your supervisory authority and to the individuals affected. If your company suffers a personal data breach which is likely to result in a risk to the rights and freedoms of individuals then you must notify the relevant supervisory authority within 72 hours of discovering the breach, including the following information:
- The nature of the personal data breach including where possible:
- the categories and approximate numbers of individuals concerned; and
- the categories and approximate number of data records concerned
- The name and contact details of your Data Protection Officer or another contact point
- A description of the likely consequences of the personal data breach; and
- A description of the measures taken to deal with the breach and mitigate any possible effects
A personal data breach which is likely to result in a “high risk” to the rights and freedoms of individuals, requires organisations to notify those concerned directly and “without undue delay”. One example of such as breach could be the loss of customer details which leaves individuals open to identity theft. Failure to notify when required could result in a significant fine of up to €10 million or 2 percent of your global turnover.
5. You must take a “risk-based” approach
Certain pieces of personal data can be considered more high risk (or more valuable in the eyes of a cybercriminal). As such not all data will need the same level of protection. Not only will organisations need to know their data, they will also need to decide how exactly to protect it. This will depend on how you store and process it, and the level of risk it could pose to concerned individuals. When conducting a data audit you may need to move, delete, encrypt or block certain pieces of personal data. The ability to do this proactively, and keep detailed records of your decisions and activities, will be key to compliance.
Achieving compliance will require a concentrated effort across the whole organisation. Although there is some confusion on who bears responsibility for GDPR, it will likely involve multiple parties. Key people involved could include, the Data Protection Officer, the Chief Data Officer, Chief Information Officer, Chief Information Security Officer and senior leadership from departments such as HR and Marketing. It will depend on your organisation’s structure. The board will also need to understand the implications of the GDPR and why it’s necessary to make changes – which could involve financial outlay.
Even though the UK is planning to leave the EU, organisations will still need to comply with the GDPR when data passes through the EU, even if they have no influence on its direction. Furthermore, the UK plans to continue to apply the regulation by transferring into UK law through a new Data Protection Bill, so waiting to implement GDPR principles within your organisation would not be a wise move.