GDPR for CIOs: Why it’s important and what you need to do

The 25th of May 2018 was when GDPR came into full force. Designed to standardise data protection measures across Europe GDPR provides individuals with greater rights and establishes a modern framework to which companies need to comply. GDPR applies to any organisation, regardless of whether they are actually based in the EU, if they process the data of EU citizens.

With the GDPR bringing in numerous changes, such as widening the definition of personal data, increasing the rights of individuals and establishing new obligations regarding personal data breaches, complying with the regulation will be no small feat. It is likely that many organisations will need to carry out data audits, review processes and privacy notices, assess their current data protection methods and explore technological solutions to help achieve compliance.

To help your organisation prepare for these upcoming changes we’ve put together a list of key points that CIOs should be aware of:

5 important things CIOs need to be aware of

1. You need to know your data

The first step in your journey to compliance with the GDPR is to know exactly what personal data you hold, where you hold it, who has access to it and how you process it. All organisations will have data across multiple systems such as file shares, Sharepoint, databases, cloud systems and social platforms like Yammer. You may not have even identified some of it yet. With a vast amount of data out there to discover, classify and report on it will be necessary to investigate technology solutions that can assist.

2. “Privacy by Design” is an obligation – not a recommendation

The ICO and other regulatory authorities have long recommended that organisations take a “Privacy by Design” approach, but the GDPR outlines this as an obligation. In the past, privacy controls may have been the last thought, but now they will need to be embedded into every system that handles data right from the very start and throughout the entire lifecycle of the project. The GDPR states that you must “implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities”, to ensure that Personally Identifiable Information (PII) is protected.

As part of this approach by default, you will now have to give consumers maximum privacy protection. They can have the ability to lower this, for example when setting up a social media profile they can reduce the default privacy settings, but the maximum settings have to be the baseline. Achieving these obligations involves enacting measures such as explicit opt-in, safeguards to protect consumer data, restricted sharing, and minimised data collection and retention.

3. You will need to undertake Data Protection Impact Assessments

In line with the “Privacy by Design” obligation, organisations will need to undertake Data Protection Impact Assessments (DPIAs) to ensure they comply with data protection obligations and meet individuals’ expectations of privacy. A DPIA is a risk management tool that allows organisations to identify and fix data protection problems in the early stages of a project before they cause damage – both to individuals and the organisation involved. When carrying a DPIA you should document:

• What kind of personal information will you collect;
• how will you collect, process and store that personal information;
• how and why it can you share it; and
• how it will you protect it from inappropriate disclosure at each step

According to the GDPR, a DPIA should be carried out where “processing operations are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purpose”.

The Information Commissioner’s Office (ICO) states that organisations must carry out a DPIA when using new technologies and when the processing is likely to result in a high risk to the rights and freedoms.

4. Breach notifications are mandatory

Not only could breaches potentially carry much larger fines once the GDPR is in place, but there are also strict requirements when it comes to reporting such a breach to your supervisory authority and to the individuals affected. If your company suffers a personal data breach that is likely to result in a risk to the rights and freedoms of individuals then you must notify the relevant supervisory authority within 72 hours of discovering the breach, including the following information:

• The nature of the personal data breach including where possible:
  • the categories and approximate numbers of individuals concerned; and
  • the categories and approximate number of data records concerned
• The name and contact details of your Data Protection Officer or another contact point
• A description of the likely consequences of the personal data breach; and
• A description of the measures taken to deal with the breach and mitigate any possible effects

A personal data breach that is likely to result in a “high risk” to the rights and freedoms of individuals, requires organisations to notify those concerned directly and “without undue delay”. One example of such a breach could be the loss of customer details which leaves individuals open to identity theft. Failure to notify when required could result in a significant fine of up to €10 million or 2% of your global turnover.

5. You must take a “risk-based” approach

Certain pieces of personal data can be considered more high risk (or more valuable in the eyes of a cybercriminal). As such not all data will need the same level of protection. Not only will organisations need to know their data they will also need to decide how exactly to protect it. This will depend on how you store and process it, and the level of risk it could pose to concerned individuals. When conducting a data audit you may need to move, delete, encrypt or block certain pieces of personal data. The ability to do this proactively, and keep detailed records of your decisions and activities, will be key to compliance.

What next?

Achieving compliance will require a concentrated effort across the whole organisation. Although there is some confusion on who bears responsibility for GDPR, it will likely involve multiple parties. Key people involved could include, the Data Protection Officer, the Chief Data Officer, Chief Information Officer, Chief Information Security Officer and senior leadership from departments such as HR and Marketing. It will depend on your organisation’s structure. The board will also need to understand the implications of the GDPR and why it’s necessary to make changes – which could involve financial outlay.

Even though the UK is planning to leave the EU, organisations will still need to comply with the GDPR when data passes through the EU, even if they have no influence on its direction. Furthermore, the UK plans to continue to apply the regulation by transferring into UK law through a new Data Protection Bill, so waiting to implement GDPR principles within your organisation would not be a wise move.