GDPR for CIOs: Why it’s important and what you need to do
13 September 2017
If there’s one date guaranteed to be in the diary for next year it’s the 25th May – and if it’s not in your diary then you better make a note… quick! It marks the official start of the General Data Protection Regulation (GDPR).
One of the largest overhauls of data protection, designed to standardise measures across Europe and provide individuals with greater rights when it comes to the collection, storage and use of their personal data. It will apply to organisations regardless of whether they are actually based in the EU, as the key point is that if an organisation handles the data of EU citizens then it must be compliant.
With the GDPR bringing in numerous changes, such as widening the definition of personal data, increasing the rights of individuals and establishing new obligations regarding personal data breaches, complying with the regulation will be no small feat. It is likely that many organisations will need to carry out data audits, review processes and privacy notices, assess their current data protection methods and explore technological solutions to help achieve compliance.
To help your organisation prepare for these upcoming changes we’ve put together a list of key points that CIOs should be aware of:
5 important things CIOs need to be aware of
1. You need to know your data
The first step in your journey to compliance with the GDPR is knowing exactly what personal data you hold, where you hold it, who has access to it and how it is processed. All organisations will have data living across multiple systems such as file shares, Sharepoint, databases, cloud systems and social platforms like Yammer, some of which might not have been identified yet. With a vast amount of data out there to discover, classify and report on it will be necessary to investigate technology solutions which can assist.
2. “Privacy by Design” is an obligation – not a recommendation
The ICO and other regulatory authorities have long recommended that organisations take a “Privacy by Design” approach, but the GDPR outlines this an obligation. In the past, privacy controls may have been the last thought, but now it will need to be embedded into every system that handles data right from the very start and throughout the entire lifecycle of the project. The GDPR states that you must “implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities”, to ensure that Personally Identifiable Information (PII) is protected. As part of this approach by default, you will now have to give consumers the maximum privacy protection. They can have the ability to lower this, for example when setting up a social media profile they can reduce the default privacy settings, but the maximum settings have to be the baseline. Achieving these obligations involves enacting measures such as explicit opt-in, safeguards to protect consumer data, restricted sharing, and minimised data collection and retention.
3. You will need to undertake Data Protection Impact Assessments
In line with the “Privacy by Design” obligation, organisations will need to undertake Data Protection Impact Assessments (DPIAs) to ensure you are complying with data protection obligations and meeting individuals’ expectations of privacy. A DPIA is a risk management tool which allows organisations to identify and fix data protection problems in the early stages of a project before they cause damage – both to individuals and the organisation involved. When carrying a DPIA you should document:
- what kind of personal information will be collected;
- how that personal information will be collected, stored and processes;
- how and why it can be shared; and
- how it will be protected from inappropriate disclosure at each step
According to the GDPR, a DPIA should be carried out where “processing operations are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purpose”.
The Information Commissioner’s Office (ICO) states that organisations must carry out a DPIA when using new technologies and when the processing is likely to result in a high risk to the rights and freedoms.
4. Breach notifications are mandatory
Not only could breaches potentially carry much larger fines once the GDPR is in place, there are also strict requirements when it comes to reporting such a breach to your supervisory authority and to the individuals affected. If your company suffers a personal data breach which is likely to result in a risk to the rights and freedoms of individuals then you must notify the relevant supervisory authority within 72 hours of discovering the breach, including the following information:
- The nature of the personal data breach including where possible:
- the categories and approximate numbers of individuals concerned; and
- the categories and approximate number of data records concerned
- The name and contact details of your Data Protection Officer or another contact point
- A description of the likely consequences of the personal data breach; and
- A description of the measures taken or proposed to be taken to deal with the breach and mitigate any possible effects
A personal data which is likely to result in a “high risk” to the rights and freedoms of individuals, requires organisations to notify those concerned directly and “without undue delay”. One example of such as breach could be the loss of customer details which leaves individuals open to identity theft. the Failure to notify a personal data breach when required could result in a significant fine of up to €10 million or 2 percent of your global turnover.
5. You must take a “risk-based” approach
Certain pieces of personal data can be considered more high risk (or more valuable in the eyes of a cybercriminal), and as such not all data will need to be protected in the exact same way. Not only will organisations need to know their data, they will also need to decide how exactly to protect based on how it stored and processes, and the risk it could pose to the concerned individuals. When conducting a data audit you may find it necessary to move, delete, encrypt or block certain pieces of personal data. The ability to do this proactively, as well as keep detailed records of your decisions and activities, will be key in achieving GDPR compliance.
Achieving compliance will require a concentrated effort across the whole organisation. Although there is some confusion on who bears responsibility for GDPR, it really will involve multiple parties working together because data is critical for so many. Key people involved could include, depending on your organisation’s structure, the Data Protection Officer, the Chief Data Officer, Chief Information Officer, Chief Information Security Officer and senior leadership from departments such as HR and Marketing. The board will also need to understand the implications of the GDPR and why it is necessary to make enhancements – which may involve some financial outlay.
Even though the UK is planning to leave the EU, organisations will still need to comply with the GDPR when data passes through the EU, even if they have no influence on its direction. Furthermore, the UK plans to continue to apply the regulation by transferring into UK law through a new Data Protection Bill, so waiting to implement GDPR principles within your organisation would not be a wise move.
IMAGE: Icons made by Freepik, Dinosoft Labs, Vectors Market, Made by Oliver