GDPR – Getting your Ducks on Parade for Regulation
For any organisation, it is a numbers game, and GDPR, the most important new data protection regulation in decades, will certainly give them a run for their money. For service providers, the regulation can have a financial and reputational impact on their clients, with associated legal ramifications. The oft-quoted maximum fines of four percent of annual global turnover or €20,000,000, whichever is greater, grab the headlines (and the attention of the Board), but fines are only part of the additional cost the regulation brings. To be compliant, many organisations will require structural changes across the entire data lifecycle to provide the level of guardianship needed to ensure that data are handled in accordance with the Regulation. For organisations whose core activities involve large-scale processing of special categories of personal data (health, biometric, genetic and similar data), or large-scale systematic monitoring of individuals, the appointment of a Data Protection Officer (DPO) is compulsory. Arguably, this encompasses a large share of modern businesses and organisations, but it is particularly relevant for the finance and insurance industries, law firms and healthcare providers.
GDPR is concerned with the handling, processing and storage of the Personal Data of individuals in the EU. The regulation applies to all organisations that offer products or services to, or monitor the behaviour of, individuals in the EU, regardless of the organisation's legal or physical location. As the name implies, Personal Data is information about an individual which identifies them, could allow them to be impersonated, or which describes them in the widest sense; this includes data about status, preferences, behaviour, location or movements, biometric data of all forms, and even opinions about the individual expressed by other people. Ultimately the objective of GDPR is to enforce the protection of every individual's right to privacy over their data. The regulation does not apply to data that has been truly anonymised, or to aggregate statistics derived from it that no longer relate to an identifiable individual, for example pooled patient responses to a new drug in a clinical trial. Note that pseudonymised data, where a key or lookup table could still re-link records to individuals, remains personal data and stays in scope. Clearly, not all of an organisation's data will be affected by GDPR, and the data that are impacted are likely to carry higher lifecycle-management costs, so the first step for any organisation is to identify and classify its data. Accurate classification, and continued maintenance to keep that inventory up to date, will not only give the business greater visibility of its data but will reduce the overall overhead of data management under GDPR.
A key goal of GDPR is to incentivise organisations to establish: effective accountability, including systems and processes designed with privacy in mind (privacy by design and by default); a programme of Data Protection Impact Assessments (often called Privacy Impact Assessments) wherever processing is high-risk or involves large quantities of personal data; a lawful basis for every processing activity, with explicit consent obtained from the data subject before their information is used where consent is the basis relied upon; processes for complying with data subject requests for access, transfer, rectification or deletion of their personal data; breach-management procedures, including notification of the supervisory authority within 72 hours of becoming aware of a breach and, where the breach is deemed to present a high risk to individuals, notification of the affected data subjects as well; and, finally, direct obligations on data processor organisations, not just on the data controllers that engage them.
If we look past the size of the fines and the fact that the regulation is new, the actions required are simply good practice in data management. However, two 2017 studies, by Gartner and Veritas, suggest that most organisations are not quite there yet. Although data is extremely important to organisations, and has been described as the gold of the 21st century, many businesses still lack a structured data strategy; this becomes more pressing as data volumes continue to grow, making it impossible to maintain everything to the same standard. In this environment, could the regimented prescription of GDPR be just the medicine organisations need to get their ducks in a row and gain visibility of their data, with the added possibility of extracting even greater intelligence and insight from it?
Dr Wendy Ng, CISSP, CCNP; 26th January 2018