May 25th is an important date for our European colleagues and customers: it’s the date that the EU General Data Protection Regulation (GDPR) goes into effect. Companies that don’t comply with GDPR could face hefty fines of 4% of annual revenue or €20 million (whichever is greater).
When it comes to your data, what do you need to know about GDPR? Or for those of us outside of the EU, what the heck is GDPR? I recently spoke to Elisa Elbers, Diver consultant and security officer for our European headquarters in the Netherlands, and Debbie Lonsdale, consultant at Dynamic Business Informatics (DBI), a Dimensional Insight partner in Ireland, to learn more about GDPR and some ways companies can better organize their data.
What is GDPR?
GDPR is a regulation that strives to protect EU citizens from privacy and data breaches. Here are some of the key points of the new regulation, taken from the EUGDPR.org web site. (These are just high level; for the nitty-gritty details, please visit the web site to learn more.)
- Increased territorial scope: GDPR doesn’t just apply to EU companies, but it applies to all companies that process personal data of EU citizens, regardless of where the company is located. So all those emails and notices you’ve been getting from companies about updating their privacy policies? That’s because of GDPR.
- Penalties: I previously mentioned some of the fines associated with GDPR. That’s for the most serious infractions. Companies can also be fined smaller amounts (2%) for not having records in order, not giving proper notification of a breach, or not conducting an impact assessment.
- Consent: Companies must request consent using clear and plain language. It should be easy for individuals to withdraw their consent.
- Breach notification: This becomes mandatory, and it must be done within 72 hours.
- Right to access: People have the right to obtain information on whether or not personal data is being processed, as well as where and for what purpose. They will be able to get a free copy of their personal data electronically.
- Right to be forgotten: People can request that companies erase their personal data, stop disseminating it, or halt processing of it.
- Data portability: People can receive their personal data and can transmit it to another controller.
- Privacy by design: Companies must include data protection in systems from the design phase rather than add it on later.
- Data protection officers: It will be mandatory for certain types of data controllers and processors to have a data protection officer. This person must report directly to upper management and cannot have any conflicts of interest.
What does all this mean?
For businesses that collect or process data, the bottom line is that you need to know:
- What data you process and/or control
- Where the data is stored
- How long you have had that data
- Whether you have the right to hold it
How is Dimensional Insight preparing for GDPR?
Our European headquarters in the Netherlands has been busy preparing for GDPR to better service our clients in the EU. I recently asked Elisa about our GDPR efforts. Here is what she told me:
Data security and privacy have been a major focus for Dimensional Insight Netherlands for the past year. We are working on getting ISO27001 and NEN7510 (a Dutch certification, similar to ISO27001 but specific for healthcare) certified. As part of the certification process, we have implemented an Information Security Management System (ISMS). Our ISMS contains a set of policies and procedures and helps us to systematically manage and protect information.
As a business intelligence company, we help our customers to gain insight into their data. Our role as defined by the GDPR is therefore processor, meaning we process personal data on behalf of our customers, the controllers. Because of this role, it is really important to make getting GDPR-ready a shared effort between us and our customers. We have raised awareness on the importance of implementing the GDPR at our customers’ sites – for example, by organizing a workshop on “GDPR and Business Intelligence”. We have created a record of processing activities and are in the process of concluding processor agreements with our customers. We have analyzed whether our internal business processes were GDPR compliant and streamlined and standardized them where necessary. We also gave a lot of attention to raising awareness among our employees, in awareness sessions and via extensive communication.
Ways to organize your data
As an EU company that has customer data and also processes its clients’ data, DBI in Ireland has also been getting ready for GDPR. Through its process of getting its own data in order, it developed some ways that organizations could use Diver to help become GDPR-ready. Following are some tips from Debbie.
Step one: Create a data registry
This is where organizations should start – by getting a handle on what data they have and what attributes that data has. You can use a spreadsheet, a database, or DivePort to list the various data sets and their attributes. You should design this registry with the questions in the next step in mind.
Step two: List all data sets and check the following questions
- Does the data set have personal information in it?
- Do you have a contract/consent saying you have the right to hold the data?
- Are you the data controller or data processor?
- How long have you had the data? Do you still need to hold it?
- Is it in a secure area of the server? Is it monitored by security software?
- Can it be accessed only by people who need to access it?
- Is there consent to hold each PII (personally identifiable information) record?
- Is there consent for each purpose it is held? (Every service provided must have consent.)
Step three: Carry out privacy impact assessments
This assessment should be performed on each data set, and it should be viewable by the auditor, commissioner, and regulator.
To determine risk:
Likelihood of incident x consequences (low, med, high) = risk to subject
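As an added example (not code from the post, from DBI, or from Dimensional Insight), here is a small Python model of steps one to three: a registry row that carries the step-two checklist answers, the checks run over each row, and the step-three "likelihood x consequences" banding. The field names, the retention-days attribute, the numeric banding and the sample rows are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

LEVELS = {"low": 1, "med": 2, "high": 3}  # scale for the "likelihood x consequences" formula

@dataclass
class DataSet:  # one registry row; the fields mirror the step-two checklist questions
    name: str
    has_pii: bool
    contract_or_consent: bool  # right to hold the data at all
    consented_purposes: set    # purposes the subject agreed to
    purposes_used: set         # purposes the data is actually held for
    acquired: str              # ISO date the data set was obtained
    retention_days: int        # assumed retention policy for this data set
    secure_area: bool
    monitored: bool
    need_to_know_only: bool
    likelihood: str            # low / med / high
    consequence: str           # low / med / high

def risk_to_subject(likelihood, consequence):
    # likelihood x consequence, banded back to low/med/high (the banding is an assumption)
    score = LEVELS[likelihood] * LEVELS[consequence]
    return "high" if score >= 6 else "med" if score >= 3 else "low"

def review(ds, today):
    """Return the step-two questions this data set fails; an empty list means it passes."""
    findings = []
    if ds.has_pii:  # the consent questions only apply to personal data
        if not ds.contract_or_consent:
            findings.append("no contract/consent to hold the data")
        missing = ds.purposes_used - ds.consented_purposes
        if missing:
            findings.append("no consent for purpose(s): " + ", ".join(sorted(missing)))
    if (date.fromisoformat(today) - date.fromisoformat(ds.acquired)).days > ds.retention_days:
        findings.append("retention period exceeded; confirm it is still needed")
    checks = ((ds.secure_area, "not in a secure area of the server"), (ds.monitored, "not monitored by security software"),
              (ds.need_to_know_only, "accessible beyond need-to-know"))
    findings += [msg for ok, msg in checks if not ok]
    return findings

def registry_report(datasets, today):  # risk band plus open findings per data set
    return {ds.name: {"risk": risk_to_subject(ds.likelihood, ds.consequence),
                      "findings": review(ds, today)} for ds in datasets}

SAMPLE = [  # constructed sample rows, not real data sets
    DataSet("crm_contacts", True, True, {"billing", "newsletter"}, {"billing", "newsletter"}, "2018-01-10", 730, True, True, True, "low", "med"),
    DataSet("legacy_exports", True, False, {"reporting"}, {"reporting", "marketing"}, "2014-03-01", 1095, False, False, False, "high", "high"),
    DataSet("sales_totals", False, True, set(), set(), "2017-06-01", 3650, True, True, True, "low", "low"),
]
```

Calling `registry_report(SAMPLE, "2018-05-25")` gives one entry per data set; a non-PII set skips the consent questions but is still checked for retention and access control.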
Ways you can use Diver to help manage GDPR
Debbie’s organization has used DivePort to help organize its data sets. Here are some ways Debbie says you can do the same.
1. Use DivePort to manage GDPR projects
- Data repositories and document management portlets
- Keeps GDPR documents together and accessible to those who need to view them
- Allows you to set access control lists for security – the weakest link is often employees
2. Use DivePort to report on your compliance progress
- KPIs on security, risk factors, clean desk, breaches, etc.
- Number of outstanding (O/S) subject access requests – days to deadline, etc.
3. Use DivePort to access details of the data registry and subject access requests
- Diver Portlet and reports – ad hoc analysis
4. Use DivePort to create individual PDF reports that can be supplied on request
- To data commissioner – within 72 hours after breach
- To subject access requestors – 30 days to provide details
Following are some screenshots that show how DBI is managing its data.
The bottom line
I hope some of these tips were useful to you as your organization becomes GDPR-ready. (Or if – like me – you knew very little about GDPR before and wanted to get up to speed on it.) As you can see, getting ready for GDPR is a process that requires continual education and vigilance. It requires knowing what data you have, how you’re using it, and how well it’s protected – and continually being on top of all that. While GDPR goes into effect on May 25th, there are continual ways that your organization can improve its data processes in the days and years to come.