Two years into GDPR
Two years have passed since the General Data Protection Regulation came into force, and surveys still find only around one in three organisations fully compliant with it. In 2019 the UK's Information Commissioner's Office announced its intention to fine British Airways a record £183m after attackers stole the personal data of almost half a million of its customers.
Businesses, and technology companies in particular, face a real challenge in aligning their systems and processes with the complexities of GDPR. Many find it time-consuming and costly to maintain. Non-compliance is costlier still: supervisory authorities can impose fines of up to €20 million or 4% of the company's worldwide annual turnover, whichever is higher, and a breach involving poorly protected personal data is exactly the kind of failure that triggers them.
So, what is it exactly?
The General Data Protection Regulation is an EU law, in force since 25 May 2018, governing the collection and processing of personal data. It replaces a patchwork of national rules with one harmonised framework across Europe, with the aim of giving individuals stronger rights over their data.
The Seven Principles:
- Lawfulness, fairness and transparency: personal data is processed on a valid legal basis (consent, contract, legal obligation, legitimate interests and so on) and the individual is told clearly what is collected and why.
- Purpose limitation: data is collected for specified, explicit purposes and is not later processed in ways incompatible with those purposes.
- Data minimisation: only data that is adequate, relevant and limited to what the stated purpose needs may be collected; you must be able to justify every field you hold.
- Accuracy: data must be accurate and, where necessary, kept up to date; inaccurate records must be corrected or erased without delay.
- Storage limitation: data is kept in identifiable form no longer than the purpose requires, and every retention period must be justified and documented.
- Integrity and confidentiality (security): data must be protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage. GDPR does not prescribe a particular standard, but an ISO 27001-aligned security programme is a widely accepted way of demonstrating that appropriate measures are in place.
- Accountability: the controller is responsible for compliance with the principles above and must be able to demonstrate it, so every decision about what is collected, why, and on what legal basis should be documented.
How to Approach Compliance for your Website
Know the Philosophy
GDPR is not an IT-only concern: every department that handles personal data (IT, HR, Legal..) is in scope, and any implementation has to satisfy both the legal and the technical requirements.
The first practical step is to map your data flows: which websites and applications collect personal data, where it is stored, where the master copy (the source of truth) lives, and where it is shared internally and externally. Document these maps carefully; they are the first thing an auditor or regulator will ask for.
Bringing departments up to speed is an organisational change project in its own right. Staff should be trained by the teams responsible for compliance and told about changes well in advance so that the work does not collide with other projects.
Controllers must cooperate with supervisory authorities on request. Have a breach reporting process in place that can notify the relevant authority within 72 hours of becoming aware of a breach, and put safeguards in place for any transfer of personal data outside the EU.
On the website itself, switching your forms to explicit opt-in means revisiting every online form submission: consent boxes must be unticked by default, and a pre-ticked box does not count as consent. The other component is cookie consent: non-essential tracking must not start until the user has agreed, and the banner must tell the user what the tracking is for.
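The opt-in and cookie-consent requirements above come down to two checks in front-end code: a purpose is granted only when the user explicitly ticked it, and no non-essential script runs until a current consent record says it may. The following is an added example written for this page, not code from the original article or from any consent product it mentions; the policy version, purpose names, cookie name and script path are assumptions chosen for illustration. The logic is kept in pure functions so it can be exercised without a browser, with the DOM wiring at the bottom.

```javascript
// Added example (not from the original article): record explicit opt-in consent
// and gate non-essential trackers on it. POLICY_VERSION, PURPOSES, the "consent"
// cookie name and the script path are assumed values for illustration.

const POLICY_VERSION = "2020-05";            // bump whenever the privacy notice changes
const PURPOSES = ["analytics", "marketing"]; // non-essential purposes that need opt-in

// Build a consent record from a submitted form. `choices` maps purpose -> boolean
// taken from each checkbox's `.checked`. A purpose is granted only if the value is
// the boolean true: pre-ticked defaults, "on" strings or missing keys all count as
// refused, so a badly wired form fails closed rather than open.
function recordConsent(choices, now = Date.now()) {
  const granted = {};
  for (const p of PURPOSES) {
    granted[p] = choices[p] === true;
  }
  return {
    version: POLICY_VERSION,
    timestamp: new Date(now).toISOString(), // evidence of when consent was given
    granted,
  };
}

// Decide whether a tracker for `purpose` may run. Returns false when there is no
// record, when the record predates the current policy version (consent must be
// re-asked after the notice changes), or when the user did not opt in to it.
function mayLoad(consent, purpose) {
  if (!consent || consent.version !== POLICY_VERSION) return false;
  return consent.granted[purpose] === true;
}

// Cookie (de)serialisation. A malformed or tampered value yields null, which
// mayLoad treats as "no consent"; it never throws in a way that could fall open.
function serialiseConsent(consent) {
  return encodeURIComponent(JSON.stringify(consent));
}

function parseConsentCookie(raw) {
  try {
    const obj = JSON.parse(decodeURIComponent(raw));
    if (typeof obj.version !== "string" || typeof obj.granted !== "object" || obj.granted === null) {
      return null;
    }
    return obj;
  } catch (e) {
    return null;
  }
}

// Browser glue: only runs where a DOM exists. Reads the stored record and injects
// the analytics script only if consent for that purpose is current.
if (typeof document !== "undefined") {
  const raw = document.cookie.split("; ").find((c) => c.startsWith("consent="));
  const consent = raw ? parseConsentCookie(raw.slice("consent=".length)) : null;
  if (mayLoad(consent, "analytics")) {
    const s = document.createElement("script");
    s.src = "/static/analytics.js"; // assumed path to the tracker
    document.head.appendChild(s);
  }
}
```

When the form is submitted, call `recordConsent({ analytics: analyticsBox.checked, marketing: marketingBox.checked })`, store `serialiseConsent(record)` in the `consent` cookie (with `Secure` and `SameSite=Lax`), and keep a copy server-side as your evidence of consent. Tying the record to a policy version is what lets you prove which notice the user actually agreed to, which is the accountability point above.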
- Any transfer of personal data outside the EU must go through a recognised transfer mechanism (an adequacy decision, standard contractual clauses or binding corporate rules) and be approved by your designated data controller.
- Data protection impact assessments (DPIAs) are useful not only before a project starts but also for ongoing audits, and they are mandatory where processing is likely to pose a high risk to individuals, for example large-scale databases of personal data such as user profiles, national identification numbers and addresses.
- A designated data protection officer (DPO) is mandatory for public bodies and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special-category data, which in practice covers many larger companies. The DPO's job is to monitor and drive compliance across the whole infrastructure.
This may sound like a lot, but no business is ever 100% compliant. The objective is to stay as compliant as possible and to schedule regular reviews of your systems, whether or not you have a DPO.
Tight on time? Consider a SaaS Platform
If you are about to start a GDPR change project, SaaS tooling is worth a look. After the regulation came in, the market filled with services aiming to ease the maintenance, reporting and auditing of personal data.
Here are two options: one at the budget-friendly end and one at the premium end for larger organisations.
- Visualize Compliance: Collaborate with multiple users to review submitted documentation and get a high-level view of stakeholders, status, risks and owners.
- Breach Management: Assess the severity of the associated risks, with automated breach notifications to supervisory management. Breach flow logs let you review the history, events and mitigating actions taken.
- Data Mapping: Create Visio-like data flows for all your applications within the dashboard. These generate an automated report ready to hand to regulators.
The platform is aimed at a wide audience: employees, team members, regulators, processors and clients. Starting at $56/month, it is a budget-friendly option compared with its competitors.
- Privacy Program Management: Benchmark where the organisation stands against other companies. Automate the distribution of PIA/DPIA questionnaires to support 'privacy by design'. It also comes with a central repository of the latest compliance information and best practices.
- Third Party Risk Management: Identify and mitigate vendor risks based on key use cases and standards. Report on key contract terms and manage a single vendor repository. Receive vendor alerts on critical security and privacy changes, incidents and breaches.
As you can see, the OneTrust platform offers a large number of enterprise-grade modules covering not only GDPR but CCPA, LGPD and many other global regulations. It is a relatively young company, valued at around $1 billion, with pricing starting at approximately $165 per module.