May 2018 GDPR will come into effect. The General Data Protection Regulation is a completely new and very demanding set of rules for companies and other organisations for the storage, processing and protection of personal data. We already discussed this topic earlier in one of our blogs, but we are now approaching the GDPR implementation deadline. So, this is a good moment for the responsible managers to check whether they have everything in place. Are you prepared for the GDPR?
Did you make an inventory of all personal data?
Personal data are all data that point to individual persons. That includes of course information like names, addresses etc. But also other information – from family images and video towards bank account information and healthcare records – are considered personal information. For the GDPR it is essential that you as a company maintain an inventory of all the personal data you own and process in your organisation. That covers of course structured data as stored in systems databases. But it also covers so-called unstructured data which are collected in e.g. word documents and excel sheets (for example an excel based client list with personal information). It may be a serious challenge to keep track of all documents containing unstructured personal data in your company.
Are all procedures in place for personal data management?
Another check to be made is if all procedures are in place to ensure that you only collect data that are allowed. Under the GDPR you need to ask and register the explicit end-user consent for collecting his or her personal data. And you have to inform the end-user about the purpose of the data. Finally, you should check that you only collect the necessary data, and nothing more.
You also have to ensure that if a person asks you which information your organisation collected about him or her, you can swiftly respond to this request with an overview of the collected data. And you must also have the procedures in place to remove the data from the system on request of end-users. This ‘right to be forgotten’ is important, as well as procedures to automatically remove the data after the agreed storage period.
Is your organisation prepared for the GDPR?
It is also important to check whether your organisation has everything in place for GDPR. It is for example important to check in which cases you must appoint a Data Protection Officer (DPO). This is typically the case when you handle substantial amounts of sensitive data. Another important question is – if you are an international organisation – in which EU country the Supervisory Authority is your main contact for GDPR related topics. Contracts with third-party service providers have to be checked. It is your responsibility that your cloud service provider and other external data handlers adhere to the GDPR regulations. Also, do you have the procedures in place to respond to a – hopefully never occurring – data breach? Can you inform the right authorities in time and do you have an emergency plan?
Are your systems ready for the GDPR implementation?
It is important that your systems are designed with data privacy as a core requirement. This is called Privacy by Design. This is not only important to prevent data leaks. It is also important in case a data leak occurs. If an organisation can show that all security preparations were done and everything is documented correctly, this may substantially reduce penalties. Note that under the new GDPR penalties may be as high as either 4% of the yearly revenue or 20 million euro. Whichever is higher defines the maximum penalty. So, for large multinationals the penalty in case of GDPR non-compliance can be 4% of the total yearly international turnover, while for a start-up with no serious revenues yet, there can still be a 20 million financial damage.
And is your desktop GDPR compliant?
We already discussed the requirement to have your systems designed with privacy as a core requirement. Also all systems privacy settings have by default to be set at the highest possible level (often referred to as Privacy by default). However, if we know that the weakest link in many security plans is the person behind the desk, it is worthwhile to look further.
How is the password discipline in your organisation for example? And not just for computers and laptops, but also for your desktop telephones. Does your telephony system support extension mobility (also known as hot desking)? And if so, did you assign personal usernames and passwords to end-users? Or was ease-of-use the most important requirement and does everybody use the default password? Did you consider a Single Sign-On solution for telephony like the RSconnect Active Login Manager?
All important questions to be answered. Since in the end an effective GDPR implementation does not just rely on a good security organisation and well-designed IT systems. It also depends on a well-organised desktop security.