GDPR Guide: The ICO's 12 Recommended Steps To Take Now
3 likes1,854 views
The document outlines a set of 12 recommendations from the UK's Information Commissioner's Office to help organizations prepare for the General Data Protection Regulation (GDPR) coming into effect on May 25, 2018. Key steps include building internal awareness, documenting data processes, reviewing privacy policies, and establishing procedures for user rights and data breach notifications. Organizations are encouraged to proactively address compliance issues before the regulation takes effect to avoid potential fines and operational disruptions.
GDPR Guide: The ICO's 12 Recommended Steps To Take Now
- 1. GDPR GUIDE: 12 STEPS TO TAKE NOW Recommendations from The United Kingdom’s Information Commissioner’s Office (ICO) to Prepare for May 2018
- 2. When the European General Data Protection Regulation (GDPR) takes effect on May 25, 2018, every organization that collects information on European Union (EU) citizens will be forced to change how it manages and secures customer data. Hopefully you’re already taking steps to ensure GDPR compliance, which includes facilitating better data access, security, and management. This could impact your organization well beyond just your development team, so getting a head start on compliance is a good idea. In the remaining time before GDPR takes effect, the United Kingdom’s Information Commissioner’s Office suggested “12 steps to take now” to get ahead of GDPR’s impact on your operations and processes. Here’s a quick recap. GDPR is Fast Approaching
- 4. GDPR will impact your business in many ways, so make sure every decision-maker starts to consider how GDPR affects their department. That means elevating security to the board level, explaining what’s required for compliance, and making it a recurring topic. It’s important to stress to others in your organization that GDPR isn’t just a data security burden. The rules will influence how your product, communications, legal, and other teams approach security. In bigger and more complex organizations, GDPR could even force significant resource reallocations in order to have people focused on mitigating risks, reacting to data requests, or ensuring compliance. With a $20 million or more in potential fines, this is your opportunity to make security a boardroom topic. Building Internal Awareness1
- 6. GDPR focuses on user data, user access to their data, and your treatment of the data. To fully comply, you need to understand what data you currently have, where it comes from, what you do with it, where it’s stored, and who you share it with. Depending on your data processes, this might be a significant, audit-like undertaking. Next year, if you’re compelled to take a GDPR-related action, such as deleting a user’s data, you have to take that action along the entire process. If you don’t have a detailed map of your data flow, you won’t be able to comply. As you audit your data processes, document what you find and keep detailed records. GDPR’s rules force you to prove compliance, which means having documented policies and procedures in place. Documenting Your Data2
- 8. GDPR requires that specific privacy and data information be publicly accessible. This includes details around data retention periods and users’ right to file complaints. These new statements should be in your privacy policy, so it may need an update. That means reviewing your current policy against GDPR to identify gaps and potential conflicts. Next, you’ll need to have your security, communications, and legal teams to determine what needs to be changed, added, or deleted. Since this may take some time, best to get started early. Review Your Privacy Policy3
- 9. Define How You’ll Facilitate Users’ Rights 4
- 10. GDPR affords users many rights, such as access to their data, deletion of data, and more. Unless you already offer avenues to manage many of these requests, you’ll need to think about the processes, staff, and systems to put in place. Think about what would be involved. How will users make a request? Who will manage and respond to requests? How will you identify a particular user’s data? How will you delete it, from where, and who will do it? If a user requests their own data, in what form will it be transferred to them? These types of requests will come up and GDPR only allows 30 days to comply. Asking the questions now will save both time and resources later. Define How You’ll Facilitate Users’ Rights4
- 12. This is an extension of the previous step. You’ll need a mechanism for individuals to make requests regarding their data, and if you have many users, it may become overwhelming. What’s more, you’ll only have 30 days to comply or to explain your refusal. That’s not enough time to figure out your process on the fly, so get it defined now. Also consider how you might handle a large volume of requests. If your process is to have an individual or small team managing requests, what happens when they’re out sick or can’t support dozens or thousands of simultaneous requests? Think about the nuts and bolts as well. How will individuals submit requests (and how will they know how to submit requests)? How will you communicate with individuals? How will you comply with the 30 day requirement, and who will track the duration of each request? Define Your Data Request Process5
- 13. 6 Explain Why You’re Collecting the Data
- 14. GDPR requires that you state the reasons for collecting data, then document it and explain it to your users. It further provides just 6 situations where lawful data processing is allowed, such as the user has given consent and processing is necessary for performance of a contract. Beyond defining why you’re collecting data, you’ll need to allow review of your data processing activities, and if requested, explain why you do it and why you believe it’s lawful. Once again, your legal team will probably get involved, so acting now gives them ample time to prepare. Explain Why You’re Collecting the Data We’re only halfway through, but the recurring theme here is that GDPR requires accountability, so be sure to document everything. 6
- 16. A major consideration of GDPR is the consent you gain from users before you collect or process data. But more than just gaining consent, GDPR’s rules might impact how you seek, record, and manage that consent. What’s important about how you treat consent is that it cannot be implied, inferred, or even gained via pre-selected check boxes. It must also be informed consent, and the language has to be unambiguous. The opt-in must be positive and separate from that of other terms and conditions. Furthermore, if past consents don’t comply with GDPR, you need to refresh the consent to meet the standard. How you currently gain consent may need to change. Determine How You Gain Consent7
- 18. GDPR has two special statements directly concerning children and the protection of their data. You may need to verify ages and potentially gain parental consent for data processing if children accessing your systems are under age 16. Adding complexity, individual EU member states can enforce GDPR’s rules to children as young as 13. What might take additional effort is GDPR’s rule that any attempt to gain a child’s consent has to be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language,” which implies that it must be written in language a child would understand. If you do collect data from children, you’ll also need to determine how you’ll gain their parental or guardian consent. GDPR further requires that consent to be verifiable, so an audit trail is important. Children Have Special Considerations8
- 19. Define How You React to Data Breaches 9
- 20. GDPR compels you to notify organizations or individuals in event of a breach that concerns their data. Procedures should be in place to ensure you’re also working to detect and prevent those data breaches. Documentation is clearly a major part of GDPR, and you’ll need time to prepare the documentation that supports your breach response process. This step might also force you to look deeply into what types of data you hold, then highlight when and where breaches would compel you to notify the appropriate authorities. Define How You React to Data Breaches9
- 21. Prepare for Data Protection Impact Assessments 10
- 22. GDPR requires “data protection by design and default”, meaning you have to document how you design data protection into your overall organization. You’ll further need to run data protection impact assessments when certain situations occur, such as deploying a new technology. Again, since these assessments could ripple throughout your organization, it’s another reason to raise GDPR to the board level so everyone understands the importance of any new workload. For now, determine the situations where you would be required to run an impact assessment and how you would facilitate it. Prepare for Data Protection Impact Assessments10
- 24. Someone needs to be responsible for complying with GDPR, and that’s your Data Protection Officer, or DPO. It’s a role to be taken seriously, since they DPO is required to have both the knowledge to understand their role as well as the authority to carry it out. GDPR specifically states that “the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks” related to their role. In other words, it’s not a light responsibility to add to someone’s job description. Furthermore, GDPR requires organizations provide DPOs with the “resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.” And, also, “the data protection officer shall directly report to the highest management level of the controller or the processor.” Those details imply another level of expertise and authority that might impact your choice for DPO. Designate a Data Protection Officer11
- 26. If you operate in more than one EU member state, you’ll need to determine your one “lead authority”. It will generally be the member state where your EU “main establishment” is located. Or it could be the member state where you make the decisions about data processing. This might be an easy decision, or it may require you to map out your EU organization, where decisions are made, and how data is processed and stored. Determine Your Supervisory Authority12
- 28. As GDPR looks to update and consolidate data regulations across the EU, many questions still remain. If you collect data on EU citizens, you’re bound by these rules and it’s imperative you understand how your data, security, development, and other practices and people will be affected by these new rules. Here are two additional items to consider: ○ Our recent blog post, Ready or Not, Here Comes GDPR, offers additional insights into how GDPR might impact your business, specifically your security team. ○ GDPR requires you to look for, prevent, and investigate breaches. A great first step is to define a process for white-hat hackers to alert you when they find vulnerabilities in your applications. It’s called a Vulnerability Disclosure Policy (VDP), and here’s a quick guide to help you create and publish your own disclosure policy following industry best-practices. More to Think About
- 29. Get Started with Hacker-Powered Security CONTACT US