
New European privacy laws: 3 things all organisations should consider


From 25 May 2018 the new European privacy law, the General Data Protection Regulation (GDPR; in Dutch the Algemene verordening gegevensbescherming, AVG), applies in every EU member state. It is the biggest change to European privacy regulation in 20 years. 2018 may seem far away, but this legislative change should be on the agenda of every CIO, director and business owner now, because the GDPR has far-reaching consequences for the information policy and information management of organisations large and small. This article sets out the steps your organisation can take before it is too late.

New law: from DPD to GDPR

The EU wants to give its citizens back control over their own personal data. To that end, the 1995 Data Protection Directive 95/46/EC (DPD) is replaced by the GDPR. The aim is to simplify and harmonise the privacy laws of the EU member states. Because the DPD was a directive rather than a regulation, each member state had to transpose it into its own national law, which produced a patchwork of privacy standards. A clear common line was lacking and enforcement was far from adequate.

That the GDPR is not a toothless law like the DPD is evident from the fines attached to non-compliance. The regulation itself sets the maximum administrative fines in two tiers: up to €10 million or 2% of worldwide annual turnover, and for the most serious infringements up to €20 million or 4% of worldwide annual turnover, whichever is higher. The supervisory authority, in the Netherlands the Personal Data Authority (Autoriteit Persoonsgegevens), decides the actual amount per case. Not something to be overlooked, then.

Who it applies to

Two terms in the law are important: 'data controllers' and 'data processors'. Data controllers are individuals, companies or institutions that determine why and how personal data is processed. The law is not only about holding personal data but about any processing of it. Individuals, companies or institutions that merely 'work with the data' on a controller's behalf are called data processors. They too must comply with the requirements.

Although it is an EU regulation, any organisation in the world can be affected by the GDPR. The regulation applies not only to organisations established in the EU, but also to organisations elsewhere that offer goods or services to people in the EU or monitor their behaviour. An organisation based in the United States that has customers in the Netherlands therefore falls under this legislation.

The regulation only takes effect on 25 May 2018, but it is essential for organisations to take proactive steps now. Organisations that fail to do so run the risk of hefty fines.

Demonstrating and reporting compliance

An important aspect of GDPR compliance is accountability: organisations must be able to demonstrate quickly and easily that they have taken steps to meet the GDPR requirements, and must be able to hand this information and the supporting documentation to the regulator on request. This means that organisations must be able to show:

  • What kind of information they store (or process);
  • Whom this information is about (the data subjects);
  • Where they store it;
  • How it is secured.

Most organisations cannot do this today. Many organisations do not even know what information they hold, and if they do know, it is often a mystery where it is stored. The result is 'dark data': information the organisation holds without knowing that it exists, where it lives or who can reach it. This is mostly due to the lack of a central information strategy with associated tools and designated responsibilities.

Easily comply with GDPR with M-Files

Get your information management in order with M-Files. Easily store, edit and secure your documents and information.

What companies can do now

There are three focal points that will help organisations meet the GDPR requirements by May 2018.

1. Determine the risk the organisation faces

The most important issue of all is assessing risk and complexity.

Before deciding on a strategy to comply with the GDPR, organisations would be wise to examine the current situation first. Above all, you need to know everything about the data you hold (or process) as an organisation. Try to answer the following questions:

  • How complex is the organisational structure?
    Think of the different entities, operational units, departments and groups, each with its own role in processing data.
  • How much data and information do these groups, entities or departments process? Which data is involved, of what kind, and what is it used for?
  • How was consent obtained from the individuals the data relates to, and can that consent be demonstrated to external parties such as auditors or the regulator?
  • Where is all the data stored and is it adequately secured?
  • Does the organisation, and each of its groups and departments, classify the data it processes into categories?
  • How many and which external parties, such as suppliers and other stakeholders, work with data on behalf of your organisation?

In short, organisations should map and document their data flows (information flows). This applies to every system they work with, inside and outside the organisation. It allows your organisation to know which data is held where and why, who has access to it and how long it is retained.

A hack or leak

The risk of a leak or hack varies by industry and by the size of the organisation, and depends mainly on how and where the organisation stores its data. One organisation keeps its data in its own data centre or on a shared network drive, another stores everything in a cloud environment, and yet another outsources all or part of the handling of its data. In the last case there is a good chance that several external parties have access to the data. So besides knowing where data is stored, you must be clear about who has access to it: in the event of a data leak, the responsibility lies with you as an organisation. Control and insight are therefore essential.

By assessing its current data storage and processing, a company can estimate the steps needed to achieve GDPR compliance.

2. Establish approach

Once it is clear what the impact of the GDPR on your organisation may be, the next step is to define an approach and map out the associated costs and the resources the organisation needs.

For the vast majority of companies, the GDPR is one of the most important focal points of their information strategy. New data protection and processing policies and procedures must be implemented in such a way that they comply with the GDPR, and all employees involved must be trained to work with them. All information about data flows with external parties must be manageable and, above all, transparent. In the event of a data breach or an audit this insight is mandatory, which makes it crucial to the information strategy.

A methodical approach that prioritises high-risk data works best. By determining the risk of the various data sources, you can quickly establish which systems and data flows to address first, and then work in phases according to risk weight. You can do this, for instance, with Privacy Impact Assessments (PIAs, called Data Protection Impact Assessments or DPIAs in the GDPR) and risk assessments. From there you design your policies and processes to minimise the risk of each individual internal and external data processor or system. An information or document management solution can be of great value here: it adds control over documents and information and gives insight into data flows in a simple way.

Since a data breach must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, quick access to this information is crucial. Where the breach is likely to result in a high risk to the individuals concerned, they must also be informed of the likely consequences of the breach and of the measures being taken to protect their data. The notification to the national authority, in the Netherlands the Personal Data Authority (Autoriteit Persoonsgegevens, AP), must in addition give insight into the organisation's control and audit processes. On that basis the authority determines whether a fine is imposed and how high it will be. If your organisation can demonstrate that it has taken steps to mitigate the risk, for example by using an information or document management solution, it is less likely to be fined. If your organisation has taken no steps, it will be treated as negligent and can count on a hefty fine.

3. Engage your stakeholders

The GDPR ends the free-for-all in processing personal data. Organisations will have more to do in terms of procedures, policies and monitoring, all with the aim of creating a culture of compliance. Depending on their size and type, organisations are affected by the GDPR in many different ways. For some organisations the expected implications are smaller; think of organisations with fewer than 250 employees, which the regulation exempts from some record-keeping obligations as long as their processing is occasional and low-risk. For other organisations, achieving compliance will require a complete change of organisational and operational culture. People tend to resist change, but organisations have an obligation to educate their staff about the new legislation. After all, it concerns their own role in the organisation's processes.

The IT department may implement the best tools available, but support from people is crucial. An information manager should work with all stakeholders to determine which policies and processes must be created and implemented first. Risk assessments and PIAs must be carried out, documented and maintained. For organisations with many systems and processing activities this is very time-consuming; do not underestimate it.

The employees of an organisation are not its only stakeholders. Other organisations that process your data are, as mentioned earlier, very important in this approach and should be involved. To make the approach as smooth as possible, it is wise to set up monitoring, to review policies and processes together with those external parties, and to lay down the arrangements with each processor in a processing agreement.

In brief, what you can, or rather should, do as an organisation:

  1. Map risk
  2. Map information, documents and data
  3. Establish an approach, including an information and document management solution
  4. Involve external parties
  5. Review information strategy (procedures, policies, contracts)

With these recommendations, your organisation can avoid sky-high fines. The recommendations described here cannot be implemented in a few weeks, however. Start in time, before it becomes a race against the clock.

 

Bastiaan Brefeld
Manager Business Development
bastiaan.brefeld@geone.nl
