Compliance with the EU General Data Protection Regulation (GDPR) begins on 25 May 2018, giving us almost 6 months to finalize GDPR preparations. Doing nothing is not an option.
Doing Something
The exact number of days left can be found here. The site provides an overview of what GDPR means for people, roles, responsibilities and IT systems, plus a free white paper on Office 365 GDPR compliance aids.
Alongside GDPR is the need for strong data and cybersecurity. COBIT 5 will help you prepare. ISACA has a useful article, “ Using ISACA Privacy Principles for GDPR Compliance,” in the public domain that provides all the mappings.
True readiness covers understanding, preparing for and testing out the basic concepts, the legal requirements and the contents of the GDPR preparedness plan.
Please refer to, and use, relevant aspects of both links even if you do nothing else. For more context, read on.
True readiness covers understanding, preparing for and testing out the basic concepts, the legal requirements and the contents of the GDPR preparedness plan.
Basic Concepts
Things that demonstrate basic understanding are realizing the following:
- UK-based organizations must comply regardless of Brexit as the GDPR comes into force prior to the United Kingdom leaving the European Union.
- Even if the organization is not based in the United Kingdom, all organizations processing EU nationals’ data will have to comply.
- Each EU nation will enact its own versions of GDPR, so it is necessary to be aware of and prepare for complying with national variations.
There are 2 useful web sites to which people can refer. This one is for the UK and this is for parts of the EU.
While these are just 2 of several sources, they are a good place to start understanding the demands and complexities of 28 nations domestically enacting one regulation.
Legal Requirements
A global law firm, Norton Rose Fullbright, has a checklist that translates the legal aspects into business language, offering a different perspective to ISACA’s guidance. The PDF can be accessed here. Understanding both will aid an organization’s ability to apply GDPR successfully.
In summary, the key aspects are:
- Territorial scope—Non-EU organizations processing EU citizens’ data (data subjects) must comply with the GDPR and must appoint one or more EU representatives to act on their behalf.
- Supervisory authority—One will exist in each EU country to oversee compliance. The United Kingdom has the Information Commissioner’s Office (ICO) and its guidance on GDPR is publicly available here. The list of corresponding bodies for all EU nations and acceptable third-party nations can be found on the European Commission’s website. The institutions making up the EU administration have their own regulator, the European Protection Data Supervisor.
-
Data governance and accountability—This will require board understanding and support to ensure:
- Performance of privacy impact analyses and privacy by design, including explicit consent from everyone whose data are being held
- Fulfillment of mandatory roles and responsibilities, including reporting where significant risk might be and demonstrating compliance
- Corporate capability through training and enhanced processes that support GDPR and supervisory authority requirements
- Export of personal data—Organizations must map data flows within and external to the group, checking that these are appropriate for GDPR purposes.
- Joint controllers—If more than one organization decides how personal data will be handled, all will be considered joint controllers of the data.
- Processors—The GDPR sets out stringent obligations which, if breached, may lead to financial penalties.
- Lawful grounds to process and consent—The organization must show explicit consent to process data and the ability to act when consent is withdrawn.
- Fair processing information/notices—This involves demonstrating to data subjects why, and for how long, their personal data are needed.
- Data subject rights—This reflects the organization’s ability to provide the personal data held and/or erase them when requested.
- Big data, research and wholly autonomous decision-making—Organizations must ensure that the GDPR is not breached when they use secondary data.
- Personal data breach—Organizations must understand the scope of and build the ability to comply with the new time frames for notification of breaches.
Project Plan
There are still almost 6 months to complete preparations. To ensure the program remains on track, COBIT 5 can be used to assess both the process and the output, as discussed in the COBIT Focus article “ An Appropriate Approach for Program and Project Management.”
If your organization has not begun preparations, figure 1 is an outline GDPR program plan to help you get started.
Figure 1—GDPR Project Plan Outline
Final Words
GDPR breaches are expensive. Keep compliant.
Editor’s Note
This article originally appeared as a blog post on the APMG International website. It has been reprinted here with permission.
Sue Milton, CISA, CGEIT
Is a professional IT auditor and governance specialist who has a profound understanding of the intangible aspects of governance, such as organizational behavior, stakeholder relationships and the interaction between people and IT, that influence the effectiveness of working relationships within and between organizations. During 2015-16, Milton worked with the South African Development Community on managing the intangible risk to governance, with the Asian Development Bank to assist Myanmar’s transition to a market economy, and with APMG International to promote COBIT 5. She now concentrates on the governance challenges of the UK government’s green paper on proposed changes to the nation’s corporate governance code, and the strategic and operational challenges of Brexit, cyberthreats, and the EU General Data Protection Regulation. Milton is a former president of the ISACA London (United Kingdom) Chapter who also lectures and writes articles on governance and IT-related subjects for a range of organizations. She regularly provides business comment to the Institute of Directors’ Policy Unit and provides comment on cybersafety issues to the media.