Top Priorities on Your GDPR Compliance Roadmap

europe-2021308_1280
Post Published On: March 25, 2018

With only a handful of months left before the General Data Protection Regulation (GDPR) comes into effect, organizations are welcoming 2018 with a tinge of uncertainty. While some are reasonably confident about their GDPR readiness, a vast majority is still trying to catch up and understand the changes that GDPR will imply for their business. Ingram Micro has launched a suite of GDPR solutions that our partners can leverage and execute in the market. Be sure to go over the Ingram Micro GDPR Solutions Sheet to gain a comprehensive understanding of how we help you approach GDPR. This article is written to help you get started with your GDPR strategy and compliance roadmap.

1. Understand GDPR
GDPR was drafted with the core intentions of giving European Union individuals control over their personal data, and fostering harmony across EU Member States in their approach to data privacy. Let us understand the dimensions involved:
– Who – GDPR aims to protect EU individuals – ie EU citizens and residents, even if they are not present in the EU physically.
– What – GDPR protects the personal data and sensitive personal data of EU individuals. Personal data is defined in GDPR as any information relating to an identified or identifiable natural person. Examples are name, email ID, IP address, etc. GDPR further identifies certain categories of personal data which are called “sensitive personal data”. This includes data revealing racial or ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic or biometric data, and health data.
– How – The Regulation consists of 99 Articles and 173 Recitals which lay out the rights of EU individuals (called Data Subjects) and the obligations on organizations.
– When – GDPR is effective 25 May, 2018 onwards

2. Find out if GDPR applies to Your Organization
Quite broadly, GDPR will apply to you if you are a controller or a processer of personal data or sensitive personal data of an EU data subject. Review the criteria laying out the material and territorial scope of GDPR
– Established in the European Union and processing the personal data of EU individuals.
– Not established in the EU, but processing personal data of EU data subjects in relation to offering them goods and services.
– Not established in the EU, but monitoring behavior of EU data subjects, as long as the behavior occurs in the EU.

If any of the above criteria applies to your organization, then GDPR is applicable to you. The last two criteria may have a tremendous impact on organizations without a physical presence in Europe, because they fall within GDPR scope.

3. Obtain Senior Management Commitment
Naturally, senior management’s understanding and support is a key factor for the success of your GDPR program. Equip your management with a good understanding of the Regulation and how it applies to your organization. Explain the financial implications of non-compliance. The magnitude of fines prescribed in GDPR is so high that it presents in its own right a very compelling case for compliance. Depending on the nature of the infringement, fines for non-compliance can be as high as:
– € 10 million or 2% of total annual worldwide turnover – whichever is higher
OR
– € 20 million or 4% of total annual worldwide turnover – whichever is higher.

4. Develop a GDPR Compliance Roadmap
We present herewith a four phased indicative approach to GDPR compliance that may serve as a reference for your own organization. In each phase, the top priorities are discussed.
Phase 1. Assess
Gather as much data as possible about the data processing operations of your organization. Document existing controls, strengths and weaknesses, and identify areas where further action will have to be applied.
Top Priorities in this Phase:
– GDPR Data Processing Principles: Start with a scoping exercise to document the lifecycle of all forms of personal data that are stored, processed, transmitted within your business processes. Ensure these business processes are aligned with the GDPR Data Processing Principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, data integrity and confidentiality.
– Hire a DPO: Find out if you need to recruit a Data Protection Officer (DPO). A DPO is mandatory if your organization is a public body or the primary activities of your organization comprise of large scale processing of sensitive personal data or regular, systematic and large scale monitoring of EU individuals.

An Oxford University study has revealed that the most eminent credentials for a DPO to hold are Certified Information Privacy Professional/Europe and Certified Information Privacy Manager (CIPM). Ingram Micro has joined up with IAPP to offer trainings and certification exam vouchers for both these key certifications.

Phase 2. Design
Based on the identified weaknesses from Phase 1, design organizational and technical controls that will suitably address them. Privacy by Design and by Default are two key priorities in designing your controls ecosystem.
Top Priorities in this Phase:
– Privacy by Design: Privacy by design aims at maximizing the effectiveness of privacy controls by implementing them right at the early or conception stages of a system. In very simple terms, ensure that the data privacy is an inherent aspect of any system or network component that interacts with personal or sensitive personal data.
– Privacy by Default: Privacy by default establishes a minimum baseline of privacy against which system and network components must be compliant. This will permit only the minimum leeway for infringement of the Regulation.

Phase 3. Implement
In this phase, you will execute the controls that were designed in the preceding phases. Two sample priorities in the implementation phase are as follows – enabling data subjects to exercise their new rights under GDPR, and overseeing compliance of cross-border transfers of personal data.
Top Priorities in this Phase:
– Data Subject Rights: GDPR empowers data subjects with a host of new rights including the Right to Object to data processing, Right to Data Portability to other organizations, Right to Access a copy of their data in your possession, etc. Ensure your organization has appropriate channels in place via which your end-customers can reach you in order to exercise their rights. For example, setting up a web-page or telephone helpline via which they can submit data access or data portability requests might be a necessary action.
– Cross-Border Data Transfers: GDPR brings a change to the way in which data may be transferred to countries not deemed as offering “adequate” levels of data protection within their regions. Ensure you have a complete list of third party service providers, customers, vendors, etc. in other countries to whom you transfer personal data. Ensure the transfer is based on a legitimate basis as per GDPR. Examples are having the explicit consent of the data subject, compelling legitimate interests of your organization as a data controller, etc. which render the data transfer absolutely necessary.

Phase 4. 
Sustain
Ensure continued and on-going maintenance of GDPR compliance. One of the key concern areas is around reporting security breaches to stakeholders. GDPR has clear requirements in case a security breach occurs:
Top Priorities in this Phase:
– Breach Notification: A personal data breach occurs when the confidentiality, integrity and/or availability of personal data is compromised as a result of accidental or deliberate actions. If you are a data processor, processing with personal data on behalf of another company, ensure you notify them without undue delay. If you are a data controller, notify the Data Protection Authority (DPA) of your Member State within 72 hours of being made aware of the breach. In some cases, you might have to notify the affected Data Subjects if the breach is likely to cause a significant risk to their rights and freedoms.

Author: Praveen Joseph Vackayil, Ingram Micro Cyber Security Consultant and Trainer