Many people are finding themselves faced with the need to familiarize themselves with a topic that pertains to everyone — data protection and privacy — even though most have not specialized in it. In April 2016, the General Data Protection Regulation (GDPR) was passed into law in the European Union. The goal of the law is to give individuals control over their own data. While GDPR became law in 2016, it won't become enforceable until May 25, 2018. In this post, we'll explore the universe of GDPR and provide some resources to help you prepare.
So, why is everyone freaking out over this law, particularly if a company is not in the EU? GDPR is composed of 99 articles and 173 recitals that are used to help interpret the law — that's a lot of elements! What's scarier is the sanctions for noncompliance can be a fine up to €20 million (approximately $24.6 million) or up to 4% of the annual worldwide turnover (net sales generated by a business) of the preceding financial year, whichever is greater.
The "whichever is greater" is where most gasp a little. GDPR affects any business that operates in the EU and foreign companies that process the data of EU citizens. In our global economy, this is virtually every business. Furthermore, business must flow these requirements down to all their vendors.
The prospect of digging into this does seem daunting. So, where to start? First of all, breathe. While this is a large undertaking, there are many resources available.
1. Consider a training course. There are several avenues for training, and more become available each week. I'm lucky enough that my senior management team saw the importance of investing in sending someone to training so that our organization was educated, and we would be able to work with our customers to meet their GDPR compliance needs as well as our own.
I went to London and took the DPO Ready Track offered by the International Association of Privacy Professionals (IAPP). This was a four-day training and consisted of the Certified Information Privacy Professional/Europe (CIPP/E) and the Certified Information Privacy Manager (CIPM) courses. IAPP also offers these trainings online in a self-paced course. If you have the budget, I would highly recommend this option. There are consulting firms, training companies, and privacy vendors that also offer GDPR training.
If you don't have the budget to attend a course, consider webinars. If you are able to attend an in-person course like those mentioned above, you may consider augmenting that with webinars as well. TrustArc, OneTrust, and Nymity have a comprehensive series of webinars that are available on their websites. The nice thing about webinars — in addition to being free — is that you can watch them from anywhere, at any time, as long as you have an Internet connection.
2. There are a few books that have been written on GDPR, but... Personally, the handful of books I have read on the topic reminded me of the early PCI DSS books that were not much more helpful than reading the standard itself. Most books are out of date before they even hit the virtual book shelves. I've found online articles, following the news feed from IAPP, and the guidance from the Article 29 Working Party advisory board and the Information Commissioner's Office (ICO) out of the UK to be more helpful.
3. There are many other online resources and tools that are very helpful. If you are unsure if you need a data protection officer, there are flow charts online to help you step through the requirements to determine if you need to appoint or hire a resource. Also available with a quick online search are checklists and templates. Nymity has a very nice GDPR Compliance Toolkit available for download.
Augmenting your knowledge with tools to assist in executing on some of the more daunting tasks for GDPR is a great way to help your organization meet the requirements. If you don't have processes and tools in place to address tasks such as process mapping performing privacy impact assessments (PIAs) and data protection impact assessments (DPIAs), vendor tools may be a solution. I joke that for Christmas I got the TrustArc Data Flow Manager and Assessment Manager Modules from our chief security officer and our VP of finance. These tools have proven invaluable to me. We decided to go with TrustArc for several reasons. However, I evaluated the solutions from OneTrust and Nymity as well. I highly recommend evaluating the solutions that best meet your needs.
4. If you're not an attorney, identify your limits in terms of knowledge and ability. I have a very strong information security and compliance background and, before my training for GDPR, some privacy training; however, I'm not an attorney and have not gone to law school. I'm well aware of the boundaries of my knowledge and do not hesitate to work with our senior management to engage our outside counsel when necessary. For example, one instance where we deferred to our attorneys is when we had to write a data processing addendum (DPA), which is a formal legal contract required under GDPR that outlines the roles and responsibilities of data controllers and processors.
5. Last but not least, reach out to your peers. Many of us are working through the onslaught of requests for information on how our companies will meet the requirements of GDPR as well as reaching out to all our vendors to ask the dreaded question, "What are you doing to meet the requirements of GDPR?" Seek support from peers to discuss your questions, worries, confusion, and frustration.
- GDPR Compliance: 5 Early Steps to Get Laggards Going
- It's Not What You Know, It's What You Can Prove That Matters to Investigators
- GDPR: Ready or Not, Here It Comes
- We're Still Not Ready for GDPR? What Is Wrong With Us?
Join Dark Reading LIVE for two cybersecurity summits at #Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop ITX 2018 security track here. Save $200 off your conference pass with Promo Code 200MC.