Now that May 25, 2018 has come and gone, some of the hype around the European General Data Protection Regulation (GDPR) appears to have dwindled. In the weeks leading up to the deadline, you most likely saw a significant increase in e-mail notices about updated privacy policies and requests for consent to continued e-mail communication. One key requirement of GDPR is that organizations clearly communicate their data privacy and retention practices to the individuals whose data they collect. Another is that organizations may only send marketing e-mail to individuals who have consented to receive it (or for whom the organization can document another lawful basis). To be on the safe side, many organizations are extending these privacy protections to all of their customers, regardless of the country in which they reside.
Now that the law is officially in force, it will be interesting to see what changes in the months ahead. The top concern has always been the hefty fines that can be levied against organizations that fail to comply. As predicted, the first organizations affected by GDPR are the large technology companies: on opening day, complaints were filed against Facebook and Google claiming that the companies were in violation of the regulation. Privacy advocates in Europe argued that these industry giants are following the letter of the law while not offering consumers a genuine choice: you can either use the service and agree to let Facebook and Google collect enormous amounts of data about you, or you can stop using the service altogether. GDPR allows the collection and use of personal data that is strictly necessary to provide the service, but requires user consent (or another lawful basis) if the data is used for additional purposes, e.g. advertising or demographic studies.
As we wait to see how these complaints and lawsuits play out in the courtroom, the need to comply with GDPR remains. Although the requirements were announced over two years ago, many organizations are still trying to determine whether and how GDPR applies to them. Some have taken a "wait and see" approach, while others have dedicated resources to the effort, proactively increasing protections on the affected sensitive data and implementing additional security across campus. Some organizations even view GDPR as an opportunity for customer outreach, promoting their commitment to protecting customer data and privacy. The good news is that those who have already worked toward compliance with other audit requirements (e.g. GLBA, PCI, HIPAA, FERPA) should already be on the right track. They may only need to apply similar controls to a different subset of user information and review policies, procedures, and consent forms to ensure they meet GDPR's stricter requirements. For example, if your institution recently went through an assessment or audit using NIST SP 800-171 as a framework, many of the technical security controls GDPR expects (the "security of processing" requirements in Article 32) will already be in place. Note that the privacy-specific obligations, such as documenting a lawful basis for each use of personal data, managing consent, honoring data subject access and erasure requests, and notifying the supervisory authority of breaches within 72 hours, are not covered by a security framework and still need their own attention.
A short GDPR checklist for your institution will include:
- Consulting with your legal counsel
- Establishing a GDPR workgroup or committee
- Identifying all departments and individuals to whom GDPR applies
- Examining current business practices and policies
- Determining where and when personal data is collected
- Identifying who collects the data
- Documenting why that information is being collected and the lawful basis for collecting it
- Documenting data flows and where information is processed and stored within the institution
- Performing an assessment to identify gaps in the protection and security of this data
- Identifying third-party service providers and vendors involved in storing or maintaining protected data
- Recommending strategies to remediate any findings of non-compliance
- Updating breach notification policies
- Reviewing current privacy notices and updating them as needed
- Updating consent mechanisms and forms
- Reviewing processes for locating and deleting student records in response to access and erasure requests
If your organization has questions on how the GDPR applies to you and how to prioritize next steps, please reach out to us.
Some additional guidance from the Security Advisor team below:
[Hobby]: GDPR is now law. Even though it was announced with a two-year runway, many organizations are either still not fully aware of the regulation or are trying to determine its impact, and almost everyone is uncertain of how to interpret GDPR's requirements. While GDPR establishes a set of principles to follow when processing personal data, it's up to each organization to determine how to put those principles into practice, and there simply has not been enough time for industry groups, the courts, and regulators to work out what GDPR means by "reasonable" measures.
That said, we know what GDPR's principles are, and we do have a wealth of experience implementing vague regulations. I think it is safe to say that GDPR compliance will be a journey, not a destination, and we need to make a good-faith effort to move forward on that journey. GDPR requires organizations to have a Data Protection Officer, or DPO. As we are still very early in GDPR's lifecycle, no one is quite sure what skillset a DPO needs. Most organizations don't really have a natural spot for an internal role that interfaces directly with both consumers and regulators, supports departments ranging from marketing to engineering, and is intimately familiar with where the business model requires personal information. The role is further complicated in B2B scenarios, where the DPO represents the customer's customer.
If you've solved this dilemma, congratulations! If you're still struggling with how to address the need for a DPO, one approach is to assign ownership to a cross-functional committee that includes legal, compliance, the business, IT, risk, and other relevant stakeholders. The committee would need a shared commitment to a GDPR roadmap and the full support of senior management. Alternatively, the DPO role could be assigned in an interim capacity to a position in your legal, compliance, privacy, or security organization while your program matures. Either way, be aware that the point of the DPO's office is not to "check a box," but to give the end user a voice in the ethical use of their data.
Once your GDPR program ownership is in place, I would suggest that the first priority be developing actual positions and statements on how your organization observes each of GDPR’s principles. In the development of these positions you will need to account for regulatory guidance, industry views, business risks, corporate ethics, public opinion, etc. As your GDPR program develops, these positions will need to be re-evaluated regularly and adjusted as needed.
I’ll close by returning to the core idea that GDPR is not a set of “check boxes,” but a set of principles we’re expected to make a good-faith effort at following. Our mission is to make that effort.