[BreachExchange] Top 6 steps for GDPR compliance

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 2 20:24:04 EDT 2018


https://www.scmagazine.com/top-6-steps-for-gdpr-compliance/article/754487/

Effective May 25, 2018, the European Union's General Data Protection
Regulation, commonly called GDPR, will become not only the law of the land
in Europe but across the globe. If you do business anywhere in the world
and collect personally identifiable information (PII) on an EU citizen, you
will be subject to GDPR regulations. Remember that GDPR is a privacy
regulation, not a data security regulation, but the former certainly
impacts the latter. Here are the Top 6 steps you need to take in order to
become GDPR compliant. It is important to note that many information
security and privacy experts disagree on the order of the steps, but in
general they agree that these are the most important steps to put in place
as soon as possible.

1. Update your public-facing privacy policy. Your privacy policy is
likely to be the first formal document a regulator will view. If your
privacy policy is out of compliance, the regulator may well assume that
other privacy components are out of compliance too. It is an invitation
to further scrutiny by EU regulators.

2. Know where your data is. GDPR is all about managing PII of EU
citizens. It is essential to know exactly what data you have, where you
have it, how it is protected, and how to access it. If you cannot access
PII, you likely would be subject to a fine. Data flow mapping is a huge
task but essential under GDPR. Incidentally, if you use a customer
relationship management (CRM) application, do disk drive backups or process
various types of data analytics, there could be a lot of hidden PII there
as well. Some experts believe that it is impossible to develop a
comprehensive privacy policy until data flow mapping is in place.

3. Put privacy protection policies in place and follow them. In the
EU, corporate intent often overrides the letter of the law. If your company
has policies and procedures in place for protecting PII and a breach
occurs, regulators likely will be more understanding if a company tries to
do the right thing and follows its policies and procedures. Unlike US
regulations such as PCI DSS, where companies need to follow the letter of
the regulation, the EU views trying to do the right thing as critical to
the process and sometimes more important than actually following the letter
of the law if the former approach protects PII more effectively.

4. Hire a data protection officer. Actually, not every company needs a
data protection officer (DPO). The local coffee kiosk likely would be
exempt, but if your company has a website that collects analytics, sells
to EU citizens or EU companies, or collects demographic data on EU citizens
for any purpose, you definitely need to be GDPR compliant and have a DPO.
That said, whom you name as a DPO — an existing employee, a new employee, a
third party — opens an entirely new can of worms and has its own multiple
levels of considerations.

5. Convert your data collection processes to opt-in. In the U.S.,
most companies offer an opt-out option to individuals and companies when it
comes to collecting and using personal data. In the U.S., if you don't want
to be on a mailing list, you need to tell the list owner and opt out, for
example. The EU requires explicit opt-in consent from the person whose data
is being collected. In addition, the popular Terms of Service (ToS)
document used by U.S.-based companies, which bundles opting in with
unrelated approvals, is not acceptable to EU regulators. According to the
EU, it is not consent if the person has no option other than to
approve a long ToS document.

6. Delete what you do not need. Many US companies have a policy of
collecting as much data as possible about their customers, even if they do
not necessarily know how to use the data at the moment. This policy is not
consistent with GDPR. If you do have data on an EU citizen, be prepared to
request permission from the individual for you to keep the data. EU
citizens have a legal right to ask you to produce on demand any data you
have on the person and for you to delete data at their request. Here is a
simple recommendation: If your company has data on EU citizens that the
company does not require for business purposes, delete it now. If you do
not have the data, it cannot be compromised in a breach and you do not have
to produce it on demand.