EU’s data protection regulations deadline is fast approaching

Law Bulletin columnist

Published: April 16, 2018

The General Data Protection Regulation, or GDPR, will soon be enforced. But how many employees or executive members of your organization know what the GDPR is and why they should care about it? Is it IT’s problem? Is it legal’s problem? Is it sales’ problem? Whose problem is it?

GDPR is a regulation in European Union law that establishes rights and protections for the personal data of EU citizens. GDPR applies to everyone who handles or possesses personal data of EU citizens or otherwise monitors their behavior.

Personal data is any information related to an identifiable natural person in the EU that can be used to identify that person, directly or indirectly. This includes but is not limited to: names, account numbers, photographs, e-mail addresses and IP addresses.

It does not matter if this data was generated by a user entering their personal data or a third party providing personal data.

Although GDPR has been in effect since 2016, it will finally be enforced starting May 25.

GDPR has global reach and applies to personal data of EU citizens originating in the EU, regardless of where the business or the personal data is physically located.

How to achieve compliance

The obligations in the GDPR depend on whether your organization is a data controller or data processor.

• A “data controller” is an entity that determines the purposes and means of the processing of personal data.

• A “data processor” is an entity processing personal data on behalf of a data controller.

In general terms, data controllers and data processors are required to secure personal data. This means (1) ensuring that all personal data is encrypted in transit and at rest, (2) collecting only the minimum amount of personal data required for operational needs, and (3) establishing a “privacy by design” structure.

Privacy by design promotes privacy and data security from start to finish of the database and networks’ design process. Additionally, data controllers are required to verify their data processors are GDPR compliant.

Companies that violate the GDPR can face a maximum fine of up to 20 million euros, or 4 percent of their annual gross revenue, whichever is greater.

To be successful and compliant with the GDPR, this has to be an organizationwide effort with cooperation from the legal, marketing, sales, human resources, IT and finance departments pulled together in a keenly devised and implemented plan.

Once you have your organization leader’s attention, each organization then needs to examine how they identify, categorize and handle personal data. In a perfect world, personal data will be separated by the citizenship of the individuals identified in the data and the location of where the data is collected.

Personal data resides on different systems within your organization and is shared with external parties. Systems that you didn’t previously consider most likely hold GDPR personal data, such as human resources systems and your organization’s shared network drives.

This exploration into your organization’s data wormhole may seem overwhelming, but if you are not certain where you have all GDPR data, then treat all the personal data and systems they reside on as subject to the GDPR. This does not mean that all data in every system needs to be compliant with GDPR; only those systems that contain or may contain EU citizens’ personal data originated in the EU will be walled off for GDPR compliance.

This approach shifts the time an organization would spend identifying EU citizens in each system to additional time for establishing data flows and securing the personal data in all GDPR systems. Once the organization has identified its GDPR systems/data, it is time to develop a dynamic evaluation and implementation plan.

1. Appoint a data protection officer and raise awareness.

A protection officer is required for all data controllers and data processors in any case where (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities consist of processing sensitive data or personal data.

The protection officer must have “expert knowledge of data protection law[s] and practices,” must report to the highest levels of management and not be assigned any other duties that would introduce a conflict of interest. Organizations may appoint single or multiple officers provided that each officer is easily accessible.

Initially, the protection officers will ensure that decision-makers and key members of the organization are aware that the law is changing and that they appropriately anticipate the impact and potential risks of the GDPR. Then the protection officer/officers will team up with human resources and marketing on an awareness campaign conducted throughout the organization.

2. Data flow analysis

All data controllers, data processors and subprocessors shall conduct a data flow audit by documenting and understanding where the data came from, how it was collected, where it is stored and with whom and how it is shared or accessed. This data flow analysis will identify all sources of data, all types of data relationships and what security is placed on the data, both at rest and in transit.

The data flow audit shall also include a data lifecycle from data collection, saving, usage, transfer, processing and storage and archiving to deletion. This is necessary for chain of evidence and should follow your organization’s and contractual record retention requirements.

3. Gap analysis, risk analysis

When all the data flows are complete, a gap analysis between the current status of data protection compliance and the obligations deriving from the GDPR shall be completed. The gap analysis will determine what systems need to be GDPR compliant, what security is required on those systems and prioritize systems for GDPR compliance to arrange the organization’s resources appropriately.

The prioritizations (in no particular order) of the implementation should be determined by weighing, for each system containing personal data subject to the GDPR:

• Risk to operations

• Cost of implementation

• Timeline of implementation

• Legal and regulatory risk

• Potential contact with EU citizens’ personal data originated in the EU

• Rights of the individual whose personal data resides in the system

4. Build an implementation plan and team.

If it is determined from the results of Steps 1 to 3 that the organization is required to implement GDPR security measures, then the protection officer shall use the information gathered in Steps 1 to 3 to build a GDPR implementation plan and a compliance team unique to your organization.

A successful implementation plan should achieve (a) strengthened individual rights to their personal data; (b) strengthened IT and physical security requirements; (c) strengthened governance requirements; and (d) strengthened contractual requirements with customers, consultants and vendors.

5. Implementing GDPR

Along with organizing the compliance team and deploying the implementation plan to comply with GDPR, the organization shall implement:

• A personal data management system, which will include (a) a data protection structure; (b) concepts, policies and standard operating procedures; (c) training applicable employees about their obligations and responsibilities deriving from the GDPR and (d) documentation to demonstrate compliance with the GDPR requirements

• A contract management strategy and system

• A vendor management strategy and system

6. Data protection impact assessment

Thereafter, on an ongoing basis, the protection officer, alone or in conjunction with an outside consultant, shall conduct data protection impact assessments, which shall assess the security, safeguards and governance mechanisms. The assessment procedures are envisioned for mitigating GDPR risk while ensuring the protection of personal data and demonstrating compliance with GDPR.

Upon completing the assessment, the protection officer will report possible gap findings and risks. The officer shall use the gap findings to form an assessment to senior management.

Following the assessment, the protection officer shall assist in the business unit’s implementation of the proposed safeguards and remediation measures.

7. Maintain compliance

The protection officer shall continue to manage compliance by creating and updating policies as GDPR evolves, maintaining controls to implement those policies, auditing and monitoring to ensure the controls operate effectively over time and providing governance to document and communicate the results of the auditing.

The GDPR is not something that should be underestimated, but also is not something to be feared. It is an opportunity for companies with strong information security and governance to excel and for others to improve.

This is the time to break down the barriers within the organization and create partnerships with customers and vendors.

Compliance with the GDPR requires a team effort from the smallest vendor to the largest customer. All GDPR personal data must be secured. The goal is to create and maintain a security shield and achieve GDPR compliance.

Chris Mermigas is senior corporate counsel and data protection officer for Valid USA Inc., which provides solutions in payment, mobile, data and identity solutions as well as digital marketing and digital certification. A John Marshall Law School graduate, Mermigas is an in-house counsel for government and corporations, a legal and IT compliance officer and a certified compliance and ethics professional.