From May 25, 2018, all companies doing business with EU residents must comply with the General Data Protection Regulation (GDPR), but how can companies protect personally identifiable information under GDPR and avoid a penalty for non-compliance?
The General Data Protection Regulation
GDPR is a new regulation in the EU that will force companies to implement policies, procedures and technology to improve the privacy protections for consumers. GDPR also gives EU citizens more rights over the data that is recorded and stored by companies.
GDPR applies to all companies that do business with EU citizens, regardless of whether they are based in the EU. That means a company with a website that can be accessed by EU residents would be required to comply with GDPR.
Personally identifiable information includes a wide range of data elements relating to consumers. Along with the standard names, addresses, telephone numbers, financial and medical information, the GDPR definition includes IP addresses, logon IDs, videos, photos, social media posts, and location data – essentially any information that is identifiable to a specific individual.
Policies must be developed covering data subjects (individuals whose data is collected), data controllers (organizations collecting data) and data processors (companies that process data). Records must be maintained on how data is collected, stored, used and deleted when no longer required.
Some companies are required to appoint a data protection officer (DPO) whose role is to ensure compliance with GDPR. That individual must have a thorough understanding of GDPR, and technical knowledge of the organization’s processes and procedures and structure.
In addition to ensuring data is stored securely and consumers have the right to have their stored data deleted, GDPR will also force companies to disclose data breaches quickly – within 72 hours of a breach being discovered.
Failure to comply with GDPR could result in a heavy fine. Fines of up to €20,000,000 or 4% of a company’s annual revenue are possible, whichever is the greater.
Many companies are not prepared for GDPR or think the regulation does not apply to them. Others have realized how much work is required and have scrambled to get their businesses compliant before the deadline. For many companies, the cost of compliance has been considerable.
How Can I Protect Personally Identifiable Information under GDPR?
GDPR restricts what companies can and cannot do with personal data and requires that it be protected, but it does not prescribe specific controls for protecting personally identifiable information. The technology used to protect data is left to the discretion of each company; there is no standard template to protect personally identifiable information under GDPR.
A good place to start is with a review of the processes and systems that collect and store data. All data must be located before it can be protected, and the systems and processes that handle it must be identified so that appropriate controls can be applied.
GDPR includes a right to be forgotten, so all data relating to an individual must be deleted on request. It is therefore essential that a company knows where all data relating to an individual is located. Controls must also be put in place to restrict the individuals who have access to consumer data. Training must also be provided so all employees are aware of GDPR and how it applies to them.
Companies should perform a risk assessment to determine their level of risk. The risk assessment can be used to determine which are the most appropriate technologies to implement.
Technologies that allow the pseudonymisation and encryption of data should be considered. If data is stored in encrypted form, it is not classed as personal data any more.
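A worked illustration of keyed pseudonymisation with the keys held in a separate store, added here as an example and not code from the original article; the field names, the sample record and the in-memory key store are assumptions. Deleting a subject's key makes every token already derived from it unverifiable, which is one way to support the deletion requests described above without rewriting every copy of the data.

```python
import hashlib
import hmac
import secrets

# Fields treated as identifiers in the constructed sample below (assumption).
PII_FIELDS = ("name", "email", "ip")


class Pseudonymiser:
    """Replace identifiers with keyed HMAC-SHA256 tokens.

    Each data subject gets its own random key, kept apart from the records
    (a dict here; an access-controlled key store in practice). Tokens are
    deterministic per subject, so one subject's records can still be joined,
    while the same value yields different tokens for different subjects.
    """

    def __init__(self):
        self._keys = {}  # subject_id -> 32-byte secret (assumed separate store)

    def _key(self, subject_id):
        return self._keys.setdefault(subject_id, secrets.token_bytes(32))

    def token(self, subject_id, field, value):
        msg = f"{field}:{value}".encode()
        return hmac.new(self._key(subject_id), msg, hashlib.sha256).hexdigest()

    def pseudonymise(self, subject_id, record):
        """Return a copy of record with PII_FIELDS replaced by tokens."""
        out = dict(record)
        for field in PII_FIELDS:
            if field in out:
                out[field] = self.token(subject_id, field, out[field])
        return out

    def forget(self, subject_id):
        """Erasure: drop the key, so existing tokens can no longer be linked."""
        self._keys.pop(subject_id, None)

    def matches(self, subject_id, field, value, token):
        """True only while the subject's key exists and value maps to token."""
        if subject_id not in self._keys:
            return False
        return hmac.compare_digest(self.token(subject_id, field, value), token)


# Constructed sample record, not taken from any real system.
SAMPLE = {"name": "Alice Example", "email": "alice@example.com",
          "ip": "203.0.113.7", "plan": "basic", "country": "IE"}
```

Non-identifying fields such as `plan` and `country` pass through unchanged, so aggregate reporting still works on the pseudonymised copy.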
Companies must consider implementing technology that improves the security of the systems and services that process data, mechanisms that allow data to be restored in the event of a breach, and policies for regularly testing security controls.
To protect personally identifiable information under GDPR, organizations must secure all systems and applications used to store or process personal data and have controls in place to protect IT infrastructure. Systems should also be implemented that allow companies to detect data breaches in real time.
Compliance with GDPR is not something that can be left to the last minute. May 25 is a long way off, but given the amount of work involved in compliance, companies need to be getting to grips with GDPR now.