SBphotos - stock.adobe.com

GDPR gotchas and how to handle them

We look at common problems organisations encounter when dealing with the EU’s General Data Protection Regulation (GDPR), which comes into force on 25 May 2018

There is a common misconception by smaller businesses or companies outside of the European Union (EU) that the General Data Protection Regulation (GDPR) does not to apply to them. 

For example, a GDPR readiness survey, conducted by Vanson Bourne between May and August 2017, found that only 16% of US-based respondents thought they needed to comply.

Even more interesting is that 14% of the worldwide respondents who believed they did not need to comply also admitted to collecting personal data from EU citizens.

Clearly, there is still considerable confusion – and very little time left to clear it up

No half-measures

GDPR is much more inclusive than we’ve seen in other regulations. It covers direct and indirect data, and calls out specific data such as IP addresses as personal data.

The problem is that unless you consider all the personal data covered by the regulation, you risk implementing half-measures that may reduce your penalty, but will not keep you from getting cited and then experiencing a higher cadence of compliance audits and reporting. 

Complying with GDPR requires organisations to make difficult changes to processes, such as mandating notifications and granting data subjects the authority to remove and change personal data. This creates lengthy projects, including re-architecting databases or recoding the operational systems that provide automated messages.

This also creates the need to retrain staff on new or changed processes, and means getting humans to break established habits.

In the Vanson Bourne survey, respondents that were already working towards GDPR compliance estimated that they would become compliant within seven months, on average, and only 10% said they were already fully compliant.

Businesses just beginning a compliance project cannot afford to waste time, and should look for help to accelerate the process. 

Take a measured approach

Some organisations jump right into the Data Protection Impact Assessments (DPIAs) and working with new data protection officers (DPOs) with cross-functional teams, even before they fully understand the regulation.

This can lead to delays and frustration, and cause organisations to consume all the time remaining on research and failed compliance efforts.

Instead, while the impact analysis is underway, take time to implement the simpler upgrades that almost everyone needs to make to become compliant. For example, an upgrade to network security is almost always warranted.

These are the solutions that provide organisations with “situational awareness” and enable preventative, corrective and mitigating actions in near real time – as is specified in the regulation. These are easily deployed and reduce the potential penalties, even if not fully compliant by the deadline. 

A good security model

Waiting to see if the courts decide that GDPR is legal or not is a risky strategy, but some companies are thinking this way.

However, every organisation that complies with GDPR gains the benefits that come with stronger security – including a reduced risk of top-line losses associated with breach-related business disruptions.   

Additionally, GDPR clearly defines a new minimum for data security and privacy. So, with a clear doctrine, and individual and market-wide benefits, GDPR is a good model for modern data security, even if compliance is not mandatory.

Failing to spot the differences

GDPR includes a number of items that are not a part of the current Data Protection Directive and may trip you up if you are not looking for them. Here are some of the more significant new requirements: 

  • Data breach notification: Controllers and processors are now required to notify supervisory authorities within 72 hours of learning of a breach and to notify the people to whom the data applies (data subjects) “without undue delay”. It should be noted that a breach of encrypted data is specifically excluded from notification requirements and so may factor in your compliance strategy. 
  • Explicit consent: GDPR requires that at the time you collect personal data, explicit consent must be given by the data subject. This means organisations can no longer bury generic consent in a long form full of legalese. Instead, organisations must offer specific information on what data is collected, how the data will be stored and processed, and must use clear and plain language. Nothing short of opt-in will do, and it must be as easy to withdraw consent as to give it. 
  • Data transfer out of the EU: Personal data must not leave the EU unless you have approval from the supervisory authority, or where the data subject is informed of the data transfer and associated risks and authorises the transfer. 
  • Data protection officer (DPO) appointment: If you process data on a large scale then you must appoint, hire, assign or contract with a DPO, who is your representative to the supervisory authorities that monitor and ensure compliance with the regulation. The DPO is also the contact for any requests or complaints from data subjects, should lead your compliance activities and handle communication on security policies, assessments, compliance and requests from data subjects and breach notifications, among others. Per the regulation, the DPO reports to the executive level manager and is a two-year appointment that may be extended. 

Read more on IT risk management