GDPR is currently a very hot topic. Not because it is new (it isn't: the text was adopted in 2016) or because it is hard, but because there is a lot of uncertainty among business users.
There is a very appropriate phrase in Flemish that describes the current situation perfectly: "panic football". It originally described a team facing elimination in a knockout match that starts playing erratically and frantically; it later came to describe similar situations outside sport. There is a lot of panic football being played when people talk about GDPR.
Don’t worry, be aware and start preparing
GDPR is not a fixed set of technical or governance rules that everyone has to comply with. It obliges data controllers and processors to protect personal data, but it does not specify what those protections should actually be. This is where a lot of the headaches come from: you can't just take the text and apply it.
GDPR states that you have to take "appropriate technical and organisational measures", taking into account the state of the art, the cost of implementation and the risk to the people whose data you process. Simple, and actually very clever. Companies differ in size and financial capability, so mandating one fixed set of measures would only increase the competitive advantage of larger companies: a much smaller company would need a similar budget to comply. There is also no unified data set used by everyone; each company has its own approach, so the differences in what personal data is held, and how, are considerable. Note that "appropriate" is measured against the risk to the data subjects, not only against your budget: a small company holding health or financial data still has to protect it accordingly.
What is the impact then? You will have to work on a proper set of policies and technical controls to demonstrate that you are capable of handling personal data securely. Anyone who already has ISO/IEC 27001:2013 in place will have an easy transition, as there are already a lot of ISO policies on handling data, encrypting data, etc. Anyone who has to start from scratch, however, has some work to do during the current transition period, which ends when the regulation becomes applicable on 25 May 2018.
How to start
Start by drafting an improvement plan and keep it updated as you progress. Add improvement opportunities and schedule them so you can show an auditor or supervisory authority that you are aware of your gaps and are proactively working on them. Even if you have unresolved issues and you are not yet in line with the regulation, you will at least show that you have a plan and a date by which those issues will be fixed.
First on the agenda of your plan should be policies and awareness. Train your employees so they know how to handle personal data, when to escalate to your data protection officer (DPO) and when to stop and seek legal advice rather than act on their own.
Don't start with an all-in-one system if it means a gigantic reversal of your current business processes, or at least be aware of the impact it can have on your employees and provide proper guidance. A more agile way is to start small with basic policies and then keep improving and extending them, with proper communication to and with the people affected.
The following should be in place (at least):
- policies regarding personal data handling.
- disciplinary measures for use in case of violation (inform, formally notify, disciplinary action for serious or repeated violations).
- a formal agreement with each employee, either in the employment contract or in a separate addendum.
- basic technical measures to protect data sources (firewalling, for example).
- maintenance of data sources (mitigating security issues such as bugs by applying security patches).
- rights management: access granted on a need-to-know basis and for a limited time, with grants reviewed and revoked when the need ends.
- optionally: pseudonymisation, anonymisation or encryption of personal data. These are among the measures the regulation names explicitly (Article 32). Certainly when using (cloud) platforms outside your control, make sure that if the provider cannot demonstrate adequate controls (for example through a recognised certification and a processor agreement) you implement your own additional measures, such as encrypting or pseudonymising the data before it leaves your systems, with the keys kept under your own control. Keep in mind that pseudonymised data is still personal data under GDPR as long as you (or anyone) can reverse it; only truly anonymised data falls outside its scope.
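As an added illustration of the last point (this is example code written for this post, not the author's own tooling), the script below pseudonymises customer records before they are sent to a platform outside your control: direct identifiers are replaced by a keyed token, the birth date is generalised to a year, and the mapping back to the person is kept in a separate store that stays on your own systems. It uses only the Python standard library. The record layout (name, email, national_id, birth_date, postcode, plan), the sample records and the fixed key are constructed for the example.

```python
"""Pseudonymise customer records before they leave your control.

Added example for this post, not the author's code; standard library only.
The record layout, the sample records and the key are constructed.
"""
import hashlib
import hmac
import json

# The key stays on your own systems: it is what makes the tokens
# non-reversible for the external platform. In production generate it with
# secrets.token_bytes(32) and keep it in a secrets store; the fixed value
# here only makes the example reproducible.
PSEUDONYM_KEY = bytes(range(32))  # placeholder, constructed for the example

# Fields that identify a person directly and never leave your control.
DIRECT_IDENTIFIERS = ("name", "email", "national_id")


def pseudonym(value, key=PSEUDONYM_KEY):
    """Keyed token (HMAC-SHA256, truncated to 128 bits) for an identifier.

    Stable for the same input, so exported records of one person stay
    linkable for analytics, but not reversible without the key. An unkeyed
    hash would not do: e-mail addresses are guessable, so anyone could
    rebuild the mapping by hashing candidate addresses."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise(record, key=PSEUDONYM_KEY):
    """Split one record into (export_record, reidentification_entry).

    The export record replaces all direct identifiers with a single subject
    token and generalises the birth date to a year. The re-identification
    entry maps the token back to the identifiers and belongs in a separately
    protected store on your own systems, never on the external platform."""
    token = pseudonym(record["email"], key)
    export = {"subject": token}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # dropped from the export entirely
        if field == "birth_date":
            export["birth_year"] = value[:4]  # ISO date -> year only
        else:
            export[field] = value
    lookup = {token: {f: record[f] for f in DIRECT_IDENTIFIERS if f in record}}
    return export, lookup


def reidentify(export, lookup):
    """Restore the direct identifiers from the on-prem lookup store."""
    return dict(export, **lookup[export["subject"]])


def leaks_identifier(export, record):
    """Pre-upload guard: True if any direct identifier value survived in the
    export, e.g. because a free-text field repeated the customer's name."""
    blob = json.dumps(export, ensure_ascii=False).lower()
    return any(record[f].strip().lower() in blob
               for f in DIRECT_IDENTIFIERS if f in record)


# Constructed sample input: both records are the same person, with the
# e-mail address in different casing/spacing as it often arrives from forms.
SAMPLE_RECORDS = [
    {"name": "An Janssens", "email": "An.Janssens@example.com",
     "national_id": "850101-123-45", "birth_date": "1985-01-01",
     "postcode": "2000", "plan": "premium"},
    {"name": "An Janssens", "email": " an.janssens@example.com",
     "national_id": "850101-123-45", "birth_date": "1985-01-01",
     "postcode": "2000", "plan": "premium", "note": "Upgraded plan"},
]


def export_batch(records, key=PSEUDONYM_KEY):
    """Pseudonymise a batch; refuse to produce an export that leaks."""
    exports, lookups = [], {}
    for record in records:
        export, lookup = pseudonymise(record, key)
        if leaks_identifier(export, record):
            raise ValueError("direct identifier present in export record")
        exports.append(export)
        for token, identifiers in lookup.items():
            lookups.setdefault(token, identifiers)  # first seen wins
    return exports, lookups


if __name__ == "__main__":
    exports, lookups = export_batch(SAMPLE_RECORDS)
    print(json.dumps(exports, indent=2))    # safe to send to the platform
    print(reidentify(exports[0], lookups))  # only possible on your systems
```

The two sample records yield the same subject token despite the differently written e-mail address, so the external platform can still count one customer; without the key and the lookup store it cannot learn who that customer is. The key and the lookup store therefore need at least the protection the original data had, and the export is still personal data in GDPR terms; the gain is that a breach at the provider exposes far less.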
To sleep better at night, you could have an external auditor check your status and provide a list of improvement opportunities. Note, however, that there is no official GDPR certificate yet: the regulation foresees certification schemes (Article 42), but none has been established so far, and GDPR itself is a regulation that sets an outcome, not a checklist you can be ticked off against. An ISO/IEC 27001 certificate or an independent audit report is currently the closest you can get to demonstrating compliance.