As the years go by, there is increasing focus on the protection of personal identity information around the world. Over time we have seen new regulations such as US HIPAA, US GLBA, Canada’s PIPEDA, the EU Data Protection Directive 95/46/EC, and others around the world. The latest, most comprehensive, and the one that is the front and center of concern to organizations globally is the EU General Data Protection Regulation 2016/679 (GDPR), which replaces the former directive. While this is an EU regulation, it has a global impact. All organizations – wherever they are in the world – that own or process the personally identifiable information (PII) of EU data subjects must comply with the Regulation. GDPR is not sector-specific, unlike privacy laws in other parts of the world (notably the US and Canada). It applies in all contexts and across all sectors. It is extra-territorial which means it applies everywhere in the world (so long as an EU data subject PII is involved).
The GDPR strengthens and unifies data protection of individuals in the EU. Where the former directive required each country to pass national legislation that was not consistent, the GDPR is a regulation and does not require further national legislation.
Full compliance for organizations starts May 25, 2018, and applies to any organization that stores, processes, or transfers the personal data of EU data subjects. It does not matter if the organization resides in the EU. Fines can be stiff, going as high as €20 million or 4% of global revenues of an organization, whichever is greater.
The regulation defines personal data as: “Personal data is any information related to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
To be compliant and mitigate the risk of data protection incidents, organizations should:
- Establish a Data Processing Officer. In fact, this is required in the regulation (Articles 37-39) for all public authorities and organizations that are processing more than 5,000 data subjects in a 12-month period. This role is also called a Chief Privacy Officer.
- Define & Communicate Policies & Procedures with Training. The foundational component of any compliance program is outlining what is expected of individuals, business processes, and transactions. This is established in policies and procedures that need to be communicated to individuals and proper training.
- Document Data Flows & Processes. Organizations should clearly document how individual data is used and flows in the organization and maintain this documentation in context of organization and process changes. This is a key component of managing information assets of individuals.
- Conduct Data Privacy Impact Assessments. The organization should do regular privacy impact assessments to determine risk of exposure to non-compliant management of personal identity information. When events occur, the regulation specifically requires (Article 35) a data protection impact assessment. A new data privacy impact assessment is required if there is a change in the nature, scope, context or purposes of the organization’s processing of PII.
- Implement, Monitor & Assess Controls. Define your controls to protect personal data and continuously monitor to ensure these controls are in place and operating effectively.
- Prepare for Incident Response. The regulation requires data breach notification to supervisory authorities within 72 hours of detection. Organizations need defined processes in place and be prepared to respond to, contain, and disclose/notify of breaches that occur in the organization or those that may have occurred by the data processor.
- Data Privacy by Design. Each new service or business process that makes use of personal identity information within your organization must take the protection of such data into consideration when designing new or updating operational processes and technology builds.
- Ensure Third Parties are Compliant. Many data protection breaches happen with third-party relationships (e.g., vendors, contractors, outsourcers, law firms, and service providers). Organizations need to make sure their third parties are compliant as well and follow strict policies and controls that are aligned with the organizations policies and controls. These data processors now have legal liability under GDPR and have direct legal compliance obligations. One additional requirement is the data processor cannot use a ‘fourth party’ to process any personal identity information without obtaining prior authorization from their client (i.e. data controller).
It is this last bullet, the requirement to ensure third parties are compliant, that is becoming one of the most challenging elements for organizations in GDPR compliance. The dependence on third parties processing data for organizations is becoming critically important and common. Competitive markets are forcing companies to evaluate and potentially outsource more processing to specialist and cost efficient providers to improve margins and/or become more agile in product and service delivery. These third parties who either process employee or customer data need to safeguard this information, particularly in the scope of GDPR. Third party suppliers represent some of the weakest links to a company’s employee and customer data. More than 63% of data breaches can be attributed to third parties, but the organization is still accountable and liable for these breaches.
Organizations will need to take a much stricter approach when dealing with third parties in context of GDPR as they need to ensure that potential contractors handle data privacy and security in a way that is compliant to the regulation. Organizations need to complete due diligence and question their third parties’ data handling practices, how they store and delete data, who has access, their encryption policies, and essentially anything relevant to how applicable structured and unstructured digital data is handled and processed. This will also require more documentation and audit trail capabilities in order to be able to demonstrate compliance to the regulators and their EU data subjects.
This is a program that needs to be managed on a continuous basis to be compliant and minimize risk of exposure in the GDPR regulation in context of third party relationships. Organizations that attempt to manage this in documents, spreadsheets, and emails will find that this approach will lead to inevitable failure. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that are difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active data protection risk monitoring.
The Bottom Line: To address GDPR compliance in third party relationships, organizations should avoid manual processes encumbered by documents, spreadsheets, and emails. They should look to implement a solution that can manage the assessment, communication, and awareness of GDPR requirements and processes in and across third party relationships to manage compliance consistently and continuously in the context of distributed and dynamic business.
GRC 20/20 GDPR Resources
- Managing Third-Party Risk in the Age of GDPR, May 1 @ 11:00 am – 12:00 pm CDT