In the current environment of increasingly aggressive malicious actors looking to infiltrate systems for monetary gain, protecting customer data remains at the top of every major corporation's priority list. As software companies, we are stewards of that data and must ensure our processes and technology are designed to keep our customers' trust and to comply with the regulations of the countries in which we operate; there is no point at which security is "done".
Data privacy rules in the U.S. differ from those in the EU. The US has a patchwork of legislation to protect customer data and ensure privacy: the Privacy Act of 1974 (which binds federal agencies), sector-specific laws such as HIPAA, and, until the Court of Justice of the EU invalidated it in October 2015, the US-EU Safe Harbor framework for transatlantic transfers. Most American CIOs are aware of these. The EU, by contrast, has adopted a single set of rules that applies across its member states, the General Data Protection Regulation (GDPR), which applies from May 25, 2018.
Under the GDPR, a company that becomes aware of a personal data breach must notify its supervisory authority within 72 hours (and must give reasons if it notifies later than that), and must also inform the affected individuals without undue delay when the breach is likely to put them at high risk. Companies must also keep records of their processing so that they can confirm to customers whether their data is being used and how, provide a copy of that data on request, and erase it when asked.
It is critical to understand the GDPR's principles and set up the necessary infrastructure to ensure compliance, or risk facing steep penalties. Fines are tiered. The top tier, up to €20 million or 4 percent of worldwide annual turnover (revenue, not profit) for the preceding financial year, whichever is greater, applies to breaches of the core principles, such as processing without a valid legal basis or sufficient consent and ignoring data subjects' rights. A lower tier, up to €10 million or 2 percent, covers obligations such as keeping records of processing in order and notifying the authority and the data subject about a breach.
So what's the main takeaway? If you have offices in the EU, plan to expand into member countries, or process the personal data of people in the EU even from outside the EU (the regulation turns on where the data subject is, not on citizenship), you'll need to be prepared. And, even with Brexit impending, it's likely that the UK will adopt the same regulations. Following are several practical tips for preparing for GDPR compliance:
1. Designate a data protection officer
The GDPR mandates the appointment of a data protection officer (DPO) for public authorities and for any company whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (health, biometrics, political opinions and the like) or criminal-conviction data. The DPO's primary job is to ensure compliance with the regulation. This person should be an expert on data protection law, business practices, and technology and security, and the Article 29 Working Party's guidance suggests that, as a rule, the DPO should be located in the EU. Suffice it to say that individuals with this skillset can be difficult to find: start recruiting as soon as possible!
The DPO should be involved in every aspect of protecting data, from the beginning of system development and throughout the process, in a key decision-making role, and should report to the highest level of management. The DPO can be an existing employee or be appointed from an external source; however, the guidance treats senior management roles, including the entire C-suite as well as the heads of marketing, HR and IT, as conflicted, because a DPO cannot independently audit decisions they take themselves. Furthermore, requirements, solutions and risks will differ based on the type of data, so while the regulation envisages a single named DPO, you may need a team of privacy officers specialized in different types of data or business processes (HR data, health data, financial data, marketing data, etc.), just as a CISO may have a team of security experts specialized in different areas.
2. Conduct an annual privacy impact assessment
A Privacy Impact Assessment (PIA), which the GDPR calls a Data Protection Impact Assessment (DPIA) and requires before any processing that is likely to result in a high risk to individuals, is a systematic process to assess how customers' personal data (personally identifiable information, PII, in US terms) is collected, used, maintained and disclosed, to ensure it is adequately protected. Working with your DPO, conduct the assessment throughout the development lifecycle of a system, and above all before you start collecting data in the first place; revisit it whenever the processing or its risks change. When risks are identified, the GDPR expects you to employ measures to address them, such as pseudonymization and encryption, continuity plans, or backups of the data. Risk may sit with technology (security of the network, vulnerabilities in the software) or in the organization and the people (access management, background checks, dissemination of the data, etc.).
This should sound familiar: organizations can reuse much of their existing security audit and risk management procedures and tooling. Privacy risks and requirements must be added to the mix, though, and remember that if security is about who has access to the data, privacy is about what you do with the data you have access to. Assuming security is good, the main risk sits with the way you use the data.
3. Strengthen datacenter security
It is without question that you should already be putting IT security measures in place to prevent data breaches; however, with the GDPR you must also have the infrastructure to detect an incident, investigate it, notify the authority within the 72-hour window, and remediate it. The clock starts when you become aware of the breach, so centralized logging retained long enough for forensics and a tested incident response plan are compliance requirements, not just good practice. Securing data transfers (whether file transfer, API calls, or physically moving data on a USB stick, which you should avoid regardless) will not be enough. You will also need strong perimeter security and monitoring for the data stored internally: network segmentation (a DMZ for exposed services), intrusion detection, data loss prevention, and physical security. Encryption at rest matters doubly here: the GDPR waives the duty to notify affected individuals when the breached data was rendered unintelligible to the attacker, for example properly encrypted with keys that were not themselves compromised.
4. Get the right team together (internally and externally)
Well before the May 2018 deadline, it is critical that your legal, compliance, finance and IT security teams are in sync to ensure all current data partners and vendors are in compliance, and also to ensure the correct processes are in place for contracting future work.
It is critical that future vendors meet the same strict technical requirements in terms of datacenter security and encryption, and also the data residency and location guidelines. Obligations cascade from controllers to processors to sub-processors: a processor may only engage a sub-processor with the controller's authorization, and it remains fully liable to the controller for the sub-processor's performance, so each level is accountable both for the level below and for the choice of it. You'll need to get your paperwork in order. Many companies are implementing model clauses in vendor contracts to ensure data protection requirements are met, as well as mechanisms such as binding corporate rules (which let regulators sign off on programs that allow companies to transfer EU data around the world) or the Privacy Shield to ensure cross-border compliance. Treat any transfer mechanism as something to re-validate periodically rather than a one-time decision: Safe Harbor was struck down by the Court of Justice of the EU in 2015, and its successor, the Privacy Shield, was invalidated by the same court in July 2020.
Overall, your goal should be accountability: protect your customers' data and earn their trust. As you develop systems that process customer data, employ the principles of "privacy by design," proactively embedding data protection in your processes, and "privacy by default," using methods that minimize identifiability, observability and linkability unless a purpose requires otherwise, and don't forget to include your ecosystem of partners and vendors.
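The following is an added illustration, not code from the original article, of what "privacy by default" and the erasure right discussed above can look like in a data pipeline: direct identifiers are replaced by keyed pseudonyms (HMAC-SHA256 under a per-subject random key, so the pseudonym cannot be recovered by guessing e-mail addresses), quasi-identifiers are coarsened before records reach analytics, and an erasure request is honoured by destroying the subject's key, after which existing pseudonyms in downstream tables are unlinkable. The `PseudonymVault` class, the field list and the sample customers are all constructed for this example.

```python
"""Added illustration of privacy by default: keyed pseudonymisation, data
minimisation, and erasure by key destruction. All names and sample records
below are constructed for this example."""
import hashlib
import hmac
import secrets
from typing import Optional


class PseudonymVault:
    """Maps a subject identifier (e.g. an e-mail address) to a pseudonym.

    pseudonym = HMAC-SHA256(per-subject random key, normalised identifier).
    A plain hash of an e-mail address is trivially reversible by guessing
    addresses; the random key removes that attack. The key table is the only
    way back to a person and must live in a separately access-controlled store.
    """

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}      # identifier -> per-subject key
        self._reverse: dict[str, str] = {}     # pseudonym  -> identifier

    @staticmethod
    def _normalise(identifier: str) -> str:
        return identifier.strip().lower()      # same person maps to one key

    def pseudonymize(self, identifier: str) -> str:
        ident = self._normalise(identifier)
        key = self._keys.get(ident)
        if key is None:
            key = secrets.token_bytes(32)
            self._keys[ident] = key
        pseudonym = hmac.new(key, ident.encode("utf-8"), hashlib.sha256).hexdigest()
        self._reverse[pseudonym] = ident
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only possible while the subject's key is still held."""
        return self._reverse.get(pseudonym)

    def erase(self, identifier: str) -> bool:
        """Honour an erasure request by destroying the key (crypto-shredding).

        Pseudonyms already copied into analytics tables remain syntactically
        valid but can no longer be linked to anyone, and a later pseudonym for
        the same identifier is computed under a fresh key, so it differs."""
        ident = self._normalise(identifier)
        if self._keys.pop(ident, None) is None:
            return False
        for p in [p for p, i in self._reverse.items() if i == ident]:
            del self._reverse[p]
        return True


# The only fields the analytics pipeline is allowed to receive (minimisation).
ANALYTICS_FIELDS = ("pseudonym", "country", "age_band", "plan")


def age_band(age: int) -> str:
    """Coarsen an exact age to a 10-year band to reduce linkability."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def minimize_for_analytics(record: dict, vault: PseudonymVault) -> dict:
    """Pseudonymise the direct identifier, coarsen the age, and drop every
    other field (name, postal code, raw e-mail) before the record leaves
    the system of record."""
    out = {
        "pseudonym": vault.pseudonymize(record["email"]),
        "country": record["country"],
        "age_band": age_band(record["age"]),
        "plan": record["plan"],
    }
    return {k: out[k] for k in ANALYTICS_FIELDS}


# Constructed sample data (not real customers).
SAMPLE_CUSTOMERS = [
    {"email": "Alice@Example.com", "name": "Alice", "age": 34,
     "postal_code": "75001", "country": "FR", "plan": "pro"},
    {"email": "bob@example.com", "name": "Bob", "age": 52,
     "postal_code": "10115", "country": "DE", "plan": "free"},
]


def demo() -> dict:
    """Run the pipeline, then process an erasure request for Alice."""
    vault = PseudonymVault()
    rows = [minimize_for_analytics(c, vault) for c in SAMPLE_CUSTOMERS]
    alice = rows[0]["pseudonym"]
    before = vault.reidentify(alice)          # "alice@example.com"
    vault.erase("alice@example.com")
    after = vault.reidentify(alice)           # None: link destroyed
    fresh = vault.pseudonymize("alice@example.com")  # new key, new pseudonym
    return {"rows": rows, "before": before, "after": after,
            "old_pseudonym": alice, "new_pseudonym": fresh}


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice: the key table is itself personal data and needs the strictest access control and audit logging of anything in the system, and aggregated analytics built on old pseudonyms survive an erasure unchanged, which is what makes key destruction a workable way to honour erasure requests at scale.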