General Data Protection Regulation (GDPR) and its impact on US organizations
On May 25th the General Data Protection Regulation (GDPR) from the EU parliament went into effect and made sweeping changes to how data is to be treated.
The EU GDPR was designed to align data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organizations across the region approach data privacy. It also affects how US organizations must treat their data when persons from the EU request to unsubscribe from their database. Policies and procedures need to be adapted to avoid heavy fines and penalties.
After cybersecurity, this has been the major question our clients have been asking of the CIO for Hire and Managed Services practice at Raffa. Increasingly, we see policy updates from websites flooding our inboxes describing changes to their data policies in response to GDPR.
In our research we found industry experts have started to demystify and simplify the 260-page GDPR document into the following areas:
IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER
This is similar to the NIST Cybersecurity Framework 1.1, which can be found here:
https://www.nist.gov/cyberframework. From the NIST website “This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.”
Organizations must be able to identify whether they are considered a data controller or a data processor. If you have a CRM or an AMS, you would be considered a data controller, since personal data is stored in your system. The less common case is a processor, which stores data on behalf of a third party as part of a transaction. Knowing where your data resides and whether it is at rest (stored in the database) or in motion (passing through the system to a third party) helps organizations develop a common practice of regularly reviewing existing and new business processes to identify personal data. This allows an organization to maintain a record of processing activities and to understand how this data is protected. This is covered in article 24 of the GDPR https://gdpr-info.eu/art-24-gdpr/.
Once personal data has been identified, organizations must ensure they adequately protect this confidential data. Encryption and access control are common control standards, but managing encrypted data across multiple business processes is an enormously difficult task. Defined data lifecycle management methodologies are key to helping organizations ensure that EU resident data is stored appropriately. Organizations also need to work with their third-party processors to understand what those processors' GDPR policies and procedures are and how they are protecting EU resident data. This is covered in article 35 of the GDPR https://gdpr-info.eu/art-35-gdpr/.
If an organization does suffer a data breach, it is vital to detect the breach and identify whether personal data was affected. If it was, the organization will be required to notify the necessary supervisory authorities within 72 hours of the discovery. The investigation will focus on identifying further details of the breach through event and incident information from tools such as Data Loss Prevention (DLP). Examples of DLP can be found here: https://en.wikipedia.org/wiki/Data_loss_prevention_software
Data forensics will help identify which data is involved in the breach, at which point the organization may also be required to issue a notice to any affected data subjects. Regardless of the new GDPR guidelines, organizations should have procedures in place for any data breach that define how they will act in the event one is discovered.
Incident response is critical to protecting data, especially EU resident data. In addition to the mandatory data breach notification requirement, organizations must also ensure they have implemented an effective incident response plan. This plan must be regularly tested to ensure that the employees involved in a data breach response are familiar with and fully understand the new legislation, the communication process, and the protocols for reporting a breach. Article 33 of the GDPR covers the notification process and can be found here https://gdpr-info.eu/art-33-gdpr/.
A framework for a security response plan can be found at the SANS institute here: https://www.sans.org/security-resources/policies/general#security-response-plan-policy.
In the event of a data breach, organizations must ensure that they maintain ongoing communication with the relevant authorities. This will ensure that secondary loss factors are managed and that the affected data subjects are regularly informed. Data protection and privacy are paramount to organizations. EU laws are causing changes internationally, and it is imperative to closely monitor those changes, apply them to your business practices, and be prepared for the next wave of threats. This is covered under article 51 and can be found here:
GDPR is new and goes a long way toward creating a global standard for data protection. Understanding the basics is only the first step in determining next steps for your organization. While organizations work out their understanding and update policies and procedures, we advise you to stay up to date on how to interpret GDPR and how it affects your organization. Several organizations are taking this opportunity to examine how they process and store data. They are also examining how to clean that data for better business intelligence and how to clean up outdated information in order to make better business decisions.
To read the full GDPR you can find the link here https://gdpr-info.eu/.
Please contact Kerry Mickelson, CIO for Hire, at Raffa Technology Services with questions about GDPR and potential assistance in determining your exposure and options for compliance, by calling (202) 822-5000 or by completing the form on this page (please indicate “GDPR Compliance” in the form’s comments).
- Post by Kerry Mickelson