From May 2018, when the upcoming EU GDPR (General Data Protection Regulation) comes into force, the requirements for managing personal data will change. The scope of this regulation is very broad: it affects almost all organizations, including those outside the EU, that hold personal data on EU residents. The requirements for maintaining consumers’ privacy are significantly more stringent under this new framework. This report identifies six key actions that IT needs to take to prepare for compliance.
- Discover the PII data – the first and most important step is to discover the Personally Identifiable Information (PII) that is held in your IT systems. This data is likely to be distributed across systems, applications and directories, and some may be held in unstructured form. Until you have found this data you cannot implement appropriate controls or test that they are working. Tools such as DLP (Data Loss Prevention) products, which can scan databases, shared drives and endpoints, can help to find this data.
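As an added illustration of the discovery step (example code written for this page, not a product or tool the report describes), the script below does what a simple DLP content scan does: it walks a set of locations, matches PII patterns in structured and unstructured content, validates candidate card numbers with the Luhn checksum so that digit runs such as order references are not reported, and produces an inventory in which the findings are masked so the report does not become another copy of the data. The corpus, locations and values are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample corpus standing in for the databases, shares and mailboxes
# a DLP scan would cover: {location: content}. None of these values are real.
SAMPLE_CORPUS = {
    "crm/customers.csv": "id,name,email\n1,Alice Example,alice@example.com\n",
    "shares/finance/notes.txt": (
        "Paid with card 4111 1111 1111 1111. "
        "Internal order ref 1234 5678 9012 3456 (not a card)."
    ),
    "mail/inbox/msg-17.eml": "From: bob@example.org\nSubject: meeting\nNo personal data here.\n",
}

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13 to 19 digit runs, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    location: str
    kind: str
    masked: str  # only the tail of the value is kept, so findings can be triaged safely


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Replace everything but the last four characters with asterisks."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(location: str, text: str) -> list[Finding]:
    """Scan one piece of content (a file, a database export, a mail body)."""
    findings = []
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding(location, "email", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding(location, "card_number", mask(digits)))
    return findings


def scan_corpus(corpus: dict[str, str]) -> list[Finding]:
    findings = []
    for location, text in corpus.items():
        findings.extend(scan_text(location, text))
    return findings


def summarize(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Inventory by location and PII type: the input to the access-control work."""
    summary: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in findings:
        summary[f.location][f.kind] += 1
    return {loc: dict(kinds) for loc, kinds in summary.items()}


if __name__ == "__main__":
    for f in scan_corpus(SAMPLE_CORPUS):
        print(f"{f.location}: {f.kind} {f.masked}")
    print(summarize(scan_corpus(SAMPLE_CORPUS)))
```

The Luhn check is the part worth copying: a scanner that reports every 16-digit number will bury the real findings under invoice and order numbers, and the inventory that feeds the later access-control and consent work is only useful if its false-positive rate is low.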
- Control Access – it is the responsibility of the Data Controller and the Data Processor to ensure that PII data is only accessed in accordance with the consent given by the data subject. This requires that there must be controls over access to the data and that these controls must both enable authorized access and prevent unauthorized access. The controls must also allow for requests from the data subject to see and correct any data held on them. The controls must cover application access to structured data as well as individual access to unstructured data held in spreadsheets, documents and emails. They must also limit the way in which the data can be aggregated.
- Manage consent – where the consent of the data subject is required for processing, this consent must be freely given, informed, and unambiguous for each purpose. Consent may be withdrawn by the data subject at any time. Applications that collect PII may need to be revised to ensure that these requirements are met. The burden of proof for demonstrating consent lies with the Data Controller / Data Processor. Therefore, organizations must have processes and technology to track the consent lifecycle for each data subject and purpose, potentially at the data field level. Access controls to the data must be linked to this consent.
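The following added example (written for this page; it is not code from the report or any product it mentions) shows one way to link access control to consent as the item above requires: a registry records each consent per subject, purpose and field together with the evidence it was captured with, withdrawal ends the consent from that moment, a data store releases only the fields covered by an active consent for the stated purpose, and every decision is written to an audit trail so the controller can later demonstrate the basis of each access. It models only purposes for which consent is the lawful basis, and the subject ids, purposes, timestamps and record values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Consent:
    subject_id: str
    purpose: str                  # one consent per purpose, never a blanket consent
    fields: frozenset             # the data fields this consent covers
    granted_at: datetime
    evidence: str                 # where it was captured, e.g. form id and wording version
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        return self.granted_at <= when and (self.withdrawn_at is None or when < self.withdrawn_at)


@dataclass
class AccessDecision:
    when: datetime
    subject_id: str
    purpose: str
    granted: tuple   # fields released
    denied: tuple    # fields requested but not covered by an active consent
    basis: tuple     # evidence of the consents relied on; empty means no consent


class ConsentRegistry:
    """Tracks the consent lifecycle per subject and purpose, down to field level."""

    def __init__(self) -> None:
        self._consents: list = []
        self.audit: list = []

    def grant(self, subject_id, purpose, fields, when, evidence) -> None:
        self._consents.append(Consent(subject_id, purpose, frozenset(fields), when, evidence))

    def withdraw(self, subject_id, purpose, when) -> int:
        """Withdrawal closes every active consent for that subject and purpose."""
        closed = 0
        for c in self._consents:
            if c.subject_id == subject_id and c.purpose == purpose and c.active_at(when):
                c.withdrawn_at = when
                closed += 1
        return closed

    def active_consents(self, subject_id, purpose, when) -> list:
        return [c for c in self._consents
                if c.subject_id == subject_id and c.purpose == purpose and c.active_at(when)]


class PersonalDataStore:
    """Every read is mediated by the registry: no active consent, no field returned."""

    def __init__(self, registry: ConsentRegistry, records: dict) -> None:
        self.registry = registry
        self.records = records

    def read(self, subject_id, purpose, requested, when) -> dict:
        consents = self.registry.active_consents(subject_id, purpose, when)
        allowed = frozenset().union(*(c.fields for c in consents))
        record = self.records.get(subject_id, {})
        granted = {f: record[f] for f in requested if f in allowed and f in record}
        denied = tuple(sorted(set(requested) - set(granted)))
        self.registry.audit.append(AccessDecision(
            when, subject_id, purpose, tuple(sorted(granted)), denied,
            tuple(c.evidence for c in consents)))
        return granted


# Constructed sample data: one subject whose record holds three PII fields.
RECORDS = {"s-001": {"email": "alice@example.com", "phone": "+00 000 0000", "postcode": "AB1 2CD"}}


def on_day(day: int) -> datetime:
    return datetime(2018, 5, day, tzinfo=timezone.utc)


def demo():
    """Grant a field-level marketing consent, read, withdraw it, read again."""
    registry = ConsentRegistry()
    store = PersonalDataStore(registry, RECORDS)
    registry.grant("s-001", "marketing", {"email"}, on_day(25), evidence="signup-form-v3")
    before = store.read("s-001", "marketing", ["email", "phone"], on_day(26))
    registry.withdraw("s-001", "marketing", on_day(27))
    after = store.read("s-001", "marketing", ["email"], on_day(28))
    return before, after, registry.audit


if __name__ == "__main__":
    before, after, audit = demo()
    print("before withdrawal:", before)
    print("after withdrawal:", after)
    for decision in audit:
        print(decision)
```

Two design choices carry the compliance point: the store never consults the record directly for a purpose without first asking the registry, and the audit entry stores the evidence string of each consent it relied on, which is what a controller needs when asked to prove that a given access was covered.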
- Manage cloud services – the above requirements also apply where data is held or processed in cloud services. CASBs (Cloud Access Security Brokers), sometimes in conjunction with DLP solutions, provide the ability to detect and control what data is moved to cloud services and to control access to that data, through encryption for example. Where cloud services are used, it is essential that the CSP (Cloud Service Provider) is made aware of the fact that its service is being used to hold PII. It is also important to ensure that the service is certified for this purpose, for example to ISO/IEC 27018.
- Prepare for a data breach – the regulation requires that when a data breach is discovered it must be notified to the local supervisory authority within 72 hours and to the data subjects without undue delay. For this to be achieved it is essential that the organization has a prepared and tested data breach process and plan.
- Implement Privacy Engineering – this is an approach, outlined in NISTIR 8062 amongst other places, to the design and implementation of data processing systems to ensure that they reliably meet the requirements for processing personal data in a trustworthy and compliant manner. As with security, it is difficult to retrofit privacy into existing systems that were designed without it in mind. However, the design and implementation of new applications handling PII should follow this approach.