GDPR - Are you compliant?
GDPR - Are you compliant? By Daniele Carmelitti - Head of Technical Delivery at BIPROCSI

Introduction

Protecting sensitive and personal data has always been a priority for organisations, and even more so in recent years because of the amount of data individuals produce and consume every day. When the GDPR came into force in 2018, this priority became imperative: regulators can now impose fines of up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher, and a data breach also puts an organisation's brand and credibility at risk. The purpose of this document is to outline the critical steps that help make your company GDPR compliant.

ICO Guidelines

The ICO (Information Commissioner's Office) is the UK's independent body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO regulates how organisations, businesses and government use personal information and publishes guidance on what it expects. More information can be found at ico.org.uk.

As detailed in the ICO Security page: “A key principle of the GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’“.

That page also has a checklist you can use as a guide to confirm your company is taking steps in the right direction. Keeping in mind what has actually been implemented internally, can you and your company agree to all of the following points?

  • We undertake an analysis of the risks presented by our processing and use this to assess the appropriate level of security we need to put in place;
  • When deciding what measures to implement, we take account of the state of the art and costs of implementation;
  • We have an information security policy (or equivalent) and take steps to make sure the policy is implemented;
  • Where necessary, we have additional policies and ensure that controls are in place to enforce them;
  • We make sure that we regularly review our information security policies and measures and, where necessary, improve them;
  • We use encryption and/or pseudonymisation where it is appropriate to do so;
  • We understand the requirements of confidentiality, integrity and availability for the personal data we process.

Information Security Policy

One of the first steps towards GDPR compliance is to create an Information Security Policy (ISP): a set of rules, standards and procedures designed to ensure that all users, systems and networks within the organisation meet its data protection requirements.

The main aims of an ISP are:

  1. managing security risk,
  2. protecting personally identifiable information (PII) against unauthorised access and cyber-attack,
  3. detecting security events and minimising the impact of a data breach,
  4. documenting the procedures in place and assigning accountability for applying and maintaining them.

Companies often neglect the last point, but it can be the root cause of many other issues: without a clear definition of who is accountable for what, adhering to the GDPR only becomes harder. With that in mind, can you answer all of the questions below affirmatively?

  • Have you internally created and distributed data protection and information governance policies and procedures?
  • Is your staff clear about their roles and responsibilities regarding data protection and information governance?
  • Have you created an organisational structure for managing data protection and information governance, which provides strong leadership and oversight, clear reporting lines and responsibilities, and adequate information flows?
  • Do you have a review and approval process to ensure that policies and procedures are consistent and effective?

Your Customers’ Rights

The GDPR took effect in May 2018 and replaced the Data Protection Directive of 1995. The Directive was no longer fit for purpose because it failed to address how data is stored, collected and transferred in today's digital age. The GDPR was written with individuals' rights in mind, and your company needs to be fully aware of them, since regulators will impose sanctions if they are not respected.

Right of Access

Individuals have the right to access and receive a copy of their personal data, together with supplementary information such as the purposes of processing and the recipients. This is commonly referred to as a subject access request (SAR). It can be made verbally or in writing, including via social media, either by the individual or by a third party (e.g. a solicitor) on their behalf.

If your company receives a SAR, will it be able to:

  • respond without undue delay and within one month of receipt (extendable by up to two further months only for complex or numerous requests, and only if the individual is told within the first month)?
  • perform a reasonable search for the requested information?
  • provide the information in an accessible, concise and intelligible format?
  • disclose the information securely?

Do not underestimate the effort needed to satisfy a request on those terms: if your company's data infrastructure and architecture are highly complex, locating all of the requester's personal data across every system will be laborious and, in part, manual. A data inventory that records which systems hold personal data, and under which identifier, is what makes the "reasonable search" tractable.

Right to be Forgotten

Individuals have the right to be forgotten, that is, to ask an organisation that holds data about them to delete it (which is why it is also referred to as the "right to erasure").

The request can be made verbally or in writing, and in some circumstances the organisation must then comply. Individuals have the right to have their personal data erased if it is no longer necessary for the purpose it was originally collected or processed for, or if they withdraw the consent on which the processing was based. Organisations are exempt from erasing data where it is needed to exercise the right of freedom of expression and information, to comply with a legal obligation, for the establishment, exercise or defence of legal claims, and in certain other cases.

If your company receives an erasure request, will it be able to:

  • respond without undue delay and within one month of receipt of the request?
  • rely on a solid mechanism in place to recognise if the request should or should not be actioned?
  • satisfy a valid erasure request ensuring to delete the data from live systems as well as backup systems?

As with the right of access, do not underestimate the effort needed to satisfy this request. Deleting a requester's data while keeping every internal system working correctly, and keeping referential integrity between records that must be retained and those that must go, is a significant task from a data architecture point of view. Backups deserve particular attention: ICO guidance accepts that data in backups may be erased on the backup's normal overwrite cycle provided it is put beyond use in the meantime, so the retention window must be documented and tracked for each request.
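One way to make both the access and the erasure requests tractable is to keep directly identifying data in a single pseudonymisation vault and have every other system reference the data subject only by a keyed-hash token. The example below is added here to illustrate that design; it is not code from the author or from BIPROCSI. The store names, the records, the HMAC pepper and the 35-day backup retention are all constructed assumptions for the example.

```python
"""Pseudonymisation vault: a SAR becomes one token lookup plus a search of every
store, and an erasure request removes the identity link without breaking the
foreign keys of records that must be retained."""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed secret for the example; in production it belongs in a KMS/HSM,
# never in source code. Rotating it invalidates every token, so plan for that.
PEPPER = b"example-pepper-not-for-production"

# Assumption for the example: backups containing the vault expire after 35 days.
BACKUP_RETENTION_DAYS = 35

# Constructed stores. Only VAULT holds directly identifying data; every other
# system references a data subject by token only.
VAULT = {}       # token -> {"email", "name", "legal_hold"}
ORDERS = []      # {"order_id", "subject", "amount"}
LOGIN_LOG = []   # {"ts", "subject", "ip"}
SUPPORT = []     # {"ticket", "subject", "text"}
STORES = {"orders": ORDERS, "login_log": LOGIN_LOG, "support": SUPPORT}


def pseudonym(email: str) -> str:
    """Keyed hash of the normalised identifier. Without PEPPER the token cannot
    be reversed by hashing a list of common e-mail addresses."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(PEPPER, normalised, hashlib.sha256).hexdigest()[:16]


def register(email: str, name: str, legal_hold: bool = False) -> str:
    """Create the single identifying record; returns the token other systems use."""
    token = pseudonym(email)
    VAULT[token] = {"email": email, "name": name, "legal_hold": legal_hold}
    return token


def subject_access_request(email: str):
    """Right of access: one token lookup, then a search of every store that
    references the subject. Returns None when nothing is held."""
    token = pseudonym(email)
    identity = VAULT.get(token)
    if identity is None:
        return None
    records = {name: [r for r in rows if r["subject"] == token]
               for name, rows in STORES.items()}
    return {"identity": identity, "records": records}


def erasure_request(email: str, received: str) -> dict:
    """Right to erasure. `received` is the ISO date the request arrived.
    Refuses while a legal hold applies (data needed for the defence of legal
    claims); otherwise removes the identity link and purges the stores that
    carry personal data in their own right."""
    token = pseudonym(email)
    entry = VAULT.get(token)
    if entry is None:
        return {"status": "not_found"}
    if entry["legal_hold"]:
        return {"status": "refused", "reason": "legal_hold"}
    del VAULT[token]
    # Login history (IP addresses) and support text are personal data on their
    # own: purge them.
    LOGIN_LOG[:] = [r for r in LOGIN_LOG if r["subject"] != token]
    SUPPORT[:] = [r for r in SUPPORT if r["subject"] != token]
    # Order rows stay for financial record-keeping. With the vault entry gone
    # they reference a token nobody can map back to a person, so foreign keys
    # remain valid and reports still reconcile.
    retained = sum(1 for r in ORDERS if r["subject"] == token)
    clear_by = date.fromisoformat(received) + timedelta(days=BACKUP_RETENTION_DAYS)
    return {
        "status": "erased",
        "token": token,
        "orders_retained": retained,
        # Vault backups taken before today still hold the identity; this is the
        # date by which the last of them has been overwritten.
        "backups_clear_by": clear_by.isoformat(),
    }


if __name__ == "__main__":
    alice = register("Alice@Example.com", "Alice Smith")
    ORDERS.append({"order_id": 1001, "subject": alice, "amount": 42.0})
    LOGIN_LOG.append({"ts": "2024-01-02T10:00:00Z", "subject": alice, "ip": "198.51.100.7"})
    SUPPORT.append({"ticket": 7, "subject": alice, "text": "Please update my address"})
    print(subject_access_request("alice@example.com"))
    print(erasure_request("alice@example.com", "2024-02-01"))
```

The design choice worth noting is that identity is held in exactly one place, so the "reasonable search" for a SAR is a query per store on a single key, and erasure shrinks the backup problem to backups of the vault rather than of every system. Real deployments would replace the in-memory dictionaries with the actual databases and would encrypt the vault so that destroying a per-subject key also renders older backups unreadable.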

Conclusion

In this article we introduced the GDPR and the ICO's guidance, outlined the steps required to implement an Information Security Policy, and highlighted how every company must be able to honour its customers' rights over how their data is handled and processed. If you want your company to succeed at GDPR compliance, treat it as a journey rather than a destination: every time something new is introduced into your internal systems and procedures, your controls need to adapt and evolve with it.

For more information or support on anything related to the GDPR and PII data, please reach out to any of the BIPROCSI team for an informal discussion.
