What are your personal 'Top 5' practical tips for implementing GDPR?
1. Remember that the fundamental purpose of GDPR is to PROTECT the personal data and rights of individual Data Subjects: It's the "General Data *Protection* Regulation". (This sounds obvious but is sometimes forgotten!)
2. Prioritise security awareness - don't leave it as an afterthought for your annual compliance "refresher" training! As soon as possible in the GDPR implementation, start training staff (eg Senior Managers, Project Managers and Security staff) to recognise typical examples of 'personal data' such as different types of personal unique identifiers, data that uniquely identifies an individual because they are the only person who has that Job Title, etc. Also, to always *consider* the extent to which personal data could be involved, from the outset of any project. (Broad statements such as: "There's no personal data involved in this project" usually require further investigation.) Aim to have all your staff trained to understand the Principles and the key Definitions that apply to their own roles by May 25 2018.
4. Unless you are authorised to do so, don't try to 'interpret' the meaning of any aspect of GDPR - check the meaning and its implications with your Data Protection Officer or other authorised data protection/privacy/legal lead.
5. The 'special categories' of personal data (broadly similar to 'sensitive personal data' under current EU legislation) require ADDITIONAL protection on top of any controls that will apply to 'personal data'. Security staff are well-placed to advise on "additional protection" - eg data classification, data handling and other data 'processing' requirements.
.... I deleted Number 3!
3. Ensure your organisation understands the full implications of the Data Controller and Data Processor responsibilities. For instance, Data Controllers have to provide clear instructions to enable their Data Processors to process the personal data entrusted to them securely and with confidence. Data Processors must do likewise if they are allowed to sub-contract any elements of the personal data processing to their own suppliers. This presupposes that everyone will have complete and up-to-date contractual records that easily identify who the Data Processors are and that the communication channels between DCs and their DPs are straightforward and kept up-to-date ....
Rather than focusing on 'Top 5 practical tips for implementing GDPR', I suggest:
Hi Flyingboy. Thank you for your response.
Sure, organisations have to have robust high-level GRC measures and so on, and I strongly agree there needs to be an executive sponsor. These are all things that a good security professional should already be aware of.
I suggested 'practical' tips to highlight some of the simple basic details which can easily get overlooked or which people may not have come across yet, if they haven't implemented data protection and privacy measures before.
Anyway, just hoping to learn more about 'what personally works' for everyone - there are no 'right or wrong ' answers!
Awareness is one thing, however implementation is another. Sometimes, keeping it simple is needed to get the message across. If you are looking for more detailed implementations, you are unlikely to find them within our few short posts - remember my first recommendation - (Recognise one size does not fit all – consider the level of risk/harm). Every organisation or individual (even security or privacy professionals) is different or has different circumstances when handling data.
If you are looking for something specific, you can reach out to me directly.
1. GDPR is a Good Thing so be positive about it within your organisation. Don't treat it as a tick box exercise or, as I heard someone describe it last week, 'a Great Depressing Pile of Regulation'. It is something we should all be doing anyway.
2. Sort out the basics first. Be sure of your processing activities, legal bases for processing and purposes. I've found that making sure those are rock solid is very helpful as what follows can be looked upon as a bit of an uphill climb. That's a lot more palatable if you have established a solid base camp.
3. Get legal advice. I am not a lawyer. There is no magic compliance checklist. I am a CISSP so have signed a code of ethics that includes not pretending I know everything.
4. Don't assume your only communication path is upwards. While it's important to make sure you get buy-in from the Board, your weak spots will probably lie elsewhere, so a comms and awareness raising plan should be inclusive. Trying to strike a balance between shock and awe (we're going to get fined 20m euros) and boring people half to death with yet another reference to GDPR is difficult but not impossible.
5. Don't panic
Here's my top five practical, biased and limited thoughts - not comprehensive, caveat emptor, etc.
1. Download the Law - read it; if nothing else it's a formidable work of legal minds. Also read a few of the legal company references, the new e-Privacy Regulation and look at the WP29 opinions. Lastly, with GDPR, make sure your DPO/General Counsel doesn't forget the APEC Privacy Framework and all the other national privacy regulations that apply to you; your privacy program will have better longevity and be less brittle if it's addressing the broad issues.
2. Look at sending your guys on courses with IAPP (DPO Ready) and ITGovernance (GDPR F/P) - I've attended both and would say that IAPP offers more for the top end of town, whilst ITGovernance is interesting from a practitioner's standpoint. Both sets of training have value; there may also be others. Once they are trained, please share. If not, build your own training program.
3. Get your privacy terms of reference defined and promulgated in your company/organization in a jargon-busting way. Should I Gap Analyze my PIMS when set against my PIA or ensure that I practice PDB on my BCRs so they harmonize my Model Contracts? It will only be clear that the team knows what it all means when this is done - if you are exposed, and you probably are, then a CEO email linking the resource and emphasizing his/her commitment really helps.
4. Do your data mapping, focus on what is processed in priority order and take the elements of personal data you have (and because this is the ISC2) work with your friendly DLP, tagging, compliance and monitoring guys to help. Security tools can't do all, or even most, of the work but I feel they can really help look for spills. Focus them on the live processing first, before you try to boil the ocean crawling your databases and file stores.
5. Avoid, or dial down the weight of, opinions of those offering certainty; there is as yet no GDPR case law, so we're really not sure what will happen - maybe it will be just like Benny Hill, with all the supervisory authorities chasing Google, Facebook and Microsoft... and hilarity ensues.
Hi Early_Adopter. Great post.
As you say, there is no case law for GDPR as yet and some organisations appear to be adopting a 'wait and see'/'let's stay under the radar' approach as a result of this. This may be a short-sighted approach, in particular for organisations that have resided in the EU for some time and are already subject to the decades-long privacy legislation that pre-dates GDPR.
Although there is no 'certainty' as yet, there are privacy legislative precedents and "history" to refer to and learn from. The EU's privacy community (eg Courts, Regulators, DPOs and other long-standing Data Protection Practitioners) will not regard GDPR as "new" or a completely fresh start with a level playing field. To them, GDPR is at least the "second wave" of privacy legislation, with the latest changes constituting about 30% of the Regulation and including carefully-worded clauses that address some of the problematic grey areas and potential legal loopholes that arose in the past. The responses to other GDPR changes, such as those associated with new technology, will be less predictable, leaving more opportunities for interpretation and challenge.
From a risk perspective, perhaps the most volatile and unpredictable aspects of GDPR in the long run will be associated with the world's political climate and fluctuating attitudes to privacy as a fundamental right. We shall see!
Absolutely agree with you - the fact that there is no case law for GDPR only adds to uncertainty in rulings - 'how much will it hurt... maybe I can get away..?' is, in my view, a going-out-of-business model.
Wait and see is really going to hurt if you have a breach or a supervisory authority comes calling and you can't prove you had considered the principles, privacy by design/default, legitimate grounds for transfer, hired a DPO, inventoried/mapped personal data and implemented 'appropriate technical and organizational controls', etc...
Just under thirty supervisory authorities, all with slightly different goals and agendas and all wanting success, won't make for a slow roll out IMHO.
Even though there is no case law mentioning GDPR directly, there are court decisions that have started referencing some GDPR approaches:
Let's work towards compliance and do not allow opportunities for regulators to make an example of us.