What are your personal 'Top 5' practical tips for implementing GDPR?
1. Remember that the fundamental purpose of GDPR is to PROTECT the personal data and rights of individual Data Subjects: it's the "General Data *Protection* Regulation". (This sounds obvious but is sometimes forgotten!)
2. Prioritise security awareness - don't leave it as an afterthought for your annual compliance "refresher" training! As soon as possible in the GDPR implementation, start training staff (eg Senior Managers, Project Managers and Security staff) to recognise typical examples of 'personal data' such as different types of personal unique identifiers, data that uniquely identifies an individual because they are the only person who has that Job Title, etc. Also, to always *consider* the extent to which personal data could be involved, from the outset of any project. (Broad statements such as: "There's no personal data involved in this project" usually require further investigation.) Aim to have all your staff trained to understand the Principles and the key Definitions that apply to their own roles by May 25 2018.
4. Unless you are authorised to do so, don't try to 'interpret' the meaning of any aspect of GDPR - check the meaning and its implications with your Data Protection Officer or other authorised data protection/privacy/legal lead.
5. The 'special categories' of personal data (broadly similar to 'sensitive personal data' under current EU legislation) require ADDITIONAL protection on top of any controls that will apply to 'personal data'. Security staff are well-placed to advise on "additional protection" - eg data classification, data handling and other data 'processing' requirements.
Article 42 supports GDPR certifications, but they need to be recognised by the supervisory authorities or the EDPB.
Unless of course you have a really rusty snake...
There are products, people, process, codes of conduct, audit - probably if you are large you'll use OneTrust, TrustArc, Nymity etc - but are any of these going to certify? I would simply doubt the sanity of anyone saying they could, and back away slowly with open body language and occasional eye contact...
'Certification' against GDPR in an organization will be a Herculean task, and one in line with the amount of effort you probably need to spend to be able to prove accountability, reduce impact when you have a breach and defend effectively against spurious claims.
For the Supervisory authorities providing certification, well this is fine, but let's say an entity certifies and then has a massive breach of personal data caused by something the certification didn't adequately check. That same SA (probably) then has to throw the book at an organization they said was doing a good job.
It will come, but I expect something like a good practice shield/badge first, then you can maybe audit for a tick in the box.
Rather than unilateral action, I suspect the WP29 needs to reach its final form and the EDPB will have a really good long think. SAs looking at the countries providing certification against their own data protection laws would also make sense.
I have seen a great deal of grandstanding from both technical professionals, and audit/risk/compliance professionals, claiming to have the key to silver bullet GDPR compliance.
Don't believe the hype.
GDPR, much like security practices in general, should be:
- a collaborative process involving all stakeholders e.g. operational, management, compliance, audit etc
- prioritized during the design process and not an "add-on" or "afterthought"
- a balance between compliance and operational considerations rather than sacrificing one for the other
- iterative and continuous in its approach to development and improvement
- as simple, think user-friendly, as possible whilst maintaining the minimum required security posture baseline
I find myself repeating the same phrase of late.
"GDPR will fundamentally change our relationship with data."
Any future digital transformation, or governance, plans will need to prioritize this evolving relationship with data.
More on certifications as described in this European Union Agency For Network and Information Security (ENISA) publication:
A trustworthy Privacy training organisation in the UK is 'Amberhawk'.
They also have a good blog, "Hawktalk":
Although there have been some very good discussions at conferences and elsewhere, it is sometimes obvious that some comments and suggestions about privacy are largely theoretical whereas others are grounded in practical experience with the existing legislation (eg the practical considerations re. identifying SARs, retrieving data for SAR responses and the role of HR).
Fundamentally, people either "get" what GDPR/Privacy/a data-centric focus are about or they don't. The point of true realisation may occur when a topic is discussed which has a personal privacy implication for them, rather than from their corporate training (eg they attempted to obtain personal records from somewhere and found it difficult). When the penny drops, they often start taking the subject more seriously and the true changes begin to take place.
From an awareness perspective, Sian Phillips mentioned somewhere that it takes 5 years for the messages from a new security awareness programme to become fully integrated within a large organisation. As well as GDPR awareness, staff have to understand and commit to the changes they're being asked to make, as those changes apply to their own roles.
I agree to not try to interpret the meaning of GDPR and consult with a colleague, such as the Data Protection Officer, who has training in the matter. My only concern is that with any new law there will be a timeframe in which specific items are still open for discussion and interpretation. I am counting on organizations such as ISC2 to keep the information flowing on GDPR and through webinars or newsletters inform their members about how specific points have been clarified.
In law school I learned that every law is open to interpretation because otherwise, why would we need lawyers? GDPR will be no different and as complex as GDPR is, I am guessing that for the next few years we will continue to learn about the specific meaning of the law for certain case examples.