Prior to the EU’s General Data Protection Regulation (GDPR) going into effect in May 2018, companies from across the globe scurried to ensure that they had the necessary information to achieve compliance with the broad-sweeping regulation. In a post-GDPR world, the attention rests on which companies will be hit by data breaches, what the total fines will be, and what the public scrutiny will entail. Though the upper tier of fines, up to 4% of a company’s annual worldwide turnover or €20 million ($22.9 million), whichever is higher, is certainly eye-catching, a data breach could leave a company destabilized for years afterwards.
Aimed at protecting individuals in the EU, GDPR applies to any company that processes the personal data of people who are in the EU, regardless of the company’s location. We’ve already seen follow-on regulation in the U.S. The state of California passed the California Consumer Privacy Act in June 2018; it will require companies holding large amounts of personal information to disclose the types of data they collect. Said to be the toughest data privacy law in the U.S., the act, which takes effect in 2020, also allows consumers to tell a business not to share or sell their personal information.
CIOs play an important role in ensuring that their software, data processing, and—on a larger scale—their companies, maintain compliance on an ongoing basis. What seems to be a daunting task can be broken down into a step-by-step program to make it a bit easier to know where to start.
STEP 1: Create and maintain a software estate inventory
CIOs and their IT teams should first compile a complete overview of their entire software portfolio to understand what is being used by employees across the company. Special attention should be given to SaaS applications and programs installed on mobile devices, as they are often overlooked. CIOs must also identify who in the company is using applications that access personal data and what type of data is being accessed, e.g., names and addresses, financial or medical records. With this information, the IT team can prioritize and focus efforts on checking whether that access is necessary. If the access is required, it should be documented in the Record of Processing Activities (RoPA). From there, regular audits should be run to capture any changes.
STEP 2: Document how data is processed
To ensure that adequate security measures are in place, the IT team should create a list of processing activities and their respective categories (the record required by GDPR Article 30). This list should include the name and contact details of the data processors and any third parties the company shares data with. It’s important for CIOs to remember that it is their team’s responsibility to ensure these third-party IT vendors also have compliant security measures in place for the data they handle.
STEP 3: Assess vulnerable software on all devices
To maintain compliance, CIOs should see that their teams identify unpatched and outdated software on all devices and prioritize the investigation and updating of the software most critical to the company. During this step, IT teams should also look for software that has reached, or is close to reaching, its end of life. Often, companies will run old legacy software as if it were brand new, but it’s important to remember that software vendors do not provide fixes or security updates for end-of-life software; it’s up to the CIO to upgrade or remove it.
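The inventory and prioritization logic behind Steps 1 and 3, as an added example that is not part of the original article: a Python script that runs over a constructed software inventory (the hosts, products, versions, data categories and end-of-life dates are all hypothetical) and flags software that is outdated, past or near end of life, or missing vendor support data, ranking each finding by the most sensitive category of personal data the software touches. The `personal_data_access` view is the input a team would carry into the RoPA; the `assess` ranking is the remediation queue of Step 3.

```python
"""Added example: flag and rank outdated / end-of-life software that touches personal data.

All inventory data below is constructed for illustration; product names, versions,
hosts and EOL dates are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2019, 3, 1)  # assessment date used for the sample run

# Step 1 inventory: one row per installed product per device, with the categories
# of personal data the application is known to access (empty set = none).
INVENTORY = [
    {"host": "hr-laptop-07",   "product": "PayrollSuite", "version": "3.2.1", "data": {"financial", "names_addresses"}},
    {"host": "clinic-pc-02",   "product": "MedRecords",   "version": "5.0.0", "data": {"medical"}},
    {"host": "sales-phone-19", "product": "CRMMobile",    "version": "2.8.0", "data": {"names_addresses"}},
    {"host": "dev-box-01",     "product": "BuildTool",    "version": "1.0.0", "data": set()},
    {"host": "ops-vm-03",      "product": "LegacyFTP",    "version": "1.2.0", "data": {"names_addresses"}},
]

# Vendor support data (hypothetical): current release and published end-of-life date.
# LegacyFTP is deliberately absent to show how unknown support status is handled.
VENDOR_SUPPORT = {
    "PayrollSuite": {"latest": "3.4.0", "eol": None},
    "MedRecords":   {"latest": "5.0.0", "eol": date(2019, 5, 15)},   # EOL in 75 days
    "CRMMobile":    {"latest": "2.8.0", "eol": None},
    "BuildTool":    {"latest": "1.3.0", "eol": date(2018, 12, 31)},  # already EOL
}

# Weighting choices are assumptions, not GDPR requirements: special-category data
# (medical) outranks financial data, which outranks plain contact details.
SENSITIVITY = {"medical": 3, "financial": 2, "names_addresses": 1}
ISSUE_WEIGHT = {
    "end of life": 3,
    "outdated": 2,
    "no vendor support data": 2,
    "end of life within 90 days": 1,
}
EOL_WARNING = timedelta(days=90)


@dataclass
class Finding:
    host: str
    product: str
    version: str
    issues: list
    sensitivity: int
    score: int


def parse_version(version: str) -> tuple:
    """Dotted numeric version -> tuple, so '3.10.0' sorts above '3.9.2'."""
    return tuple(int(part) for part in version.split("."))


def personal_data_access(inventory):
    """Step 1 view: which (host, product) pairs touch which category of personal data."""
    access = {}
    for item in inventory:
        for category in item["data"]:
            access.setdefault(category, set()).add((item["host"], item["product"]))
    return access


def assess(inventory, support, today):
    """Step 3: flag outdated / EOL / unsupported software and rank by data sensitivity."""
    findings = []
    for item in inventory:
        issues = []
        info = support.get(item["product"])
        if info is None:
            issues.append("no vendor support data")
        else:
            eol = info["eol"]
            if eol is not None:
                if eol <= today:
                    issues.append("end of life")
                elif eol - today <= EOL_WARNING:
                    issues.append("end of life within 90 days")
            if parse_version(item["version"]) < parse_version(info["latest"]):
                issues.append("outdated")
        if not issues:
            continue  # current, supported software: nothing to remediate
        sensitivity = max((SENSITIVITY.get(c, 0) for c in item["data"]), default=0)
        # Software with no personal-data access still scores (factor 1); each
        # sensitivity level multiplies the combined issue weight.
        score = (1 + sensitivity) * sum(ISSUE_WEIGHT[i] for i in issues)
        findings.append(Finding(item["host"], item["product"], item["version"],
                                issues, sensitivity, score))
    # Highest score first; host name breaks ties so the output is stable.
    return sorted(findings, key=lambda f: (-f.score, f.host))


if __name__ == "__main__":
    for category, users in sorted(personal_data_access(INVENTORY).items()):
        print(f"{category}: {sorted(users)}")
    for f in assess(INVENTORY, VENDOR_SUPPORT, TODAY):
        print(f"[{f.score:>2}] {f.host:<15} {f.product} {f.version}: {', '.join(f.issues)}")
```

On the sample data the unpatched payroll application ranks first, the end-of-life build tool second because it carries two issues at once, and the medical-records system third: it is fully patched but within 90 days of losing vendor support, which is exactly the case Step 3 says to catch before the fixes stop. The weights are the part a team would tune to its own risk appetite; the structure (inventory, vendor support data, ranked findings) is what the audit in Step 1 should refresh on every run.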
STEP 4: Train the staff
For teams to monitor for and raise issues, they must know what rules are in place or have changed. Onboarding new hires is a good time to hold training sessions and teach employees about any updated or new regulations. Above all, IT teams should understand the importance of personal data, and that if team members are negligent, they could cause a data breach. If a breach is likely to result in a risk to the rights and freedoms of individuals, it must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of it.
Maintaining ongoing compliance is time-consuming, costly, and complex. As the process becomes routine, CIOs will find that it grows more streamlined and effective, leaving the IT leaders of the future better prepared to maintain GDPR compliance.
GDPR is potentially the strongest data privacy regulation enacted to date, but it certainly won’t be the last. Putting these best practices in place now will serve organizations well as they face increasing privacy regulation in the EU and beyond.