GDPR Best Practices and checklists (1 of 4)
This document is a knowledge base intended to raise awareness of GDPR compliance within an organization, and to provide step-by-step procedures for holding user data in line with the EU data privacy regulation.
GDPR Part #1 — Takeaways and Action Plan
The GDPR is a set of rules that collects principles and best practices that have existed for some time. This document lists those principles and best practices and explains how to be compliant with GDPR, providing concrete checklists and an action plan. It does not substitute the work of a compliance lawyer or a DPO (Data Protection Officer), whom it is recommended to consult if the company collects and processes PII (Personally Identifiable Information), particularly if that data is sensitive, such as medical records and financial data.
This document is split into four parts:
Part #1- GDPR definitions, key takeaways, and action plan
Part #2- GDPR user’s rights and checklists
Part #3- Privacy and Security by design and checklists
Part #4- List of resources this document draws on
NOTE: For quick consultation, if you are already familiar with GDPR, I have put the takeaways and action plan at the beginning in Part #1; jump to Parts #2 and #3 if you want to dive deep into the checklists.
The aim of this document is to: a) give an overview of what GDPR is; b) clarify concepts that apply to GDPR and are often misunderstood; c) provide a step-by-step guide to creating a self-regulatory framework within your organization.
The target audience is small and medium companies that are starting their business, are not yet well informed about GDPR, and need a guide on how to start dealing with this topic. This document can also be handy for the person responsible for compliance who wants to build up the knowledge base within the organization. Finally, this document is for everyone else who is still disoriented and wants to know where GDPR comes from and what its implications are at the technical and business process level.
1. Introduction
The European General Data Protection Regulation came into effect on May 25th, 2018, in all member states to harmonize the data privacy laws across Europe. Some describe GDPR as a “Digital Declaration of Rights” because it places limits on the power of software platforms and reflects a commitment to the principles of digital self-sovereignty. GDPR is a welcome replacement for its predecessor — the Data Protection Directive 95/46/EC — a law that had remained essentially unchanged since its adoption in 1995. Although GDPR is a European law, it has been considered a benchmark for the preservation of user data rights at a global level. After the Facebook–Cambridge Analytica data scandal and the application of the GDPR on May 25th, the attention on data protection has increased exponentially and has become critical for every organization. Broadly speaking, data protection is a general term that refers to data privacy and data security. The meaning of these terms is explained in the next section, Definitions.
2. Definitions
In order to develop a better level of awareness and compliance with GDPR, it is crucial to understand the meaning of terms that are often confused: data protection, data privacy, data security, and information security.
· GDPR is about DATA PROTECTION compliance.
· DATA PROTECTION is a broad term that includes data PRIVACY and data SECURITY.
· DATA PRIVACY is the use and control of data: ensuring only the correct people can see the data, what type of data is held, and for how long. In case of a data breach, the organization can face a huge fine under GDPR.
· DATA SECURITY means securing data against unauthorized access, or the prevention of unauthorized access, modification or destruction of data in storage. Data security is specific to data storage and is one layer of information security; it is the physical security of user data. When we speak about data breaches we refer to physical data, i.e. data security, which if compromised can ruin the reputation of an organization.
· INFORMATION SECURITY is the prevention of unauthorized access, modification, or destruction of information. Information security is a broader practice that encompasses the end-to-end information flow.
· DATA BREACH (or security breach) is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
3. GDPR key takeaways
1) GDPR onboarding is about:
· Privacy and Consent
· Data Access
· Data Correction
· Data Export
· Data Deletion
2) GDPR is a matter of following privacy- and security-by-design principles that address the concerns related to Data Protection, which include:
· Data Privacy
· Data Security
3) Being compliant with the GDPR rules is quite challenging for every organization. There is an enormous gap between legislation and practice. It is recommended to clarify which degree of compliance can be achieved and why (see GDPR Action Plan). Explain your choices and do a risk assessment as part of your risk management plan (identify risks and define a risk response).
4) Audit and review the contracts with your suppliers and conduct an information audit. Also assess your privacy notices and procedures.
5) Make sure you have the right procedures in place to detect, report and investigate a security breach within 72 hours.
6) Identify who is responsible for data privacy and security (responsible and accountable). For example, in the US a company with over 250 employees must appoint a DPO (data protection officer), especially if they intend to carry out large-scale systematic monitoring of individuals, such as online behavior tracking. In Europe, under GDPR, a DPO appointment is mandatory only for those controllers and processors whose core activities consist of processing:
- operations which require regular and systematic monitoring of data subjects on a large scale or
- of special categories of data or data relating to criminal convictions and offenses.
7) GDPR is only the skeleton of data protection regulation. Each EU country applies its own rules on top of it, depending on the law of that specific country.
8) Not only EU companies are subject to the GDPR rules, but also non-EU “established” organizations that target or monitor EU data subjects.
9) Privacy and security from a customer perspective: customers want easier access to their own data through transparency.
· Display why you are collecting personally identifiable information (PII), and all the ways this data is being used (18)
· During the onboarding process in an application, and whenever any new piece of information is collected, make opting out easy
10) The major challenge to solve in order to be GDPR compliant is the way user data is collected. Centralized storage of poorly protected personal credentials, including passwords, PINs, biometrics, credit card numbers and other personal information, brings the following issues: a) a single point of failure; b) a high risk of breaches; c) rising IT costs.
4. GDPR Action Plan
This list of action items will facilitate the creation of a self-regulatory framework within your organization.
1. Awareness: send a communication within your organization with attached information about GDPR, its impact on your business, and the next steps. Help the board understand the legislation and the resources required to handle personal data.
2. DPO: appoint a Chief Data Protection Officer to drive compliance and a Data Protection Officer to assess data protection requirements. What matters is not the person's title but the role itself. Identify one or more persons who are responsible and accountable for how users' personal data is handled.
3. Data Audit: create a document describing how user data is collected, stored, processed, deleted, transferred and disclosed, both internally within your IT systems, platform, application and infrastructure, and externally with your providers.
4. Data Privacy and Security checklist: go through the two lists in Part #2 of this document.
5. GDPR rules and business processes creation:
· Go through the eight GDPR rules, following the checklists
· Identify the tasks for each rule
· Define the business processes involved
· Identify who is responsible and who is accountable for each task
· Specify and explain, for each rule, the level of compliance achieved
6. Make a cost-benefit analysis and, based on the trade-offs you are willing to accept, do a risk assessment.
7. Risk assessment: create a Risk Registry spreadsheet where, for each risk, you specify the impact of the risk on your business, the level of risk (low, medium, high), who is going to manage it, who is going to respond if the risk materializes, and what to do:
· Risk ID
· Risk Description
· Impact
· Risk level
· Risk Owner
· Risk Response
Continue reading
Part #2- GDPR user’s rights and checklists