12 Step approach for a GDPR Risk Management Framework.

The greatest risk has yet to come: “Failure to comply with GDPR”.

On 4 May 2016, the General Data Protection Regulation (GDPR), now numbered Regulation 2016/679, was published in the Official Journal of the EU. It will not apply until 25 May 2018. Once the GDPR is in effect, the current Data Protection Directive 95/46/EC is repealed. It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the export of personal data outside the EU.

The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. GDPR takes a wide view of what constitutes personal identification information. Companies will need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address and Social Security number. The GDPR leaves much to interpretation. It says that companies must provide a “reasonable” level of protection for personal data, for example, but does not define what constitutes “reasonable.”

Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if it has no business presence within the EU. The specific criteria for companies required to comply are:

  • A presence in an EU country.

  • No presence in the EU, but it processes personal data of European residents.

  • More than 250 employees.

  • Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies.

It will protect the following privacy data:

  • Basic identity information such as name, address and ID numbers

  • Web data such as location, IP address, cookie data and RFID tags

  • Health and genetic data

  • Biometric data

  • Racial or ethnic data

  • Political opinions

  • Sexual orientation

Failure to comply can be a disaster in terms of reputational and financial risk. The following sanctions can be imposed for non-compliance:

  • a warning in writing in cases of first and non-intentional non-compliance

  • regular periodic data protection audits

  • a fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.

  • a fine up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The GDPR requirements will force U.S. companies to change the way they process, store, and protect customers’ personal data. For example, companies will be allowed to store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, and companies must erase personal data upon request.

Exceptions include that GDPR does not supersede any legal requirement that an organization maintain certain data. This would include HIPAA health record requirements.

GDPR Risk Management Framework.

1.     Establish a framework with a strong governance structure and clear roles and responsibilities, involving all stakeholders from all parts of the organization. The GDPR defines several roles that are responsible for ensuring compliance: the data controller, the data processor and the data protection officer (DPO). The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply. Data processors may be the internal groups that maintain and process personal data records or any outsourcing firm that performs all or part of those activities. The GDPR holds processors liable for breaches or non-compliance. It is possible, then, that both your company and a processing partner such as a cloud provider will be liable for penalties even if the fault lies entirely with the processing partner.

2.     Ensure that you have clear policies in place to prove that you meet the required global data hygiene standards. Establish a culture of monitoring, reviewing and assessing your data processing procedures, aiming to minimize data processing and data retention, and build in safeguards. Privacy impact assessments will also need to be conducted to review any risky processing activities and the steps taken to address specific concerns.

3.     Conduct a risk assessment: you need to know what data you store and process on EU citizens and understand the risks around it. Remember, the risk assessment must also outline the measures taken to mitigate that risk. A key element of this assessment will be to uncover all shadow IT that might be collecting and storing PII.

4.     Implement measures to mitigate risk: once you have identified the risks and how to mitigate them, you must put those measures into place. This means upgrading existing risk mitigation measures.

5.     Test incident response plans: the GDPR requires that companies report breaches within 72 hours. How well the response teams minimize the damage will directly affect the company’s risk of fines for the breach. Make sure you are able to adequately report and respond within the time period.

6.     Prepare for data security breaches. Put in place clear policies and well-practiced procedures (playbooks) to ensure that you can react quickly to any data breach and notify in time where required.

7.     Privacy risk needs to be written into the risk taxonomy. Ensure that privacy is embedded into any new processing or product that is deployed.

8.     Analyze the legal basis on which you use personal data. Consider what data processing you undertake. If you rely on obtaining consent, review whether your documents and forms of consent are adequate and check that consents are freely given, specific and informed.

9.     Check your privacy notices and policies.

10.  Bear in mind the rights of data subjects, such as the right to data portability and the right to erasure. If you store personal data, consider the legitimate grounds for its retention.

11.  If you are a supplier to others, consider whether you have new obligations as a processor; the GDPR imposes some direct obligations on processors which you will need to understand and build into your policies, procedures and contracts. Consider whether your contractual documentation is adequate and, for existing contracts, check who bears the cost of making changes to the services as a result of changes in laws or regulations. If you obtain data processing services from a third party, it is very important to determine and document your respective responsibilities.

12.  Cross-border data transfers: with any international data transfers, including intra-group transfers, it will be important to ensure that you have a legitimate basis for transferring personal data to jurisdictions that are not recognized as having adequate data protection regulation. #risksmartinc