The 3 most important things you need to account for in order to become GDPR compliant

The General Data Protection Regulation (GDPR) is a European law that protects the privacy of European citizens on the one hand and helps to create awareness in the processing of personal information on the other. Thanks to the GDPR, CISOs like you have a lot of extra work to do. The amount of administrative work that results from the GDPR is huge, your organisation pushes back, and time has run out! After all, since May 25th 2018 the organisation has had to be in accordance with the GDPR.

This article describes the first three steps that every sensible CISO will take immediately. In our checklist we will discuss these three steps in more detail and will talk about the necessary follow-up steps.

GDPR is all about awareness

The legislator wants organisations to think about the processing (collecting, editing and documenting) of personal information. It does not matter whether we are talking about information about customers, leads or employees. In all cases we are dealing with personal information.

Within the GDPR the legislator therefore attaches a lot of value to reducing the amount of personal information processed, as well as to mapping the potential risks. Next to this, measures to prevent data leaks, verifying the effect of these measures and limiting the damage are important themes. Acting carelessly or concealing incidents can lead to high fines.

We are talking about a data leak when sensitive personal information ends up in the wrong hands. In most cases, data leaks are the result of human error without intent, for instance when someone sends a file to the wrong email address or shares sensitive information through a public service. The lack of a good privacy policy makes data leaks more likely.

“The goal of GDPR is to create awareness on how to interact with personal information. We can see this in the fact that the legislator punishes not reporting a leak with a higher fine than for the leak itself.” Erick van Veghel, CISO.

How do I start?

Start by putting together the right team. Nowadays, most organisations store their information digitally. Many different systems and applications use this information and share it. The team that is going to advise your organisation on the GDPR legislation has to have the right knowledge on board. Ideally, the core of your team consists of one legal expert, one privacy expert and one IT employee. In their work they will involve all the responsible managers and a specialist per department.

1. Acquiring understanding

Chu Chao, lawyer at HVG Law, advises starting by mapping your current data streams. Because there can be many data streams, it is wise to start with the most important or most sensitive ones. Here you need to ask questions like:

  • Which data do we collect, and where?
  • Where and how do we store this data?
  • Who receives or has access to this data?

This way you will get an understanding of the infrastructure and systems of your organisation.

2. Determining the impact on your organisation

Once you have mapped all the data streams of your company, you need to compare them against the GDPR by means of a gap analysis. In doing this you look at the current situation and compare it with the desired situation. This comparison will give you a set of measures that are necessary in order to close the gaps. In some cases there are existing policies that you only have to update. In other cases you need to start from scratch and create your own policies. It is sensible (though not always obligatory) to base this on a processing register.

Maintaining your processing register

If the company you are working for has 250 or more employees, you need to describe all processing of personal information in an internal register. If the organisation you are working for has fewer than 250 employees, the registration obligation only applies if:

  • Risky processing takes place, for instance automatic profiling for targeted marketing or an automated rejection of health insurance.
  • The organisation processes sensitive information, for instance medical information.
  • The organisation processes a very large amount of information.

If you set up your processing register according to the regulations, you immediately comply with the registration obligation within the GDPR. The register can be managed in anything from a spreadsheet to a specialised software solution. The content of the register is bound by rules; our checklist on GDPR compliance gives more detailed information on this matter. It should be clear that the information in your register needs to be up-to-date and complete.

3. Creating and maintaining a policy

The processing register gives you an understanding of the personal information you process and obliges you to think about which personal information you are storing, why you are doing this and how you can protect this information. This is the foundation for the creation of an additional policy. According to Chu Chao, the legislator does this to make sure that we take privacy very seriously and are willing to think about which data we want to gather and store, and why we want to do so. The term “data minimisation” is very important here. It means storing only the data that we really need, with a minimal retention period. This is in strong contrast with how many organisations are working right now. Nowadays many companies have a policy along the following lines: “We store everything and as long as possible, you never know when you are going to need it”. As a result, many companies see privacy as a burden. This illustrates that we have gone a bit too far in the gathering of personal information. The GDPR corrects this.

Based on the register you will create a transparent privacy policy for both your clients (external) and your employees (internal). After this you make the policy accessible to all involved. The goal of this policy is to inform those involved beforehand about the personal information that you gather and to point them to their rights. At a minimum, this document has to contain the following information:

  • The identity and contact information of the party responsible for the information. In most cases this is your company. If you have a privacy officer, the contact information of this person needs to be mentioned as well.
  • The purpose of the processing of the information and the legal basis for it.
  • The third parties that receive the information. If such a party is located outside the European Economic Area (EEA), extra safeguards need to have been put in place to ensure that the transfer outside the EEA is permitted.
  • The retention period of the personal information.
  • Information concerning the rights of those involved, which includes:
      • The right to access, correction and deletion of the information, and to restriction of its processing.
      • The right to data portability, for instance to take data along from one organisation to another.
      • The possibility to withdraw consent for processing, for example by using the opt-out function in an email.
      • The possibility to lodge a complaint with the authorities.

An internal privacy policy also contains guidelines for employees concerning the use and security of sensitive personal information within the organisation. This internal privacy policy is often included in the employee handbook, which in turn forms part of the employment contract. Besides this, the internal privacy policy can often be found on the company intranet, where it is easy for employees to consult.

In order to make sure that all employees live up to the guidelines in the privacy policy, the privacy rules have to become part of their daily practice. Repeated training is needed for all employees who deal with personal information, not only the managers. If you make your colleagues aware of the privacy-related risks in their work and combine this with easily accessible, user-friendly tools that significantly decrease the risk of incidents, you have taken a few huge steps towards an organisation that is fully GDPR compliant!

Checklist GDPR

We have described all the necessary steps you have to take in order to comply with the GDPR in our checklist. This document elaborates on matters such as drawing up a processor agreement, obtaining consent for processing personal information and the security measures that have to be taken.
