GDPR: One month to go - what's left still to do?
Iland's Frank Krieger runs down some of the issues that organisations will have to sort out before 25 May
There is just one month to go before the General Data Protection Regulation (GDPR) comes into force, meaning that by Friday 25 May 2018 organisations must be able to demonstrate that they are compliant or show evidence that they are working towards being able to satisfy the Articles that will govern data protection for the foreseeable future.
So, where should businesses be right now in the process of ensuring cloud workloads will be compliant with GDPR?
Finalising controller/processor contracts
Organisations that originate the collection of personal data (data controllers) and operate in a cloud environment must be able to provide evidence that the data they have gathered is protected as far as possible in all instances of transit, storage and processing. It's commonplace for organisations to use a chain of third parties to host and process data - the cloud being an obvious example - but that doesn't absolve an organisation from its GDPR responsibilities.
As a data controller you should now be at the final stages of formulating the contracts that will commit your data processors (such as your cloud hosting service) to handling your data to your defined standards of security, geographic location and access required by the GDPR. Part of this should include a system of audit to actively monitor your data processors and ensure that they are continuously meeting your GDPR requirements.
This oversight should include visibility into the activities of your data processor through a review of policies and defined audits, insight into any sub-processed functions that the data processor may be performing, and assurances that those sub-processed activities are themselves compliant with the data controller's needs.
It's also important that the contract identifies the types of personal data that will be in scope, the agreed audit bodies to be used, and the procedure for informing the controller if the processor suffers a breach of the data or of the terms under which it is being processed.
Data processors should be fully engaged with you at this stage, demonstrating through their own compliance procedures how they align with what you need to ensure you meet your GDPR obligations.
Educating the organisation on its data protection responsibilities
The GDPR is much more than a tick-box compliance exercise that can be contained within audits and contracts. It requires a full commitment by every organisation to build data protection into its culture and into all aspects of its operations, from support and accounting through to product development. The GDPR is not specific to IT; it must permeate every part of the organisation if a genuine data protection culture is to be built.
By now, employees should be aware of the impact of the GDPR and the changes it has brought to their daily work processes and responsibilities. Departments will be affected in different ways and to different degrees: some will have been living and breathing the Regulation for several years, for others it may be new. But being data protection-aware is no longer optional; it's critical and regulated. A continuous programme of education, from induction through regular refresher sessions, is essential.
Part of this process should include furnishing employees with their own data privacy notice, informing them of the way in which their employer will manage and safeguard their personal information. This will help make data awareness relevant for everyone from the chairman of the board to the customer service team and beyond.
Wrapping up data mapping, risk and access reviews
By this stage, you should know what data you hold, why you hold it and where it's located. You should have established the level of risk associated with that data, the levels of access permitted to it in the course of operations, and a mechanism to measure and oversee the effectiveness of those controls. The flow of data through your organisation should be clearly understood, and systems should be in place to identify any changes in data flow that might cause elevated data risk.
Modifications to applications, services or procedures should be evaluated through the data protection impact assessment (DPIA) processes described in the GDPR, and overseen by your organisation's data protection officer (DPO). Linkage between your DPO and your processor's DPO needs to be in place, with processes to ensure that data-subject queries are handled in the correct manner and that programme oversight is functioning correctly.
DPIAs should have uncovered any high-risk data, and strategies should be well advanced to mitigate the risks to an acceptable level. The level of access employees have to data should also have been reviewed, applying the principle of limiting access to the minimum required for them to do their jobs.
Locking the doors on EU data stores
The separation and restriction of EU citizens' data, plus confirmation of its secure geographic location, should be in its final stages. This ties in with the point above about data controllers and processors and is particularly relevant to the cloud. Controllers need to know that data pertaining to EU citizens is locked down to that geography and will not be inadvertently accessed by staff from other territories. Processors must commit contractually to meeting and sustaining that requirement.
For entities that utilise cloud services, it is important that you verify that the proper legal data transfer mechanisms are in place as well. If your data processors are not actively engaging with you on this and all other issues relating to data protection by this stage, you need to start asking questions.
Appointing and embedding the data protection officer
If your organisation is a public body, systematically monitors data subjects on a large scale, or handles special categories of protected data, you must employ a DPO who reports to the highest level of the organisation. By now your DPO should be in position, fully resourced and supported to lead your GDPR compliance programme.
Even if you do not officially need to appoint a DPO under the terms of the regulation, you will need to ensure that you have sufficient staff with designated responsibilities for ensuring compliance. There appears to be a shortage of qualified data protection specialists in the UK at the present time, which is not surprising. One alternative is to consider appointing a third-party specialist to assist in your GDPR compliance activities.
As we approach the run-in to zero day, these are the kinds of activities that should be well under way for businesses that are on track. As a data processor for our customers, iland is working closely with them to ensure that they know just how we will fulfil our side of the deal with robust security, audit and management.
For organisations that are less well-prepared, the key at this stage is to be able to demonstrate that they are at least working towards compliance.
Remember, of course, 25 May is just the start of a continuous commitment to improving data privacy for everyone. So even if your organisation has met all its GDPR deadlines, the work will be ongoing and security, policies and procedures will need continuous assessment and re-assessment - it isn't a one-off project.
Frank Krieger is vice president of governance, risk & compliance at secure cloud hosting and backup specialist iland