With the May 25 deadline looming to achieve compliance with the European Union's General Data Protection Regulation, the new set of guidelines should be more than a blip on the radar for CIOs. The time for GDPR preparation is now, but doing so still intimidates many in the industry.
To help with the process, Nicholas Merker, a partner and co-chair of Ice Miller's Data Security and Privacy Practice, recently led a SearchCompliance webcast presentation to guide IT execs through the intricacies of the EU's new data protection regulation.
During his presentation, Merker outlined measures CIOs can take to meet GDPR compliance requirements. The first step, Merker stated, is to create a "map" of all personal data being processed in a given network. To explain the importance of this map, Merker asked a few simple but important questions: "If you don't know where your personal data is, and how it's flowing in and out of your company, and how it's being processed in your company, how can you possibly assess your compliance issues? How can you possibly build a compliance program if you don't know where anything is?"
Next, Merker stated, it is important for CIOs to understand exactly why they are processing data. This matters because one of the most discussed parts of the GDPR is its restriction of the legal grounds on which companies can process personal data. Under the GDPR, personal data can only be processed when at least one of the following lawful bases applies:
- The individual has given consent
- Processing is necessary to perform a contract with the individual
- Processing is required to meet a legal obligation under EU or member-state law
- Processing is necessary to protect the individual's vital interests
- Processing is necessary for a task carried out in the public interest
- Processing is necessary for the organization's (or a third party's) legitimate interests, provided those are not overridden by the individual's rights and interests
One problem organizations could run into, Merker said, arises when data is processed under the last three grounds on the list above. Merker stated that the GDPR's description of these circumstances is very thin, and data controllers relying solely on these grounds should look for other bases to justify the processing. This is especially important because the GDPR's emphasis on individual rights makes it easier for individuals to object to how their personal data is being processed.
To prepare for the GDPR, Merker said that organizations should implement GDPR compliance procedures, review vendor contracts, ensure they have a valid basis such as consent before processing new personal data, and then update their security programs if necessary. Merker noted in his presentation that there is no single GDPR compliance checklist to follow, despite claims by some vendors that they can guarantee their customers will meet GDPR compliance requirements.
The next step Merker recommended for organizations to meet GDPR compliance requirements was to test their data breach response plan. The GDPR's breach notification mandate is aggressive: a data controller must notify the supervisory authority within 72 hours of becoming aware of a breach, and a processor must inform the controller without undue delay. This quick turnaround makes it pivotal that CIOs ensure their response to data breaches is as efficient as possible. The optimal way to ensure this, according to Merker, is to conduct a dry run of the data breach response plan.
Another task for CIOs to complete before the GDPR takes hold May 25 is to designate a data protection officer (DPO), a role the regulation makes mandatory for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. A data protection officer ensures all data processing within a company complies with the regulation. Merker warned of the potential conflict of interest should a CIO serve as DPO, because someone overseeing data processing would struggle to remain impartial when monitoring their own compliance. Merker added that a DPO can be a third party or a contracted service provider.
Finally, CIOs should establish specific processes to meet GDPR compliance requirements and document how these processes are implemented, Merker said.