The General Data Protection Regulation (GDPR) recently took effect in May, and companies in the European Union (EU) aren’t the only ones that it will impact. In fact, it has already affected many businesses and organizations in the United States.
Even if your business isn’t located in the EU, as long as you’re doing business with, selling to, or marketing to consumers in the EU, your site may still need to be GDPR compliant. However, even if you don’t need to be compliant, in the security-risk-averse environment we operate in today, all organizations that collect or store data should consider implementing some key security practices. So, how exactly will GDPR impact businesses outside the EU, and what are the necessary steps to determine whether you need to be GDPR compliant or just need to make your data more secure?
GDPR can be a bit confusing and there are many requirements that may or may not apply to your business depending on your situation and your online visitors. So how do you determine how secure your site needs to be and whether you need to go so far as to be GDPR compliant? For the most part, unless you have a large number of European users, the cost of implementing compliance may outweigh the benefit of having a European user base at all. If your business doesn’t sell or market to EU citizens but rather works or partners with EU organizations, then you may still need to be GDPR compliant. If only a small portion of your users or partners are located in the EU, you should at least make sure the data that’s rolling in is secured.
Either way, it’s always a good idea to improve security measures in today’s data-risky environment as specific rules and requirements are still a bit confusing. The key steps outlined below, in part one of this two-part series, will help you to secure your data through better business processes. Part two of this series will examine how technical implementations help with data security.
The Business Process Toward Better Security
1. Identify all “personal data” for ALL systems
The first step toward enhanced security and GDPR compliance is to identify and locate all of the data that you collect and maintain. Most of the heavy lifting comes in the first step, because you could potentially have personal data in many different places including email messages, accounting systems, documents, and other files. The next step is in aggregating all of that data into one space.
In order to locate the data that is spread out, a thorough business audit will be needed to dig up the personal data that has been collected across your business. You will need to examine all of your systems in order to collect everything, and once you do, an automated system such as customer relationship management (CRM) software like Salesforce can really help keep your business compliant. Keep in mind that the algorithm within your CRM can differentiate personal from non-personal data and can ensure it is properly managed and secure. Without first identifying what you consider to be personal data, these algorithms cannot be properly configured.
2. Determine retention policies for all data
Defining your data retention policies can be tricky. Some companies might want to retain data indefinitely, though it would seem that method would not align with GDPR’s intentions or security best practices. There aren’t specifics as to the amount of time (minimum vs. maximum) that a business must retain information, but there are some timelines set for specific cases like pension transfers and suitability records depending on your type of business.
Ultimately it’s up to the data controller to decide when data is no longer required for business purposes and to ensure personal data is deleted when it is no longer needed in order to reduce risk. So how do you set those specifications?
● All data is NOT created equal. Think about the type of data you have stored and what you really need it for or how you intend to use it.
● Data retention isn’t as big of an issue during your client and customer relationships, but more of a concern after both parties have parted ways.
● If the data that has been collected is no longer needed, you should dispose of it if it does not fall under the special case examples (pension transfers and suitability records).
● Your business could always set a maximum retention period for past clients. For example, retaining information for 5 years after a client has moved on.
There are a lot of scenarios to consider and the information around data retention has been a little murky in the beginning phases of GDPR. As businesses go through the process and cases come to light, we should have a better understanding of data retention baselines and conflicts.
3. Make decisions on how user data will be provided or removed upon user request
When data is no longer being used, or when a user asks to know what data you have on them or wants to have their data removed, businesses should have a secure system in place for that process. Depending on your business and the number of resources available internally, there are different approaches that can be taken toward discarding user data. The first option is a manual approach, in which a designated staff member removes the data or provides it to the user based on the request. The second is to configure your system to automatically receive requests, consolidate the data, and then remove it or provide it to the user.
4. Audit and assess what might constitute a data breach
GDPR requires businesses to notify people of data breaches, which is becoming an accepted best practice among companies and is increasingly expected by users. Under GDPR, failure to notify will result in a hefty fine that could potentially be added on top of other fines for failing to properly secure the data. Even if personal data is lost or unavailable only for a short period of time, it will still be considered a data breach.
When assessing breaches, consider the type of breach that has occurred. There are three basic types of breach:
● Confidentiality Breach (Privacy): Personal data that has been disclosed, and was provided in confidence, to any third party without consent
● Availability Breach (Security): Data that is lost, non-accessible, or destroyed
● Integrity Breach (Consistency): Data that has been altered or modified in any way by unauthorized people
Once you’ve identified the type of breach, there are many other factors to consider. Businesses must take into account how much data was breached and the sensitivity of that data. Data falls into sensitive and non-sensitive categories: sensitive data includes any personal beliefs or orientations, whereas non-sensitive data includes things like cookie IDs.
If a breach does occur, under GDPR, businesses are required to notify a Data Protection Act officer as soon as the data controller becomes aware of the breach or within 72 hours. If the situation is very complex to the point where an investigation is necessary, then businesses may be allowed to delay notification beyond the 72 hours. As long as the DPA is initially notified, businesses could provide additional details after completion of internal investigations.
Assessing Your Tool Belt
It’s good practice to take a look at the current tools that your business is using to access customer data. Say your current tools are working great and you have good security measures, but you want to add a few more tools to the tool belt. Would other tools accessing that data constitute a breach? Auditing those new tools to make sure they won’t cause any accidental breaches is very important. As a way to combat data breaches from internal or external sources, a Security Information and Event Management (SIEM) system will come in handy; it acts as a kind of cyber psychic. A SIEM will send out an alert when there is a potential threat that could cause a data breach. It looks for malicious activity and could help your company avoid serious fines in the long run.
5. Document all security policies and access control
Part of the GDPR requirements is documenting security policies and access control, which helps lay out the requirements and processes of managing user data and handling certain cybersecurity issues. It’s a way to help establish a foundation and delegate important security roles for employees.
Information Security Policy
The information security policy will ensure that all employees understand and comply with the rules and guidelines and explain that there are consequences for disregarding those expectations. Businesses will want to make sure that the items prioritized in GDPR regulation are included and specified.
Access Control Policy
The Access Control Policy will specify which employees have access to the data that is being collected. The policy typically outlines control standards and implementation along with the process that employees must follow from securing workstations to removing employee access when they leave the company.
Data Retention Policy
Most people save documents because they think they might need them later or because they keep them for legal reasons. Both reasons are valid, but it’s important to be judicious about the documents that are retained. When assessing data retention, it’s important to think about what data would need to be archived and what data needs to stay on your servers. Other things to think about include the type of data you have collected, how long that data has been stored, and the last time that data was accessed.
Inside or outside of GDPR, it’s always a best practice to ensure that personal data is secured and managed properly in order to avoid any potential data breaches, which can affect your business’s finances and even its reputation. Having well-maintained and up-to-date business practices in place is key to securing user data.
Check the Web Insights Blog next week for part two of this series: GDPR’s Impact on Data Security: Technical Processes.