Has COVID-19 made local government less cyber secure?
The General Data Protection Regulation (GDPR) is a European law that protects the privacy of European citizens on the one side and helps to create awareness in processing personal information on the other. Thanks to GDPR, CISO’s like you have a lot of extra work to do. The amount of administrative proceedings that result from the GDPR is huge, your organisation provides resistance and time has run out! After all, since May 25th 2018 the organisation had to be in accordance with GDPR.
This article describes the first three steps that every sensible CISO will take immediately. In our checklist we will discuss these three steps in more detail and will talk about the necessary follow-up steps.
GDPR is all about awareness
The legislator wants organisations to think about the processing (collecting, editing and documenting) of personal information. It does not matter whether we are talking about information about customers, leads or employees. In all cases we are dealing with personal information.
Within the GDPR the legislator therefore attaches a lot of value to reducing the amount of personal information as well as to map the potential risks. Next to this, measures to prevent data leaks, verifying the effect of these measures and reducing the damage are important theme’s. Acting inaccurate or concealing incidents can lead to high fines.
“The goal of GDPR is to create awareness on how to interact with personal information. We can see this in the fact that the legislator punishes not reporting a leak with a higher fine, than for the leak itself.” Erick van Veghel, CISO.
How do I start?
Start by putting together the right team. Nowadays, most organisations stock their information digital. Many different systems and applications use this information and share it. The team that is going to advise your organisation on the new GDPR legislation has to have the right knowledge on board. Ideally, the core of your team exists of one legal expert, one privacy expert and one IT employee. In their work they will involve all the responsible managers and a specialist per department.
1. Acquiring understanding
Chu Chao, lawyer at HVG Law, advises starting with mapping your current data streams. Because there can be many data streams it is wise to start with the most important or most sensitive data streams. Here you need to ask questions like:
- Which data do we collect, and where?
- Where and how do we store this data?
- Who receives or has access to this data?
This way you will get an understanding of the infrastructure and systems of your organisation.
2. Determining the impact on your organisation
Once you have mapped all the data streams of your company you need to mirror them to the GDPR by using a gap-analysis. In doing this you look at the current situation and compare it with the desired situation. This comparison will give you a set of measures that are necessary in order to fill up the gaps. In some cases there are existing policies that you just have to update. In other cases you need to start from scratch and create your own policies. It is sensible (but not always obligatory) since this based on a register.
Maintaining your processing register
If the company you are working for has 250 or more employees, you need to describe all changes of personal information in an internal register. If the organisation you are working for has less than 250 employees only a registration obligation is needed if:
- Risky changes have occurred, for instance automatic profiling for targeted marketing or an automated rejection of health insurance.
- An organisation processes sensitive information, for instance medical information.
- An organisation processes a very great amount of information.
If you set up your processing register according to the regulations, you immediately comply with the registration obligation within the GDPR. The register can be managed in anything from a spreadsheet to a specialized software solution. The content of the register is bound by rules. Our checklist on GDPR compliance gives more detailed information on this matter. It should be clear that information in your register needs to be up-to-date and complete.
3. Creating and maintaining a policy
The processing register gives you an understanding of the processed personal information and obliges you to think about which personal information you are storing, why you are doing this and how you can protect this information. This is the foundation for the creation of an additional policy. According to Chu Chao, the reason the legislator does this is to make sure that we take privacy very seriously and are willing to think about which data we want to gather and store and why we want to do so. The term “data minimisation” is very important here. This means only storing the data that we really need with a minimal retention period. This is in strong contrast with how many organisations are working right know. Nowadays many companies have some kind of the following policy: “We store everything and as long as possible, you never know when you are going to need it”. As a result of this, many companies see privacy as a burden. This illustrates the fact that we have gone a bit too far in the gathering of personal information. The GDPR corrects this.
- The identity and contact information of the person responsible for the information. In most cases this is your company. If you have a privacy officer, the contact information of this person needs to be mentioned as well.
- The goal of the processing of the information and the legal basis for this.
- The third party that receives the information. If this party is located outside the European Economic Area (EEA) extra security measures need to have been taken in order to ensure the handover outside the EEA is permitted.
- The retention period of the personal information.
- Information concerning the rights of those involved, this includes:
- The right to restricting, access, correction and deleting of the information.
- The right of data portability, for instance to take along data from one organisation to another.
- The possibility to retract processing permission, for example by using the opt-out function in an email.
- The possibility to put in a complaint with the authorities.
We have described all the necessary steps you have to take in order to meet the GDPR legislation in our checklist. This document elaborates on things like creating a processors agreement, getting permission for processing personal information and security measures that have to be taken.