Navigating the Seven Key Principles of GDPR
When it comes to expectations around the necessity for securing and protecting customer data, GDPR is very clear. What isn’t quite as clear is exactly how organizations should go about securing the data. We don’t know what to expect when it comes to GDPR enforcement, and some regulations are left up to interpretation as to how organizations should design their strategy. Also, the path to compliance will probably be different for everyone, even though the end result will be the same.
When it comes to getting GDPR compliant the good news is that it really doesn’t matter where you are in the process of developing your GDPR strategy. We just encourage you to put the anchor down long enough to evaluate some of your key processes and assess your level of risk based on these seven key GDPR principles:
Lawful, fair and transparent processing
This principle emphasizes transparency for all EU data subjects. When the data is collected, it must be clear as to why the data is being collected and what the data will be used for. Organizations also must be willing to provide details surrounding the data processing when requested by the data subject. For example, if a data subject asks who the data protection officer is at that organization or what data the organization has about them, that information needs to be available.
Purpose limitation
This principle means that you need to have a lawful and legitimate purpose for processing the information in the first place. Consider all the organizations who make you fill out a form with 20 fields, when all they would need to sell you that gadget is your name, email, shipping address and maybe a phone number in case they need to get ahold of you. Simply put, this principle says that organizations shouldn’t collect any piece of data that doesn’t have a specific purpose, and those who do can be out of compliance.
Data minimization
This principle instructs you to ensure the data you are capturing is adequate, relevant and limited. In this day and age, businesses collect and compile every piece of data possible on you for various reasons, such as understanding customer buying behaviors and patterns or remarketing based on intelligent analytics. Based on this principle, organizations must be sure that they are only storing the minimum amount of data required for their purpose.
Accurate and up-to-date processing
This principle requires data controllers to make sure information remains accurate, valid and fit for purpose. To comply with this principle, the organization must have a process and policies in place to address how they will maintain the data they are processing and storing. It may seem like a lot of work – you can expect it to be – but a conscious effort to maintain accurate customer and employee database will help prove compliance and hopefully also prove useful to the business.
Limitation of storage in the form that permits identification
This principle discourages unnecessary data redundancy and replication. It limits how the data is stored and moved, how long the data is stored, and requires the understanding of how the data subject would be identified if the data records were to be breached. To ensure compliance, organizations must have control over the storage and movement of data. This includes implementing and enforcing data retention policies and not allowing data to be stored in multiple places. For example, prevent users from saving a copy of a customer list a local laptop or moving the data to an external device such as a USB. Having multiple, illegitimate copies of the same data in multiple locations is a compliance nightmare.
Confidential and secure
This principle protects the integrity and privacy of data by making sure its secure (which extends to IT systems, paper records and physical security). An organization that is collecting and processing the data is now solely responsible for implementing the appropriate security measures that are proportionate to the rights and risk of the individual data subjects. Negligence is no longer an excuse under GDPR, so organizations must spend an adequate about of resources protecting the data from those who are both negligent or malicious. To get compliant, evaluate how well you are enforcing security policies, utilizing dynamic access controls, verifying the identity of those accessing the data, protecting against malware/ransomware, etc.
Accountability and liability
This principle ensures that you are able to demonstrate compliance. Organizations must be able to demonstrate to the governing bodies that they have taken the necessary steps comparable to the risk their data subjects face. To ensure compliance, be sure that every step within the GDPR strategy is auditable and can be compiled as evidence quickly and efficiently. For example, GDPR requires organizations to respond to requests from data subject as to what data is being held on them and promptly remove that data, if desired. You would not only need to have a process in place to manage the request, but it would need to have a full audit trail to prove that you took the proper actions.
There are a lot more details within each of these requirements, but gaining a basic understanding is a great starting point. Take the time you need to evaluate your risk and remember to be as honest as possible with yourself when evaluating where you are today. Then, start charting your course, and plan to come across unplanned challenges along your journey.
We have passed the GDPR compliance deadline of May 25, 2018.
GDPR Risk Assessment
Gauge your own GDPR readiness and discover how much risk your organization may face around the key data protection requirements. After you complete the survey, we will provide some strategies that you should consider adding to your GDPR compliance plan to help you prepare for the compliance deadline.