White Paper

The procrastinator’s guide to the General Data Protection Regulation

By Richard Harpur

May 25th, 2018 is the effective date for the General Data Protection Regulation (GDPR). On this date, significant changes to European Union (EU) data protection laws will be in place, users will enjoy significant control over how organizations manage their data, and organizations found not compliant could face fines of up to 4% of annual turnover or €20 million. A reminder: the GDPR applies to any organization that is processing data or providing goods or services, whether paid for or not, to citizens residing within the EU.

With little time remaining before the May 25th deadline, what can leaders do if they are struggling to comply with the new law? 

The following steps don’t represent a comprehensive task list to achieve compliance with the GDPR, but these recommendations provide a starting point for activities to prioritize as the deadline nears. 

Conduct a data inventory

Being unaware of what data an organization is holding and responsible for after May 25th won’t be viewed favorably by supervisory authorities (the regulators in each EU country). Because many organizations don’t pay close attention to data retention and inventory, some may be shocked to discover the volume of unnecessary data they store or process. As part of the inventory, organizations should determine the category of data being processed. Is it Personally Identifiable Information (PII)? Are there special categories of data being processed, such as biometric data or health data?

Minimize data processing

Under the GDPR, the mere act of saving data is deemed to be processing. Once a data inventory is complete, steps should be taken to minimize the volume of data processed. Any data no longer required to be retained should be securely deleted with a record kept of the deletion.
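The two steps above (inventory the data, classify it into ordinary PII and special categories, then delete what is no longer needed while keeping a record of the deletion) can be captured in a small, auditable routine. The following Python is an added illustration, not code from this white paper or from Pluralsight: the asset fields, category names, retention periods and the sample inventory are constructed assumptions, and the secure-deletion step is represented by removing the asset from an in-memory store so the example runs offline.

```python
"""Toy data inventory with category tagging and retention-driven deletion.

Added example (not from the white paper). Assumptions: each asset carries an
owner, a category, the last date a documented purpose needed it, and an
assumed retention period. "health" and "biometric" are treated as special
categories, matching the examples the paper names.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Tuple

SPECIAL_CATEGORIES = {"health", "biometric"}          # special categories named in the paper
PERSONAL_CATEGORIES = SPECIAL_CATEGORIES | {"pii"}    # everything a person can be identified from


@dataclass(frozen=True)
class DataAsset:
    name: str             # constructed identifier, e.g. a table or export file
    owner: str            # team accountable for the asset
    category: str         # "pii", "health", "biometric" or "none"
    last_needed: date     # last date a documented purpose required the data
    retention_days: int   # assumed retention period for this asset

    def is_special(self) -> bool:
        return self.category in SPECIAL_CATEGORIES

    def expired(self, today: date) -> bool:
        # Retention is counted from the last date the data was actually needed.
        return today > self.last_needed + timedelta(days=self.retention_days)


@dataclass(frozen=True)
class DeletionRecord:
    asset: str
    category: str
    owner: str
    deleted_on: date
    reason: str


def summarize(inventory: List[DataAsset]) -> Dict[str, int]:
    """Count assets per category so it is clear what the organization holds."""
    summary: Dict[str, int] = {}
    for asset in inventory:
        summary[asset.category] = summary.get(asset.category, 0) + 1
    return summary


def special_assets(inventory: List[DataAsset]) -> List[str]:
    """Names of assets in special categories, which need the closest attention."""
    return [a.name for a in inventory if a.is_special()]


def enforce_retention(
    inventory: List[DataAsset], today: date, delete_fn: Callable[[DataAsset], None]
) -> Tuple[List[DataAsset], List[DeletionRecord]]:
    """Delete expired assets and keep a record of each deletion.

    delete_fn performs the actual (secure) deletion and is called before the
    record is appended, so a deletion that raises is never recorded as done.
    """
    kept: List[DataAsset] = []
    records: List[DeletionRecord] = []
    for asset in inventory:
        if asset.expired(today):
            delete_fn(asset)
            records.append(DeletionRecord(
                asset.name, asset.category, asset.owner, today,
                f"retention period of {asset.retention_days} days expired",
            ))
        else:
            kept.append(asset)
    return kept, records


# Constructed sample inventory for the demonstration.
SAMPLE_INVENTORY = [
    DataAsset("crm.customers", "sales", "pii", date(2018, 4, 1), 365),
    DataAsset("hr.medical_leave", "hr", "health", date(2016, 1, 15), 730),
    DataAsset("marketing.old_export.csv", "marketing", "pii", date(2017, 11, 1), 90),
    DataAsset("ops.server_metrics", "ops", "none", date(2018, 5, 1), 30),
]


def run_demo(today: date = date(2018, 5, 25)):
    """Run inventory summary and retention enforcement against a toy data store."""
    # The store stands in for real storage; deletion removes the asset from it.
    store = {a.name: b"<constructed contents>" for a in SAMPLE_INVENTORY}

    def secure_delete(asset: DataAsset) -> None:
        del store[asset.name]   # real code would overwrite/destroy the data here

    summary = summarize(SAMPLE_INVENTORY)
    kept, records = enforce_retention(SAMPLE_INVENTORY, today, secure_delete)
    assert set(store) == {a.name for a in kept}   # store and records agree
    return summary, kept, records


if __name__ == "__main__":
    s, k, r = run_demo()
    print("held by category:", s)
    print("special categories:", special_assets(SAMPLE_INVENTORY))
    for rec in r:
        print(f"deleted {rec.asset} ({rec.category}, owner {rec.owner}) on {rec.deleted_on}: {rec.reason}")
```

The deletion record deliberately stores the asset name, category and owner rather than any of the deleted data itself, so the log demonstrates that the deletion happened without becoming a second copy of the personal data it was meant to remove.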

Undertake a risk assessment

Using the data inventory, organizations should undertake a risk assessment. The GDPR requires that a risk-based approach be taken to ensure organizations are GDPR compliant. More information about how to successfully undertake a risk assessment can be found in my ISO/IEC 27001 Big Picture course.

Protect data through security controls

Ensuring an organization has sufficient technical and organizational controls in place to protect data is a mandatory requirement of the GDPR. A formal security program is expected with technical, administrative and physical safeguards in place to protect data.

Determine if a Data Protection Officer is required

Under the GDPR requirements, some categories of organizations will need to appoint a Data Protection Officer (DPO). The DPO role carries significant power and independence within an organization, and may be filled by an employee or outsourced to a specialist provider. If you determine that a DPO is not required, the reason for this decision needs to be formally documented.

Provide education for staff

Your teams need to be aware of new responsibilities that will be ongoing post-May 25th. All team members with access to data need to be fully trained on what obligations the GDPR places on organizations, and the enhanced rights users acquire in relation to the management of their data.

Document a plan for the future 

It’s likely that organizations will have some work remaining after May 25th. In addition to the obligations already mentioned, organizations must also prepare more fully for a data breach, ensure clarity of consent from users, provision the ability for users to take all their data from an organization in digital form, honor the right for a user’s data to be erased, and more. Being able to provide supervisory authorities with a detailed plan for GDPR compliance will help demonstrate that you take the new law seriously. This will also keep your teams focused until all requirements are met and your organization is fully compliant. 

The GDPR marks a shift in data protection worldwide. This is new territory for leaders and their respective supervisory authorities as the GDPR provides regulators the power to take action against organizations that fail to comply. To jump start your GDPR preparation, commit to understanding the data being held by your organization, undertake a risk assessment to identify vulnerabilities, then ensure there are technical, organizational and physical controls in place. These are critical first steps to running a digital business come May 25th—and beyond. 

About the author

Richard Harpur is a highly experienced technology leader with a remarkable career ranging from software development and project management through to C-level roles as CEO, CIO, and CISO. Richard is highly rated and ranked in Ireland's top 100 CIOs. As an author for Pluralsight, a leader in online training for technology professionals, Richard's courses are highly rated in the Pluralsight library and focus on teaching critical skills in cybersecurity, including ISO 27001 and ransomware. As a Certified Information Security Manager (CISM), Richard is ideally positioned and passionate about sharing his extensive knowledge and experience to empower others to be successful. Richard also writes extensively on technology and security leadership and regularly speaks at conferences. When he is not writing for his blog www.richardharpur.com, Richard enjoys hiking with his wife and 4 children in County Kerry, the tourist capital of Ireland. You can reach Richard on Twitter @rharpur.