The GDPR is big news. There seems to be an endless stream of organisations coming to the market with silver bullets or magical applications which will “take away all of your pain and GDPR requirements”, but the reality is that these solutions can only support your compliance. The idea behind the GDPR is to set a standard, practical requirement for data protection, but it doesn’t say how you should do it…
There is no mention of Firewalls, Data Loss Prevention (DLP) solutions or File Integrity Monitoring because the GDPR is applicable to all organisations processing personally identifiable information; from banks to managed service providers, to local councils and corner shops. The above controls may not be applicable to all those types of organisations. What Falanx recommends is a pragmatic, common sense approach to compliance.
It is imperative that organisations understand what information they have and justify it. Once an organisation goes through this process, it is in a much better place, as it can remove unrequired information (from PCs, laptops, emails, etc.) and understand exactly what information it needs to protect. How can an organisation justify that it has protected its data if it doesn’t know where that data is?
The GDPR states that all processing should be lawful – this does not only mean consent! There are lots of reasons that processing is lawful and consent is just one of these. Organisations should assign a lawful justification to all personally identifiable information within the organisation.
Once you know what information you have, you need to protect it through privacy by design and privacy impact assessments. It is important that organisations can evidence that they have actively understood the risks associated with their data processing activities and have implemented controls or solutions to reduce the risk to an acceptable level.
The GDPR mandates several “Rights of the data subject”, including the right to access data or the right to be forgotten. Organisations should define processes for these requirements to ensure they can be met in an orderly, pragmatic fashion without undue delay.
Should an organisation collect data directly from a data subject, there is a very detailed subset of information that they must provide to the data subject at the time of collection. This information is clearly defined within the GDPR standard and must be presented to the data subject on forms, websites, and contracts.
3rd Party Management
If an organisation receives data from a 3rd party, it is the organisation’s responsibility to ensure the data it has received is lawful. If the organisation is giving the data TO 3rd parties, it is the organisation’s responsibility to ensure the 3rd party manages the data securely. This can be managed within a robust vendor management process and should be evidenced in the form of contractual agreements and due diligence processes.
The requirements around incident response have been strictly defined:
- The controller must notify the ICO within 72 hours of a breach being identified.
- The controller must notify the data subject without undue delay (once identified).
- The processor must notify the controller without undue delay (once identified).
This should be formalised in an incident response process, and employees, as well as 3rd parties, should be made aware of their obligations.
If you want to find out more about the GDPR, we will be launching a free GDPR guide this month. In the meantime, you can get in touch with us to find out how we can help.
Nigel Gildea, Head of Consulting, Falanx Cyber