In our blogs, “Initiating Steps On The Path To GDPR Compliance” and “GDPR Compliance – Assessing Data Controls and Risk Management”, we discussed data mapping and risk assessments. Today, we are going to discuss governance.
7 Key Components of the GDPR
There are seven key components of the GDPR:
- Consent – You need a clear and affirmative action from an individual to possess and process their personal data.
- Right to Access – An individual has the right to know what personal data you have and what you are doing with it. You must provide them an electronic copy upon request.
- Right to Erasure – An individual has the right to require the deletion of their personal data if the continued processing is not justified.
- Data Portability – Individuals have the right to require companies transmit their personal data to another company.
- Breach Notification – Individuals must be notified with 72 hours of a data breach involving their personal data.
- Privacy by Design – Data protection must be incorporated into the design of systems from the beginning, not just added later. And companies can only hold and process the data absolutely necessary to complete its duties (data minimalization) and limit the access to that data.
- Data Protection Officers – Certain large-scale data processing companies must hire a Data Protection Officer, who acts independently to assess the company’s compliance to the regulations.
These components specify the “What needs to be done”, but not the how. That is where governance comes in. Governance ties everything together into a thought-out, systematic approach. If you undertake your data mapping and risk assessment without your governance program in place, your efforts are going to be scattered and unfocused. Governance starts at the top, meaning the C-Level. If the executive level isn’t involved and supportive, your compliance to the GDPR regulations will eventually falter and fines will result.
The Importance of Data Mapping
The first four key components of the GDPR discussed above require a recordkeeping system to prove your compliance. You must be able to prove you received consent, that you know who has access to the data, and that is was deleted. Data mapping is not a one-time event. You must revise your data maps as processes are added, changed, or deleted. Similarly, risk assessment must be update as technology changes and new attack vectors are discovered. And since insider mistakes account for a large portion of data breaches, employee education and training is an ongoing concern. Your governance program must include a process to verify all of these things are occurring and being tracked. Privacy by design and data minimalization require a revamping of processes to only provide the necessary information (Does your shipping department need to see a customer’s phone number or email address to send out a box?) The protection of privacy has to become a paramount concern within your organization. A governance program must start in the beginning, incorporated into design reviews and process rollouts to eliminate these issues before they are a problem. The American healthcare industry underwent a similar paradigm shift fifteen years ago with the implementation of the HIPAA privacy rules. Previously, you talked to pharmacist in front of everyone in the store. Now, it is common practice to have privacy barriers and small discussion cubicles in all medical environments. It was a fundamental shift in how privacy was addressed. This change is now coming to all data controllers and processors. Learn more about how Optimal IdM can help you achieve GDPR compliance by contacting us now.