First things first
Start by raising awareness of privacy and personal data within your organisation. A broad base of support and understanding is essential. Get the top people and decision makers on board, as they will have to provide the push... and the money! But also reach out to everyone else in the organisation, as they will all have to 'live' GDPR and data protection on a day-to-day basis, in every practice.
Make sure that everyone sees the benefits of complying with privacy rules and of handling data carefully and securely, in particular the business benefits, such as improved revenue through increased customer trust.
Start from the current situation
A GDPR exercise is highly data centric, but never lose sight of infrastructure and organisational aspects.
Start by looking for ‘personal data’ in the broadest practical sense, but take note of all important data that needs to be protected (financial and commercial information, intellectual property, etc.). Be aware that the GDPR concerns all data and combinations of data elements that allow a specific person (the data subject) to be identified, including technical elements such as IP addresses.
Look for this data in obvious places (databases, etc.), but also in those pesky ‘Excel’-files, small ‘ad hoc’/DIY databases (MS Access,…), in unstructured datasets (documents, social media, etc.), on all kinds of data storage devices (cd-roms, memory sticks, data tapes, in cloud storage, etc.), both in electronic format… and on paper (on site and off site, including paper archive services)! Use GDPR to regain control of data proliferation and bloat.
Check and document which applications and solutions make use of personal data, who has access to this data, and who uses the applications that process personal data. Do the same for other important data. Of course, don’t do this for all solutions at once: start with the logical ‘suspects’ (customer data, HR, etc.).
Document your data model
Map the data flows between processes, solutions, internal departments and external parties. By what means does the data flow (data transmission, APIs, etc.) and at what level of privilege?
Check the access management means and procedures in place (IAM, multi-factor authentication, etc.) and the security measures (e.g. encryption of data at rest and in transit, as required by the GDPR).
Look at the business and organisational side of ‘personal data’ use. Map the use of this data throughout business processes across different parts of the organisation (and perhaps different sites, countries, continents). Is all of this documented, both from a technical/infrastructure point of view, as well as from the user perspective?
Are personal data being processed by parties outside the organisation? Outside Europe? Check whether the contracts with these outside parties guarantee the necessary level of data protection, regardless of the geographical location of the processing and/or data storage facility.
When handling personal data of data subjects from outside the European Union: be sure to check which data protection laws apply!
Go for GDPR compliance
Make sure that all your GDPR-oriented efforts benefit the appropriate handling of personal data, but also help protect all other important data!
Consider an enterprise architecture from a data perspective, including data classification and data categorisation.
Create a register with records of processing activities (see Article 30) and keep it up to date!
Carry out a gap analysis between the present state of data protection and what’s needed to be GDPR compliant (and to protect all important data). Select a security management framework to structure improvements. Plan a roadmap to achieve the required/desired level of protection.
When starting a project with potential high risks involving personal data processing (e.g. introducing a new technology; use of particularly sensitive data; etc.), it may be necessary to perform a Data Protection Impact Assessment (DPIA).
Ensure that personal data is protected ‘by default’ and ‘by design’, whichever way it is processed or stored (electronically, on paper), throughout the whole use/life cycle (data acquisition, use, access, storage, archiving, deletion), and by all parties involved.
Provide for all the necessary procedures and resources to inform data subjects, and to handle requests from data subjects and data protection authorities.
Be prepared to deal with incidents (data leaks, data theft, misuse/abuse, damage to data integrity, etc.). This includes detecting problems, stopping and mitigating a problem, and being prepared for all related communications (including reputation damage control).
The GDPR imposes particular restrictions on the use of sensitive data, such as medical data, biometric data and more, and on the use of data of young people. Make sure to comply with these restrictions!
This is not a solo job
GDPR compliance is a tough challenge. Every organisation should, at the very least, appoint a person responsible for privacy/personal data protection at the highest decision-making level (board, CxO), as well as a person who checks on the actual implementation. For some organisations, the GDPR includes the obligation to appoint a ‘data protection officer’ (DPO). For larger organisations, that’s preferably a team with a variety of experts and stakeholders. Even if your organisation is not legally obliged to appoint a DPO, do have an internal (or external) reference (person, team) for help or advice on privacy/data protection. If there’s a person/team responsible for ‘artificial intelligence’ applications, they should also be involved in GDPR compliance, given the privacy pitfalls in AI.
Finally, GDPR - as with any kind of compliance - is a never-ending effort! Always be ready to do better … in order to reap the benefits of a more trustworthy business environment! Always have an eye on how GDPR/privacy compliance can strengthen your organisation’s business operations and strategy. Make your GDPR efforts pay off with greater success!
Assistance with writing this article
Guy Kindermans wrote this article in collaboration with Christiane Vandepitte, who is an experienced business analyst and software designer.