Navigating the Seven Key Principles of GDPR

The job of a ship captain is to safely navigate their vessel – whether it is a fishing boat, cruise ship or an ocean barge – through rough water or stormy seas to ensure they get to their destination in the end. Even with today’s unbelievably accurate radar technology, they can never be totally sure what to expect from mother nature. Also, their path isn’t always the same or completely defined for them. There is a level of nervous excitement and uncertainty every time the ship leaves the dock.

It can be a similar experience for enterprises who are navigating their way through new compliance standards such as the upcoming General Data Protection Standards (GDPR). When it comes to expectations around the necessity for securing and protecting customer data, GDPR is very clear. What isn’t quite as clear is exactly how organizations should go about securing the data. We don’t know what to expect when it comes to GDPR enforcement, and some regulations are left up to interpretation as to how organizations should design their strategy. Also, the path to compliance will probably be different for everyone, even though the end result will be the same.

When it comes to getting GDPR compliant within the next year, maybe your organization hasn’t even left the dock? Or, maybe you have been out to sea for a while, but are hitting rough waters? The good news is that it really doesn’t matter where you are in the process of developing your GDPR strategy. I encourage you to put the anchor down long enough to evaluate some of your key processes and assess your level of risk based on these seven key GDPR principles:

  1. Lawful, fair and transparent processing – This principle emphasizes transparency for all EU data subjects. When the data is collected, it must be clear as to why the data is being collected and what the data will be used for. Organizations also must be willing to provide details surrounding the data processing when requested by the data subject. For example, if a data subject asks who the data protection officer is at that organization or what data the organization has about them, that information needs to be available.
  2. Purpose limitation – This principle means that you need to have a lawful and legitimate purpose for processing the information in the first place. Consider all the organizations who make you fill out a form with 20 fields, when all they would need to sell you that gadget is your name, email, shipping address and maybe a phone number in case they need to get ahold of you. Simply put, this principle says that organizations shouldn’t collect any piece of data that doesn’t have a specific purpose, and those who do can be out of compliance.
  3. Data minimization – This principle instructs you to ensure the data you are capturing is adequate, relevant and limited. In this day and age, businesses collect and compile every piece of data possible on you for various reasons, such as understanding customer buying behaviors and patterns or remarketing based on intelligent analytics. Based on this principle, organizations must be sure that they are only storing the minimum amount of data required for their purpose.
  4. Accurate and up-to-date processing This principle requires data controllers to make sure information remains accurate, valid and fit for purpose. To comply with this principle, the organization must have a process and policies in place to address how they will maintain the data they are processing and storing. It may seem like a lot of work – you can expect it to be – but a conscious effort to maintain accurate customer and employee database will help prove compliance and hopefully also prove useful to the business.
  5. Limitation of storage in the form that permits identification This principle discourages unnecessary data redundancy and replication. It limits how the data is stored and moved, how long the data is stored, and requires the understanding of how the data subject would be identified if the data records were to be breached. To ensure compliance, organizations must have control over the storage and movement of data. This includes implementing and enforcing data retention policies and not allowing data to be stored in multiple places. For example, prevent users from saving a copy of a customer list a local laptop or moving the data to an external device such as a USB.  Having multiple, illegitimate copies of the same data in multiple locations is a compliance nightmare.
  6. Confidential and secure – This principle protects the integrity and privacy of data by making sure its secure (which extends to IT systems, paper records and physical security). An organization that is collecting and processing the data is now solely responsible for implementing the appropriate security measures that are proportionate to the rights and risk of the individual data subjects. Negligence is no longer an excuse under GDPR, so organizations must spend an adequate about of resources protecting the data from those who are both negligent or malicious. To get compliant, evaluate how well you are enforcing security policies, utilizing dynamic access controls, verifying the identity of those accessing the data, protecting against malware/ransomware, etc.
  7. Accountability and liability – This principle ensures that you are able to demonstrate compliance. Organizations must be able to demonstrate to the governing bodies that they have taken the necessary steps comparable to the risk their data subjects face. To ensure compliance, be sure that every step within the GDPR strategy is auditable and can be compiled as evidence quickly and efficiently. For example, GDPR requires organizations to respond to requests from data subject as to what data is being held on them and promptly remove that data, if desired. You would not only need to have a process in place to manage the request, but it would need to have a full audit trail to prove that you took the proper actions.

There are a lot more details within each of these requirements, but gaining a basic understanding is a great starting point. Take the time you need to evaluate your risk and remember to be as honest as possible with yourself when evaluating where you are today. Then, start charting your course, and plan to come across unplanned challenges along your journey.

We are less than one year away from the GDPR compliance deadline of May 25, 2018.

GDPR Risk Assessment

Gauge your own GDPR readiness and discover how much risk your organization may face around the key data protection requirements. After you complete the survey, we will provide some strategies that you should consider adding to your GDPR compliance plan to help you prepare for the compliance deadline.