The new EU General Data Protection Regulation (GDPR) came into effect in May 2018. It has a definite impact on the daily lives of companies, large or small, as it forced most of them to make significant changes to their information management and to their approach to data protection and security when processing and managing personal information.
However, despite the enormous media hype, it must be noted that 12 months after its implementation, the new regulation is far from being fully or correctly implemented in many companies.
In addition, given the complexity of the regulations, some companies simply limit their risk exposure rather than aim for full compliance. As a result, they are exposed to fines of up to 4% of their annual turnover.
The fundamentals of GDPR
The intent of this article is not to explain the ins and outs of the new regulation. A large number of publications already cover the subject, and the website of the Belgian DPA (Data Protection Authority) should answer any questions you may have.
The GDPR applies to all companies that process personal data of EU citizens. The scope of personal data has been extended, as have the rights of individuals (right of access, right to rectification, right to erasure and right to data portability).
Personal data protection and security are the responsibility of everyone who accesses and processes that data (“subcontractors” included). It is therefore important to implement control processes to avoid any infringement or violation of individuals’ rights.
Impact of GDPR on IT management
Regardless of your industry, your IT department processes a large amount of personal data (information about visitors, users, prospects, customers, employees, suppliers, etc.).
To comply with the GDPR regulation, companies must be able to demonstrate that they process personal data securely and communicate transparently about their use.
Here are the 7 key points that have an impact on IT management:
- Right to be informed: companies must communicate precisely what data are collected and for what purposes, who is involved in the processing, the storage period and any sharing with third parties.
- Right to be forgotten: the company must be able to quickly identify the personal data processed and modify or delete them upon request.
- Right to data portability: obligation to return all personal data of a customer who so wishes, in a readable digital format.
- Concept of “privacy by design”: this implies minimizing data collection, securing data throughout their lifecycle and erasing unnecessary data.
- Records of processing activities: each company shall maintain a record of data processing activities and, in some cases, appoint a DPO (Data Processing Officer).
- Security breach reporting: the GDPR requires data controllers to report security breaches to the supervisory authority within 72 hours, and obliges companies to take measures to remedy the breach and to provide guarantees against a recurrence of the incident.
- Impact assessment: prior to launching a new project, companies are required to assess the risks associated with data processing.
The above implies tracking personal data throughout its life cycle, from collection to storage, from exchanges to deletion.
New IT governance principles
As a result, IT departments must take concrete steps to comply with the GDPR. In short, they must:
- Strengthen data management policy: this involves identifying where personal data are stored, ensuring traceability (monitoring and managing their use), defining a security policy and making employees aware of the need for secure data processing.
- Secure and control access to data: as soon as you handle personal data, you are accountable. Information sharing is never 100% secure. Implementing role-based access permissions based on need and actual usage is the minimum.
- Monitor personal data flows: constant monitoring is the new rule to prevent leaks, suspicious activity or potential security incidents. This implies adopting appropriate tools, especially for collaboration and file sharing, blocking access to sensitive information, etc.