Get To Know the GDPR
The 4 Phases of GDPR Preparation
By Kris Lahiri, Data Protection Officer for Egnyte
An in-depth look at how organisations should be preparing for the upcoming General Data Protection Regulation.
A report produced by the Close Brothers, June 16, revealed that only 4% of British small to medium-sized companies (SMEs) understand the impact of the European Commission’s upcoming General Data Protection Regulation (GDPR). A staggering 82% of companies surveyed have either not heard of GDPR or don’t understand its importance. The remaining 14% are seeking further advice on how it will impact their workflows.
On May 25, 2018, new rules concerning the accumulation and usage of data will come into effect. The good news is you are going to find it easier to adjust to the new rules if you have been complying with the EU Data Protection Directive 1995, since the GDPR draws on the EC’s Directive.
So what are the phases for GDPR preparation?
Phase 1: Awareness
By now you should have raised awareness of the GDPR within your organisation. Develop an approach that your organisation will take, collect information on your current policies and practices, and create a project plan. Gather the appropriate personnel to form a steering group and inform decision-makers on the impact of the GDPR. Understand whether you are a data processor or data controller; maybe you are both.
Egnyte is both a processor and a controller. We control the personal and sensitive data of our EU employees. We are also a processor as our file share sync solution, Egnyte Connect, processes clients’ data. However, we do not have access to that client data; our technology simply processes their data for them.
The next step in Phase 1 is to get a complete information audit off the ground and fully understand your personal data processing protocols, as well as how you process your customers’ data.
Ask the following questions:
- Where is personal data stored?
- How secure is it?
- Who has control?
- Is it shared?
- Do you hold data for non-EU residents?
- Is data transferred across borders or outside the EU?
What is your process for maintaining internal records? If you don’t have one, you should create a template for recordkeeping as this is a requirement under the GDPR. Understand the legal grounds on which you currently collect and use data. In particular, examine how consent and legitimate interests are used as the basis for processing personal data and document these.
Get your IT department involved and conduct a review of your IT systems and procedures. Can they cope technically with new individual rights in a timely manner? If your organisation suffered a breach or if a subject requested access, can you meet the response timelines? Can you also comply with subject access requests, data portability, right to be forgotten, recording objections or withdrawal from processing, and deletion of information? Has your HR department reviewed staffing requirements for data protection compliance, and worked through the questions above if you have employees in the EU?
Phase 2: Planning
By now you should have a steering committee in place, meeting regularly to develop the plan. That steering group should include the following personnel: Legal Counsel, HR, IT, CISO/Head of IT Security and Operations. It’s time to start to prioritise key areas, appointing a Data Protection Officer (DPO) and identifying areas with the highest risk and biggest potential impact. The DPO is required to act independently and report to the highest level of management. Smaller organisations can outsource this function to a consultant or firm. They will be responsible for understanding the legal basis for processing and the new requirements on getting consent:
- Processing of sensitive personal data
- Compatibility of systems with new rights such as data portability
- Shorter time frames for subject access requests.
Once you have appointed the DPO, have them conduct a Data Protection Impact Assessment (DPIA). This is required for controllers where the processing of personal data is likely to be under much more scrutiny due to the involvement of individuals’ rights and freedoms. DPIAs will particularly be required when they are dealing with automated processing of data or processing data on a large scale.
Now that you have outlined your processes and appointed the DPO, next is to review and strengthen technical security measures and prepare for data breach notifications.
Set up internal procedures/strategy for data breach identification; establish the process for notification to the Information Commissioner’s Office (ICO) and affected individuals; explore what “risk” to individuals means; build in effective ways of detecting breaches.
Phase 3: Implementation
Now you are on to changing and implementing new processes, updating old policies, and revising contracts and methods of collecting data. Ensure privacy is integrated by default – collect the minimum amount of information and consider privacy from inception of the product, service or project.
Review and improve the transparency and legibility of all public-facing documents. Review and audit supply chain and update contracts. Review and revise legacy contracts to consider mandatory terms; examine the adequacy of mechanisms for cross-border transfers, i.e. contracts with cloud providers. Controllers need to review selection criteria for processors and update contracts; processors need to understand new obligations and assess impact.
Phase 4: Training
Keep up-to-date with GDPR and UK plans for data protection reforms through the Information Commissioner's Office (ICO). Implement the appropriate processes and policies in order to effect culture change and demonstrate compliance with all obligations under the GDPR – including training for staff across the organisation. Understand how codes and certifications can help with compliance on security. Investigate the possibility of having data training be part of your onboarding programmes.
While the GDPR may appear overwhelming, it presents an opportunity for organisations to approach data privacy and compliance more strategically.
Adapted from: How Organisations Should Be Preparing for the GDPR
8 Things to do Before May 2018
While every business will have unique needs that go beyond what I have included here, this will serve as a useful guideline of action items for those who will be affected by GDPR.
1. Assess Your Data
Take a comprehensive look at all of your data. Assess what kind of data you have, how sensitive it is, where it is held, and how you process it. Make sure you and your team understand the difference between the structured and unstructured data you are currently dealing with.
2. Define Your Processes and Procedures
After taking a look at the data your organisation is dealing with, it is probably safe to assume that you are dealing with some level of sensitive data; whether that is insurance information, bank account details, national insurance numbers, etc. With that in mind, your next step will be to define the processes and procedures around how you handle that data. For example, does the repository you use to handle your data have the ability to be structured with subfolders so you can properly organise your sensitive files? Can you properly define who has access to those folders and set up a protocol for how those files are shared internally and externally? Do you need to set up an archiving process for when an employee leaves? And most importantly how do you handle data sovereignty, i.e. where should the data be stored, in the EU, in the US, or elsewhere?
3. Implement Your Processes and Procedures
Everything you have identified and outlined in steps 1 & 2 is vital in getting you to the implementation stage. When it comes to implementing your new or improved processes and procedures, I highly suggest looking into hiring a Data Protection Officer (DPO), even though it may not be required. While some may opt to give this responsibility to Human Resources, investing in a DPO can be a better choice because it will provide you with a dedicated resource whose sole job is to keep your business compliant from top to bottom. Make sure your company focuses on the organisation’s accountability in terms of data privacy and mandate that they build a comprehensive privacy compliance program. The best advice I can give here is to integrate privacy by design and be transparent.
4. Create a Monitoring System
I cannot stress enough how important it is to have full visibility into your company’s data handling processes and procedures. Prioritise compliance activity and remedial measures based on areas with the highest risk and most significant impact. Priority areas will include those that are subject to legal action based on the new, more specific GDPR requirements, such as getting proper consent, processing of sensitive personal data, compatibility of new systems, and shorter time frames for subject access requests. The easiest way to maintain visibility is to be highly communicative and keep an open line of communication with everyone involved, reviewing and updating privacy policies with them on a regular basis.
5. Implement Checks & Balances
After you have implemented all of the aforementioned processes and procedures, it is vital for your company to stress test itself on an ongoing basis. If your company can spot problems before the EU, it could mean avoiding harsh penalties and millions in fines, which can cripple your business. One form of checks & balances that can be extremely helpful for a company is to conduct Privacy Impact Assessments (PIAs). PIAs are essential in helping privacy professionals identify and guide the use of personal information across the organisation. PIAs require tight collaboration between your company’s compliance team and its business leaders in order to address privacy-related regulatory requirements. Given that GDPR calls for conducting a Data Protection Impact Assessment (DPIA) in order to meet compliance, conducting regular PIAs with a similar template will be extremely helpful.
6. Plan for the Worst-Case Scenario
While nobody wants to imagine failure, it is always important to have a plan for every scenario, even the worst-case ones. Should your company find itself in the midst of a breach, I suggest setting up a plan for proper communication, as well as pre-emptive courses of action your company can attempt to take in order to fix the error. As a part of the new GDPR, the EU will be enforcing a new breach notification duty for all organisations, which mandates that any breach resulting in the harm of an individual, such as identity theft or a confidentiality breach, will have to be reported to the Information Commissioner's Office (ICO). Failure to report these breaches properly could result in more fines, on top of the initial penalty for the breach itself. While not every breach needs to be reported, it is best practice to treat every breach with equal significance so that you are well prepared for even the worst-case scenarios.
7. Assess Potential Costs
There are two types of potential costs relating to the GDPR: the readiness and compliance setup cost, and the infringement cost if you suffer a data breach. For the readiness and compliance setup, you will actualise the financial impact during this stage. This cost will vary depending on the size and makeup of your organisation. For example, data-heavy businesses are likely to face higher costs coming from the more burdensome requirements of the new GDPR. For the infringement cost, this is hopefully something you will never have to feel the financial impact of, but it should be something you are prepared for nonetheless. Every organisation should run theoretical scenarios of how they would handle the financial repercussions of a breach, even the previously mentioned worst-case scenarios. Sound preparation and planning here can make or break your business when it comes to surviving a breach.
8. Look into Purchasing Cyber Insurance
The last thing to do before the GDPR goes into effect is to check on a cyber insurance policy. If you do not have one, I strongly advise looking into one. If you do have a policy already, I would suggest reviewing your policy with your provider to ensure you are covered for GDPR. The changes in the data protection landscape and regulations are likely to have a knock-on effect on the cyber insurance market and the availability of insurance policies. It is likely that businesses will now seek increased insurance protection for data breaches under GDPR. GDPR has introduced a provision for voluntary codes, which presents a number of implications. These ‘best practice’ standards give businesses the opportunity to demonstrate their willingness to comply with GDPR requirements. It is quite likely that we will see insurers consider rewarding companies with discounts on premiums if they show adherence to these codes. The additional requirement for organisations to report data breaches could also feasibly increase awareness in organisations for the need for cyber security and the impact of breaches. This means that insurance companies will demand better and more vigorous risk management strategies to reduce the likelihood of breaches. Companies could also see increased premiums where these measures are not in place.
While the new GDPR has a number of changes to it and the transition is creating a significant amount of extra work for organisations, it is a good thing. The new GDPR is holding us accountable for the way we process and handle sensitive information, making ourselves and the people we do business with safer in the digital world we live in – not only today, but in the future. Hopefully this checklist will help you and your organisation through the transition, whether you are just getting started or are already on your way!
Adapted from: The Ultimate GDPR Checklist: 8 Things Everyone Needs to Do Before May 2018 By Kris Lahiri, Data Protection Officer for Egnyte
The Biggest Myths about GDPR
There has been a lot of information shared from many different sources. Unfortunately, not all of that information is relevant or completely accurate. In fact, some of it is wrong and could prove costly for those that listen to it. As a result, we have compiled 6 GDPR myths that you should know about.
MYTH 1: GDPR Only Affects EU Companies
GDPR will not only apply to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of EU data subjects (any person residing in the EU). It will apply to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
MYTH 2: GDPR is a Single Point Project with a Defined End Date
Some businesses are thinking of GDPR as a “box” they need to check by May 25, 2018, and then they’re done. This is definitely not the case.
GDPR will require businesses to work differently. It’s like running a series of marathons. You will need to take the time to prepare, then run your first race by May 2018, and then continue to be prepared to run the next marathon whenever you need to do so. In other words it’s an ongoing process.
MYTH 3: No One Will Really Get Fined
The fines for noncompliance are quite large. They can be up to €20 million or 4% of a company’s total global revenue, whichever is larger. Some think that these fines are exaggerated and no businesses will ever have to pay such fines. But think again.
Granted, the EU will not have the resources to investigate every incident, but many will be reviewed. There will be companies that knowingly choose not to comply, and the supervisory authorities may choose to make examples of them. The biggest fines will possibly be levied against larger businesses to get the attention of other large businesses. But smaller businesses that don’t comply will also see some fines. Any fine for a smaller business could have dire consequences.
MYTH 4: All Security Breaches Have to be Reported Within 72 Hours
Only personal data breaches need to be reported to the supervisory authorities. A personal data breach may result in loss of control over personal data, identity theft or fraud, financial loss, or many other forms of personal damage. Personal data breaches are generally a sub-component of security breaches.
Breach notification obligations also depend on whether a firm is a data controller or data processor. A data controller is an entity that determines the purpose, conditions and means of the processing of personal data, while the data processor is an entity which processes personal data on behalf of the controller.
As soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the authorities within 72 hours. However, if the controller is able to demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, then it is not required to report the breach. If the controller cannot produce this type of proof and fails to report the breach within 72 hours, the controller is required to submit a notification explaining the reasons for the delay. The notification and information may be provided in phases.
If the controller determines that the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals,” it must also communicate information regarding the personal data breach to the affected persons.
A data processor must notify the controller after becoming aware of a personal data breach. No specific time limit is given for the processor. The GDPR article simply states “without undue delay.”
MYTH 5: Becoming Compliant Will Prevent Breaches
There is a concern that achieving regulatory compliance such as GDPR will give some companies a false sense of security.
Yes, GDPR does require a baseline level of privacy and security protections, which is a good thing, but the flip side is that compliant companies that do the bare minimum will be considered easier targets than those companies that go above and beyond. Remember, cyber criminals are smart and are constantly adapting their strategies and tactics, so you need to do the same to minimize your exposure.
MYTH 6: You Will Know When Your Business Gets Breached
After GDPR enforcement begins, you will still need to focus on building up defenses against cyber threats and design your systems to limit damages. Implementing methods to detect threats is critical, as is having a way to know when those detection methods fail.
Breaches can go unnoticed for extended periods of time, but not knowing does not give you a pass in the eyes of GDPR officials. It’s like you need to assume you’ve been breached, and work extra hard to find the source. One possible solution is to start compiling a list of the types of incidents your business and similar businesses face, and develop baseline scenarios of your own. Use those scenarios as a guide for investigating possible breaches.
As you wade through your GDPR journey, look for a solution that can:
- Locate all employee and customer private data regardless of where it resides (in the cloud and on premises) and classify it, which helps enable you to better protect that data.
- Provide real-time alerts for when specific types of content are accessed or shared, which could help to prevent data leakage.
- Maintain a comprehensive audit trail of all file and user actions, which helps with total visibility of everything that’s going on with all your employee and customer data.
This can help prevent personal data breaches and give you the tools to stay on top of the regulations.
3 Reasons Egnyte Built a European Data Center Back in 2010
By Kris Lahiri, Data Protection Officer for Egnyte
When it comes to the enterprise, a majority of organizations engage in international business. Companies who expand their global footprint have to factor in the international impact on production, sales, marketing, and a number of other mission critical departments. The common thread amongst all of these functions is the data they create.
Whether a U.S.-based ad agency has clients across multiple continents or a UK-based construction firm is working on a U.S.-based project, data is being exchanged worldwide. We established a European data center in Amsterdam back in 2010, knowing how important it would be to address the specific needs of our international customers.
While this wasn’t necessarily the easiest of decisions, due to cost and logistics, we knew it would be the right one, long-term. Here are a few reasons why:
With a hybrid solution that involved both cloud and on-premises deployments we wanted to make sure customers were always going to be as close as possible to their data. By building out a data center in Europe, we were able to provide a superior experience for our customers that far surpassed cloud-only competitors that only had data centers in the U.S.
While the U.S. government has its own policies on privacy, the EU data privacy and security laws have been significantly more robust, as far back as 1998. We made a conscious decision to follow the stringent levels of data privacy and security with our own European data center. Egnyte customer data is not accessed unless explicit permission is granted and European customer data does not leave the EU. This is true even when a support ticket is opened.
As our business grew, so did our customer base. As I briefly touched on before, the majority of our enterprise customers were conducting international business, so it made perfect sense for us to accommodate them. In Silicon Valley, SaaS company growth numbers would tell you that 20-25% of revenue would eventually come from Europe. In order to scale we needed to commit and assure our customers that we would support their growth by building a European data center.
Egnyte is constantly investigating options for our customers to keep their data as safe and secure as possible. With our European data center in place since 2010, we are confident in our ability to provide a safe environment for not only our customers and their data, but our own data as well.
A Practical Guide to GDPR Compliance
A simple step-by-step guide of things to do now.
What is GDPR? Separate the Facts from Fiction
GDPR is the most important data privacy regulation change in the last 20 years. It impacts any company that handles an EU resident’s personal data, not just companies located in the EU. Watch this video to get a better understanding of what you should know about GDPR and why it’s important on a global scale.
Simple, Comprehensive, GDPR Compliance
GDPR will provide EU residents with unprecedented access to their data, creating a major challenge for businesses. See how we can help to simplify your journey to GDPR compliance.
A Solution Overview for GDPR Compliance
Do you know what personal information is stored by your company? Is it classified for compliance? Can it be accessed or deleted promptly upon request?
Take a look at Egnyte Protect in action to see how simple it is to classify and protect confidential data in accordance with the GDPR.
Our experts will show you:
- Actual examples of how our SaaS solution provides simple GDPR compliance
- How we classify and protect data in accordance with industry and regional regulations
- How our open and secure architecture meets the needs of business users and IT
The Framework for GDPR Compliance
The General Data Protection Regulation (GDPR) is changing the rules of data governance and converting privacy as a human right into a force of market disruption.
- Understand the data your organisation has and what needs to be done now
- Discover the true cost of a data breach, beyond the enforcement of GDPR
- Prepare your company to demonstrate compliance for GDPR regulators
- Find your company’s unique path to GDPR compliance
5 Steps to Jumpstart Your GDPR Journey
Watch this on-demand webinar to learn from legal and security experts:
- Get actionable insights to begin your journey to GDPR compliance
- Discover the 5 essential action items IT professionals need to know
- Discover the tools that will protect your data in all 28 EU countries
GDPR is the most important data privacy regulation change in the last 20 years. Here are some responses to frequently asked questions on GDPR compliance, data governance, data breach policy, and data protection strategy.
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue based. The General Data Protection Regulation covers all companies that deal with the data of EU citizens.
Information Commissioner’s Office (ICO)
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Data Controller
Determines the purpose, conditions and means of the processing of personal data.
Data Processor
Processes personal data on behalf of the controller.
Data Protection Officer (DPO)
An enterprise security leadership role that GDPR requires in certain cases. DPOs are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements, and must have expert knowledge of data protection law and practices.
A DPO must be appointed if your business is in one of the following categories:
- Public authorities that process personal data
- Organizations that engage in large scale systematic monitoring
- Organizations that engage in large scale processing of sensitive personal data
If your organization does not fall into one of these categories, then you are not required to appoint a DPO.
Privacy Impact Assessment (PIA)
Privacy risk mitigation tool that helps to identify the potential impact on individual privacy and compliance with data protection law. According to the UK Information Commissioner’s Office’s PIA code of practice, “An effective PIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.”
Privacy by Design
Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. Unfortunately, these issues are often afterthoughts or ignored altogether.
Right to Be Forgotten
This right enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
EU Data Protection Directive
Officially known as Directive 95/46/EC, it protects individuals with regard to the processing of personal data and on the free movement of such data. It was adopted by the European Union in 1995. GDPR supersedes this directive.
A United Kingdom Act of Parliament designed to protect personal data stored on computers or in an organised paper filing system. It follows the 1995 EU Data Protection Directive which protects the processing and movement of data.