
SEVEN STEPS TO KICKSTART YOUR GDPR COMPLIANCE

INTRODUCTION
The May 2018 enforcement deadline for GDPR compliance looms. Establishing compliance is a mountainous effort requiring personnel additions, process changes, and technology implementation. Instead of being overwhelmed by the mountain, organizations should focus on the immediate path ahead of them, establishing the key preparations and foundations of compliance.

The hardest part of any long journey is starting.


Don’t let fear, unknowns, or analysis paralysis stop you from taking that first step.

“On 25 May 2018, less than 50% of all organizations impacted will fully comply with the GDPR.” [1]

[1] GDPR Clarity: 19 Frequently Asked Questions Answered, August 2017, Bart Willemsen

1. DETERMINE IF YOU ARE SUBJECT TO GDPR
As a European Union directive, it might be tempting to believe the GDPR applies only to EU-based organizations. The mandate, however, extends to all companies that process data to offer goods or services to European residents or that monitor the behavior of European residents. Any company that collects – or even just processes – personal data of EU citizens is subject to the law. The GDPR does consider whether the services offered are paid or free when determining applicability.

For example, an American free cloud storage service or social network must comply if the service is also offered to users within the EU.

If none of these apply to you, count yourself lucky: you may be off the hook. For all others, keep reading.
2. LEARN THE BASICS
The GDPR defines personal data quite broadly, well beyond the personally identifiable information (PII) standard of earlier legislation. PII refers to a relatively narrow range of data such as name, address, birth date, Social Security number and financial information such as credit card numbers or bank accounts. Personal data, in the context of the GDPR, covers a much wider range of information that can include social media posts, photographs, lifestyle preferences, transaction histories and even IP addresses.

At the heart of GDPR legislation is a push to give consumers greater visibility and control over how their personal data is used. It builds on and replaces earlier European data privacy regulation, creating standardized, comprehensive rules around the protection, use and dissemination of personal data.

In addition to strengthening data protections, the GDPR establishes new guidelines for alerting consumers and regulators about data breaches. It also enshrines a “Right of Erasure” (aka right to be forgotten) in which an individual can request the deletion or removal of personal data where there is no compelling reason for its continued processing.

TIP: IGNORE THE ALARMISTS.
Many GDPR consultants and software vendors menacingly tout the law’s maximum fine of €20M or 4% of annual revenue, whichever is greater. The truth is, fines of this size are reserved for repeated serious violations. Initial penalties will be far lower or more likely just a warning. The real risk is that unprepared organizations spend time scrambling to respond to regulator questions, taking precious attention from business goals.
3. FOCUS ON THE KEY ARTICLES
Spanning 11 chapters and 99 articles, GDPR legislation can be pretty overwhelming. Fortunately, not every article is created equal and there are a few foundational articles to focus on first.

Article 30: Records of processing activities (RoPA)
The RoPA is centered on identifying where personal data is being processed, who is processing it and how it is being processed. It is important to identify all repositories of personal data, not only well-known sources such as CRM systems.

Article 32: Security of Processing
Within Article 32 is the “Technical and organizational measures” language which states that organizations must “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” While the regulations give very little guidance as to what “appropriate” means, some reasonable assumptions include maintaining anti-virus software on all devices and identifying and patching known vulnerabilities.

TIP: BEST EFFORT AND DOCUMENTATION.
A common scare tactic by those pushing GDPR solutions is to say that the GDPR requires your enterprise be “vulnerability free” or that you absolutely must own this or that network security solution. The truth is that GDPR language provides few specifics on required security measures. Details will likely be forthcoming in the first few years of enforcement. What is clear is that organizations must make a best effort at protecting personal data and be able to produce documentation to prove such efforts.

Article 35: Data Protection Impact Assessment (DPIA)
Article 35 demands that organizations identify data processing activities that are especially sensitive and then make sure they take extra security precautions to protect this data. A DPIA is the documentation of this sensitive data processing and the protection measures that have been established. While the language describing when a DPIA is required is scant, a few examples are provided, including data processing involving legal matters such as criminal convictions, data processing utilizing new technology, and processing very large amounts of personal data.

TIP: GET A LAY OF THE LAND.
Before creating a DPIA process, it is critical to know what information your organization has, where those data are located, and how they flow through the organization. It is important to develop a data inventory, and map the organization’s business process flows or systems.
4. APPOINT A DATA PROTECTION OFFICER
The Data Protection Officer (DPO) role, having been established by earlier legislation, may be familiar to some. Not every organization will need a DPO. Under the GDPR, a DPO is required for all public authorities, organizations which regularly process personal data on a large scale, and when sensitive data is processed.

GDPR language is, once again, maddeningly short on what terms such as “large scale” and “sensitive” mean, but recent guidance from a GDPR “Working Party” provides some clarity. DPOs will be needed by organizations that process personal data as a core part of their business, but not when processing is done for support activities such as payroll or IT. DPOs will also be required for any organization that captures or processes any form of tracking and profiling on the internet, including for the purposes of behavioral advertising. Clarifications released in December 2016 [2] and April 2017 [3] provide additional guidance.

[2] https://www.twobirds.com/en/news/articles/2016/global/article-29-working-party-publishes-guidance-on-dpo-provisions-of-the-gdpr
[3] https://www.twobirds.com/en/news/articles/2017/global/article-29-working-party-issues-final-guidelines-on-data-protection-officers
In spite of being a company employee, the DPO is effectively an in-house representative of the GDPR regulatory body. The DPO looks after protection of the data, develops and implements the organization’s privacy policies and processes, assists in complying with legal obligations, and addresses principles such as openness, fairness and transparency about personal data.

PRO-TIP: NO DOUBLE DUTY AND NO “A LA CARTE.”
The DPO must be involved in all data protection issues and their key concern is monitoring compliance with the GDPR. In order to successfully do this they must remain independent and cannot hold a position within the organization that determines the purposes and means of processing. German privacy commissioners, operating under regulations very similar to the GDPR, recently fined an IT Director for taking on DPO responsibilities. In addition, DPO responsibilities cannot be divided up among multiple individuals. The appointed DPO must be responsible for all the data processing activities carried out by the organization.

“The International Association of Privacy Professionals estimates 75,000 organizations will need to hire a DPO.” [4]

[4] https://iapp.org/news/a/study-gdprs-global-reach-to-require-at-least-75000-dpos-worldwide/
5. ESTABLISH ENTERPRISE VISIBILITY
Most organizations, beginning their journey to GDPR compliance, understand the importance of identifying the location of personal data repositories. Many err, however, by focusing too heavily on the most obvious systems which touch large parts of the organization, such as SAP, Oracle databases and middleware, Marketo, and Salesforce.

But these large systems often represent just a fraction of the systems that process personal data. Like an iceberg, the vast majority of applications are often effectively invisible, unconsidered by the GDPR team. One of the causes of this invisibility is often SaaS applications purchased by business units with little to no involvement by IT. Snow Software calls this gap between what IT thinks they know about technology usage and what is actually happening across the enterprise the Disruption Gap.

Examples of the Disruption Gap may include the CRM software Insightly, customer data tracker SalesTracker, and recruiting software Enlist. You may not think you have many of these SaaS applications – and personal data repositories – in use. But are you sure? It is critical to be aware of all on-premises and cloud applications in use by your organization. Without full visibility, any claims of “GDPR compliance” are hollow, create a false sense of security, and expose the organization to GDPR audit findings.
6. ELIMINATE PERSONAL DATA BLIND SPOTS
Having accepted that you likely don’t have full visibility of on-premises and cloud applications, the next step is to establish systems and processes to eliminate blind spots, shining a light on unknown personal data repositories.

Full visibility requires automated, multi-platform IT asset discovery that extends from mobile devices to desktops, from datacenters to the cloud. A number of technologies contain discovery capabilities but they vary widely in coverage. Effective discovery solutions are able to find and identify all asset types including SaaS subscriptions, IaaS virtual machines, PaaS containers, mobile devices, datacenter applications, and virtualized environments.

PRO-TIP: BEWARE OF MOBILES.
Mobile devices are regulated by the GDPR, as are all technologies used for the processing of personal data. Not only do these devices maintain personal data, they also process information on the user. In addition, they are especially susceptible to being lost, potentially running foul of GDPR directives on maintaining control of personal data.
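As an added illustration of the blind-spot problem described in steps 5 and 6 (example code written for this page, not code from the original document or from Snow Software), the script below compares SaaS destinations seen in a constructed web-proxy log against a constructed Article 30 RoPA inventory and reports catalogued SaaS applications that nobody has recorded. The log format, the domain catalogue, the inventory and the user names are all assumptions.

```python
import re

# Constructed sample proxy log (timestamp, user, destination host); not from any real system.
PROXY_LOG = """\
2018-03-01T09:12:01Z alice app.salesforce.com
2018-03-01T09:13:44Z bob api.insightly.com
2018-03-01T09:15:10Z carol api.insightly.com
2018-03-01T09:18:22Z alice app.enlist.example
2018-03-01T09:20:05Z dave login.microsoftonline.com
2018-03-01T09:25:00Z erin cdn.example-static.net
malformed line
"""

# Constructed RoPA inventory (Article 30): SaaS applications IT has already recorded.
ROPA_INVENTORY = {"Salesforce": {"salesforce.com"}, "Office 365": {"microsoftonline.com"}}

# Hypothetical catalogue of SaaS domains whose products typically hold personal data.
SAAS_CATALOGUE = {
    "salesforce.com": "Salesforce",
    "microsoftonline.com": "Office 365",
    "insightly.com": "Insightly",
    "enlist.example": "Enlist",
}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def registrable_domain(host):
    # Naive: last two DNS labels. Fine for the sample; real code should use a public-suffix list.
    return ".".join(host.lower().split(".")[-2:])

def find_blind_spots(log_text, catalogue=SAAS_CATALOGUE, inventory=ROPA_INVENTORY):
    """Return {product: {"users": n, "requests": n}} for catalogued SaaS seen in the log but absent from the RoPA."""
    recorded = set().union(*inventory.values())
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than miscounting them
        _ts, user, host = m.groups()
        dom = registrable_domain(host)
        product = catalogue.get(dom)
        if product is None or dom in recorded:
            continue
        entry = seen.setdefault(product, {"users": set(), "requests": 0})
        entry["users"].add(user)
        entry["requests"] += 1
    return {p: {"users": len(e["users"]), "requests": e["requests"]} for p, e in seen.items()}

if __name__ == "__main__":
    for product, s in sorted(find_blind_spots(PROXY_LOG).items()):
        print(f"{product}: {s['users']} user(s), {s['requests']} request(s), not in the RoPA")
```

Each product reported is a candidate personal data repository to add to the RoPA, or to investigate with the business unit that adopted it.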
7. BUILD YOUR PEOPLE, PROCESS, AND TECHNOLOGY ARSENAL
There is no silver bullet to GDPR compliance. No single application you can buy or consultant you can hire. Instead, GDPR compliance takes a combination of people, process, and technology.

It’s a tall order – you’ve now established whether you need to adhere to the Directive, know what the risks are if you are not compliant and where to focus your efforts, ensured you have the right people in place and established enterprise visibility into all personal data repositories.

People. Set up a cross-functional data governance team, made up of the DPO, IT leaders and business leaders from a range of functions including Compliance, Legal, HR, Customer Service, and Marketing. This team will own the responsibility for GDPR compliance and, befitting of the critical nature of the GDPR, should report to the board of directors. They will own documentation of processes and decisions and policy development and do regular reviews of policies, processes, and technology choices.

Process. Once the data governance team has defined what personal data means, they need to share this understanding across the organization. In addition, privacy rules must be documented and shared across all lines of business. This protects against violations of GDPR based on personal data access by disallowed individuals. To achieve this, roles and definitions must be established in a governance model. Then you can link business terms to physical data sources, and establish data lineage from the point of creation to the point of consumption. This provides you with the required level of control.

Technology. There are a number of solutions that can accelerate and maintain GDPR compliance including:
• Case management systems for handling data subject requests
• Data discovery systems for finding applications, structured data, and unstructured data
• Consent management systems that track all relevant consent provisions
• Identity and Access Management to track role management and who has access to which data
• A range of system and network security tools including anti-virus and Cloud Access Security Brokers
• An extremely helpful solution, especially at the early stages of the GDPR journey, is Software Asset Management, which can help create the system, user, and device visibility required to ensure claims of “compliance” are based on a complete understanding of the enterprise
Copyright © 2018 Snow Software AB, All Rights Reserved. 201803(1)