Checklist for Data Transfer and File Sharing
The General Data Protection Regulation (GDPR) is the self-proclaimed “toughest privacy and security law in the world.” Since its inception in 2018, it has served as the basis for the data privacy and security legislation that has followed it around the world. While the GDPR itself runs to over 80 pages, we have reduced it to a very basic checklist to give you a general overview of what the GDPR actually requires. This article is meant to be a free resource and is by no means exhaustive, nor is it legal advice. That said, it should begin to familiarize you with the process of GDPR compliance and with some of the language the regulation uses.
Appoint a DPO
The first requirement of the GDPR is appointing a Data Protection Officer (DPO). This individual can be either internal or external but must have a solid understanding of, and literacy in, the GDPR. Similarly to how HIPAA requires a Privacy Officer, this person heads up the organization's GDPR efforts. The GDPR has a bit more to say about the qualifications of the individual than HIPAA does, but the main point is that the person needs to be qualified for the role. The Data Protection Officer is responsible for implementing and maintaining compliance with the GDPR and must have a certain degree of authority and direct access to upper-level management and officers.
Data Mapping
Data mapping is fairly straightforward. It is the responsibility of the organization to trace and identify every area of the business where data is being used, as well as which individuals and departments are using it. Another important aspect of data mapping is recording a legal basis, the "why" behind using the data. This is similar to the minimum necessary standard laid out in HIPAA: as far as the GDPR is concerned, you need to be able to state why the data is being used and to what extent that use is necessary.
Document Everything
Every area in which your organization interacts with data of any kind needs to be clearly documented. This may sound like a headache, but it is important that every way your organization uses data is documented in order to maintain compliance with the GDPR. As with any kind of compliance, in the event of an audit it is your responsibility to have tangible evidence that you were compliant with the regulations. A lack of documentation does not bode well for organizations that claim to have been compliant but have nothing to show for it. Do yourself a favor: if you think something could be important, go ahead and document it. You will thank yourself later. The whole idea is to create tangible evidence that your organization has policies and procedures in place to maintain continued compliance.
Breach Reporting
It is important to respond quickly to data breaches and to communicate openly and honestly with your customers. This is best practice, and it also avoids further penalties in the event of a breach. Breach reporting is an integral part of compliance with the GDPR and should be carried out in a manner that is both transparent and efficient. It is important to inform consumers of exactly what information was stored as well as the extent of the breach. According to the GDPR guidelines, you are required to inform the pertinent governing bodies within 72 hours of the breach, regardless of its extent. However, if the data was encrypted beyond the point of recognition and the data controller has taken the necessary steps to ensure that rights and freedoms have not been infringed, then it is not necessary to report the breach.
Data Subject Access Requests
Data Subject Access Requests are a right first introduced by the GDPR. Essentially, at any point in time a user can request access to the data the organization has collected about them. The organization is required to respond to these requests; however, it is allowed to charge the individual the administrative costs of delivering the data. The GDPR specifies that these fees cannot be excessive and are strictly intended to offset the administrative cost of fulfilling the request. Overall, the GDPR establishes the Data Subject Access Request as a right of the individual. While many companies already had a practice like this in place, the GDPR ensures an even playing field by mandating that everyone follow this best practice.
Technical Checklist
A technical checklist is an integral part of ensuring compliance with the GDPR. It is the equivalent of the security procedures requirement of HIPAA: a clearly laid out list of the technical safeguards your organization uses to ensure privacy and security. These could be anything from dedicated Wi-Fi networks, two-factor authentication and encryption to VPNs for remote-access users. The GDPR itself lays out minimum requirements, but many companies follow additional best-practice procedures on top of that minimum. In the event of an audit, this technical checklist is going to play a large role in mitigating penalties. This goes back to documenting everything: it is important to have traceable practices in place that have been implemented to mitigate loss, so that in the event of a breach or audit you have clear policies and procedures to fall back on and can show that you have done everything in your power to achieve compliance.
I cannot stress enough that this is a very brief overview of what is, to date, one of the most complex and arduous pieces of data privacy legislation in the world. Please take this article as a brief synopsis of a few key points of the GDPR rather than an exhaustive resource. It is essential to consult a legally backed product or service that specializes in GDPR compliance rather than self-educating online and winging it. Penalties related to the GDPR can reach up to 20 million British pounds or 4% of global revenue. The GDPR is the toughest privacy and security law in the world and should not be taken lightly. It is important to have robust safeguards in place not only to maintain compliance, but also to ensure that your customers' data is secure and handled properly.
All in all, the GDPR has drastically increased the requirements placed on organizations and on how they manage personal data. While this may be a headache for businesses, it is a step in the right direction in terms of consumers' rights and protection. Ultimately, it is only a matter of time before consumers demand even more rights over their personal data, but the GDPR brings us one step closer to putting control back in the hands of the owners of that data.