The Corporate Director’s Guide to GDPR

On May 25, 2018, a major new piece of data protection regulation will come into effect across the European Union (EU), and with it comes the potential for hefty fines or penalties for your organization. Even if you do not directly operate in the EU, chances are that the General Data Protection Regulation (GDPR) still pertains to your company.

The regulation covers any entity that processes the personal data of EU citizens (referred to as “data subjects”), even if the organization does not provide goods or services to EU citizens and only handles or processes their data. Unless you are categorically sure that your organization does not and will not process EU citizens’ personal data, compliance is not optional.

The fine for an infringement can be €20 million (approximately $23 million at today’s exchange rate), or 4 percent of your worldwide annual turnover, depending on which is the higher amount. It is essential for directors to pay attention to the data and information security practices in place to ensure that the organization is prepared and compliant.

The Policy Details of GDPR

The GDPR was written to ensure that organizations:

• protect the personal data of ‘EU Natural Persons’ (i.e. living people);
• are transparent, fair, and lawful about the processing of personal data;
• only request and process necessary personal data;
• do not share data with third parties or countries unless the correct legal agreements and processes are implemented; and
• gain consent from data subjects to process their data.

Personal data is defined in the policy as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

There are six principles that apply to the processing of personal data. According to the policy, personal data shall be:

• processed lawfully, fairly, and in a transparent manner;
• collected for specified, explicit, and legitimate purposes;
• adequate, relevant, and limited to what is necessary;
• accurate and, where necessary, kept up to date;
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
• processed in a manner that ensures appropriate security of the personal data.

Data subjects are provided with a set of legal rights under GDPR, including the right:

• to lodge a complaint;
• to effective judicial remedy against a supervisory authority;
• to effective judicial remedy against a data controller or processor;
• of access;
• to rectification;
• to erasure;
• to the restriction of processing;
• to data portability; and
• to object.

Each EU member state has a designated supervisory authority. These regulatory bodies are responsible for monitoring the application of GDPR, and have the power to audit organizations and determine relevant warnings, reprimands, and fines for violations of the organization. When breaches of personal data occur, companies will be subject to a high level of scrutiny, and will have only a 72-hour window to report on the breach. A personal data breach is described as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

There is a requirement for some organizations to appoint a data protection officer (DPO), whose responsibility it is to advise and inform on GDPR and to monitor compliance within the organization. The DPO acts as the main contact for both data subjects and the supervisory authority, must report to the highest level of management within the organization, and cannot perform any tasks or duties which result in a conflict of interest.

You need to ensure your organization has fully investigated the nuances of the requirements to ascertain whether you need to appoint such a role or prepare to meet other personnel or technical demands.

Where do we start?

Your organization first needs to define the team that will drive GDPR compliance and management. Within the C-suite this should include the chief information officer and the chief information security officer, in addition to representatives from legal counsel, human resources, risk and compliance, and privacy. Determine if you need to appoint a DPO. Once your team is assembled, assess your current state, so that you can plan next steps accordingly. This team should present results at least to your board’s audit committee, if not the full board, given the financial and reputational risks involved.

Understand your personal data retention

You should ask your GDPR team the following questions to determine what categories of personal data your organization is dealing with:

• To whom does data you collect and retain pertain?
• Is it necessary to collect and keep this data?
• If so, how long do you need to keep it?
• Do you have permission from the data subject to process the data?
• How is consent obtained from data subjects for each method of personal data collection?

Encourage your team to follow others’ personal data on its journey through and beyond the organization. Doing so will help the GDPR team understand how the data is collected, stored, transmitted, accessed, and secured, and understand where and how it is passed on to any third parties. 

Review how your organization collects consent from individuals to process their personal data

EU citizens must be able to give and rescind consent for their personal data to be processed. Consent means any “freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

In a contractual situation, the provision of a service may require personal data to be processed in order for the service to function correctly. In this case, this has to be made clear to the data subject when they register for the service.

Identify partner and supplier risk

Review third party legal agreements to ensure the EU citizen’s personal data provided to a third party is handled in a compliant manner. Otherwise, your organization will be held accountable for vendors’ data breaches or a data loss scenario. If you process personal data on behalf of another organization, you will need to demonstrate your compliance with GDPR, and ensure your legal agreements reflect this accordingly.

Ensure your cybersecurity programs are up to par

Your security posture and processes impact the journey and security of personal data, and should be assessed accordingly. GDPR Article 32 stipulates that you must ensure a level of security appropriate to the risk involved with the data. This might require adjustments to your security program, especially if you have weighted your security setup to focus primarily on prevention and are lighter in the areas of detection and correction. Visibility across your ecosystem is vital for determining risk. Knowing your weak points will help you understand where to bolster your security, and testing out your processes will determine whether they are fit for purpose.

Get regular updates on progress and status

As individual reviews are completed, have each leader report back to the core and leadership teams with a set of prioritized actions and milestones. Set up a frequent cycle of reporting to understand the progress of your GDPR compliance status. The spring of 2018 is clearly too late to be finding problems.

In conclusion

If your organization employs, partners with, or serves people who are citizens of the European Union, you are subject to GDPR. Given the detailed stipulations of the regulation, along with the threatening risk of steep fines, it’s not something you can get away with ignoring or procrastinating. As a board member, you’ll want to ensure the organizations you serve are prepared to meet the challenge and reduce the risk.

Corey E. Thomas is president and CEO of Rapid7. He is director of Blue Cross Blue Shield of Massachusetts and the Greater Boston Chamber of Commerce.