This Sunday is Data Privacy Day, “an international effort held annually on January 28th to create awareness about the importance of respecting privacy, safeguarding data and enabling trust”[1]. With GDPR regulations coming into effect May 2018, data privacy is even more top of mind for all organizations.

If you are responsible for ensuring that your business meets its obligations under the GDPR, you are most likely either already down the path to compliance, or at least getting serious about plans to become compliant. Protecting against data exposure is becoming increasingly important as local, national, and international legal obligations place greater responsibilities on organizations to protect customer data in terms of compliance, breach notification, and monitoring.
[Image: Data Privacy Day infographic. Source: StaySafeOnline.org]

Here at Digital Shadows (now ReliaQuest), we focus on providing our clients with comprehensive data loss monitoring and management across the widest range of intelligence sources found in the open, deep, and dark web. Through the combination of data science and machine learning, and more than 50 intelligence analysts, our service enables them to mitigate risk and demonstrate a long-term commitment to European and other regulators on this important issue.

The GDPR is an evolution of existing European Union (EU) privacy legislation, ensuring that companies respect privacy, obtain proper consent, and responsibly protect the information and data under their control. While we recommend that clients seek legal support, a great deal can be achieved through the following eight activities:

  1. Scope Your Data – Make sure that you understand which data is in scope for your organization. This should include data about your customers and employees (where you act as a Controller), as well as data you process on behalf of other organizations (where you act as a Processor). The GDPR protects the personal data of individuals in the EU regardless of their nationality or where the data is stored, so data held outside the EU is still in scope. This exercise should also identify any special categories of data you hold, such as health information, and any data relating to children, since these attract additional obligations.
  2. Understand Data Transfer Agreements – Businesses need to clearly understand in which jurisdictions data is held and accessed from, and ensure that every transfer that takes place is properly accounted for. This is especially important if some of that data is transferred outside the EU: such transfers are only lawful where the destination country has been recognized as providing adequate protection, or where appropriate safeguards (for example, standard contractual clauses or binding corporate rules) are in place.
  3. Update Consent Methods or Legal Basis for Processing – Update the methods via which consent is sought from individuals, or how the legal basis for lawful processing of that data is established. This should include assurances that the spirit of the data protection principles has been respected.
  4. Prepare for Subject Access Requests – Individuals can already request a copy of the information an organization holds about them. Under the GDPR, businesses generally cannot charge individuals for access to their data (a reasonable fee is permitted only for manifestly unfounded or excessive requests) and must respond within one month of receiving the request. Individuals also have additional rights, such as the right to erasure (‘the right to be forgotten’), the right to rectification, and the right to data portability, all of which must be properly addressed.
  5. Prepare for 72-Hour Notification – New rules govern how quickly authorities must be notified in the event of a data breach. The GDPR requires data controllers to notify the national data protection regulator within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to those rights and freedoms, the affected individuals must also be informed without undue delay. Processors must notify their controllers without undue delay so that the controller can meet this deadline.
  6. Update Your Contracts with New Obligations – Legal contracts and policies must reflect suppliers’ obligations to their clients, including the updated consent and data protection requirements set out above. In particular, contracts between controllers and processors must set out the processor’s obligations, including its duty to report breaches to the controller.
  7. Update Your Privacy Policies and Statements – Ensure that the privacy policies and statements to consumers appropriately reflect obligations. The policies must be concise, transparent, intelligible, and free of charge. This includes the tailoring of language to different age groups; privacy information for children must be written appropriately.
  8. Designate a Data Protection Officer – Many organizations are legally required to appoint a Data Protection Officer (DPO). The requirement applies to public authorities, to organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and to organizations whose core activities involve large-scale processing of special categories of data (such as health data) or of data relating to criminal convictions. Organizations outside these categories may still choose to appoint a DPO as a matter of good practice.

To learn more about becoming GDPR compliant, check out our recent paper, The Path to GDPR Compliance, where we provide recommendations and the key resources that organizations can use to build customer trust and protect their brand.

If you want to get involved in this year’s Data Privacy Day efforts, visit StaySafeOnline’s website for more information.


[1] StaySafeOnline.org https://staysafeonline.org/data-privacy-day/about/