- June 13, 2019
GDPR Compliance One Year Later: How’s Your Privacy Posture?
Although preparing for the General Data Protection Regulation (GDPR) compliance was a different challenge than being ready for Y2K, both deadlines had one thing in common—the sky didn’t fall once they came and went. But when it comes to compliance, the deadline never really passed.
If you met the GDPR compliance deadline last May, your work is still ongoing—being prepared for it, like any other privacy regulation, is a continuum of internal readiness. At first glance, GDPR readiness appears to be just another security exercise, but it should have prompted you to think differently about the data you store and process.
Know your data is—in transit and at rest
As much as GDPR is about privacy, it requires you to be transparent in that you must have complete visibility as to where your customer data is stored and where it flows—how does it move across borders within the European Union and beyond? Remember, the data you must keep private is dictated by European citizenship, even if you’re based in Canada, and it’s a living entity. Documenting it for the initial deadline wasn’t enough.
If you’re handling sensitive financial data or Personally Identifiable Information (PII), any documentation and data processing activities must be transparent and demonstrate accountability today and tomorrow. You should always be re-evaluating your current data governance practices and policies as part of your GDPR compliance and improving them as needed.
Plan for the worst
Long before GDPR was even a spark of an idea, data breaches were par for the course. The European privacy legislation is just further impetus for having a clear picture of where your data is most vulnerable.
GDPR requires that you have a disclosure process in place if a breach occurs—affected customers must be informed within 72 hours—although there are a few exceptions. You should be conducting regular fire drills to test the effectiveness of your data breach response procedures, just as you would any disaster recovery plan. This testing can also be applied to breach notification guidelines for the updated Canadian privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Do you still have consent?
A key aspect of GDPR, as with PIPEDA, is getting a person’s consent to process their data. Even more importantly, you must be able to honour a request to have that consent withdrawn—that’s why understanding how your data flows is so important. You can’t be certain someone’s data is no longer be used if you don’t know for certain where it’s been collected and stored—it also could have been duplicated. You must also ask for reaffirmation of consent if how you use PII changes.
The consent aspect of privacy regulation further cements the need for pristine record keeping. This includes disclosing to the data subject as to whether any third parties need access to their data to deliver products and services. Your data auditing for GDPR or PIPEDA must reflect any changes to the processing of the data, even backing it up.
Be ready to the roll with the changes
Being prepared for any privacy legislation means maintaining a constant as there will be changes and updates.
GDPR will likely evolve over time, just as PIPEDA has been reviewed updated since being introduced more than 15 years ago. You can’t sit on your laurels for having met last year’s deadline. Privacy regulation compliance should be integrated into your operations. Customer data is rarely static, so your procedure for tracking and protecting it shouldn’t be either.