Preparing for General Data Protection Regulation (GDPR) – part IV


Guest blogger Richard Hancock continues his series on GDPR preparation.


Today is a very important day.  Exactly 1 year / 12 months / 52 weeks / 365 days until enforcement of the biggest revolution in data protection, subjects’ rights and organisations’ increased obligations!


At the very core of the GDPR principles, right alongside process and procedure documentation are both identity management and consent management.  Here, we’re going to look at both in some detail.


Let’s take consent management first.  At the heart of this principle are several guidelines:


  • Opted out by default
  • Consent must be explicit and in response to ‘clear, concise language’
  • For a specific purpose
  • Accurate, up-to-date and relevant
  • Changeable at any time, preferably by the user


This is in stark contrast to how the clear majority of organisations handle consent today.  You’ll find that upon purchasing a product or service from many vendors, you’ll be opted in for everything, including ‘marketing stuff’, and this was all buried in section 29 subsection f paragraph iii of the T&Cs.  First things first, you’ll have to analyse your website, your purchasing workflows and your contracts, and make some big changes.  ‘Marketing stuff’ now becomes a tick box for every reason you want to use it, so changes to your product feature set, alerts of new products coming soon and your spring flash sale equate to 3 checkboxes.


Once you’ve collected all of that consent, you’re going to need some way of managing and maintaining it.  Consent management tools are highly encouraged here.  They are purpose-built for this requirement and can streamline this process for you.  Don’t attempt to handle it all in Excel – it just won’t work.  Some companies I’ve spoken with want a ‘simple effective way’ of dealing with this area and believe me, a tool is the way to get it.  With anything more than a couple of dozen customers, anything else will very quickly become messy and unwieldy and consequently won’t get touched – instant violation.  Additionally, how are your customers meant to set and configure their own preferences on an Excel sheet in your local network drive?


Now you have all of the data and permission to use it, but not everybody in your organisation, or even department, will need to have access to it, so you need to demonstrate access control and justification.  If you are following the current trend and moving to a paperless filing system, make sure user rights are appropriate and adhere to “least privilege” practices.  Just because somebody manages that data does not mean they need access to it.  Are all of those documents encrypted at rest (see episode 3 for more information on this)?  What data classification and risk profile are assigned to those documents?  Where are the document repository hierarchy and structure detailed?  All of these things need to be considered and addressed properly.


In this area, again, technology will be your friend.  Use a tool to perform Identity Access Management (IAM).  No manual method is going to give you on-demand reporting on who has access to what, why, and under which authorisation they have that access.  IAM solutions will streamline your process flows and increase efficiency by tangible amounts.  The administrative overhead of provisioning, managing and maintaining AD accounts, CRM accounts, network resource access and file-level access is immense and nigh on impossible without a digital assistant.


If you are keeping some paper-based records, remember the regulation also applies here.  Also note that you need to be able to demonstrate “additional security measures” around the storage and access of PII.  Can you put an extra lock on the HR office door?  Do you need a dual authorisation safe?  Document who has keys to which cupboards and why.  Think laterally about the information you are collecting, as some might not be instantly obvious as sensitive.  Your employees’ healthcare registrations, for example, likely name their partner as a beneficiary, which instantly declares their sexual orientation.  Sensitive data attracts even greater responsibilities and stronger controls.



Richard Hancock is a guest contributor and is Data Protection Officer for GMO GlobalSign, a leading Certificate Authority and encryption solution provider. 
