With record-breaking GDPR fines and penalties reaching 50 million euros, it might be time to revise your GDPR compliance strategy.
Fear of fines should not hold you back from achieving the best from your marketing or business endeavors. Using a well-trusted compliance provider can save you headaches and high GDPR penalties.
Read on to find out how you can avoid heavy levies.
The GDPR has been in effect for two years now. It’s possible that your organization has reached its threshold of regulatory fatigue, and we don’t blame you. Here are the basics of the GDPR and what it is attempting to accomplish as a quick refresher.
- The GDPR is a data privacy regulation that protects the Personally Identifiable Information (PII) of EU citizens and residents, known by the law as Data Subjects.
- In effect since May 2018; any organization handling the data of EU data subjects must comply with the regulation.
- It is privacy-oriented and geared toward the protection and privacy of PII of data subjects.
The regulation is infamous for its hefty fines.
The GDPR sets out two separate brackets of penalties for regulatory breaches.
- Lower bracket: 10 million euros or 2% of global turnover, whichever is higher
- Higher bracket: 20 million euros or 4% of global turnover, whichever is higher
With the two brackets laid out, the minimum fine for a GDPR breach is 10 million euros. This seems incredibly steep for SMEs. But fret not; it takes a while before a “fine verdict” is reached, with ample opportunities to take corrective action.
We now know the worst-case scenario for a regulatory breach, and therefore what we need to avoid, but how do you avoid it?
Easy. All it takes is compliance…
Well, that is easier said than done. But there are some general principles that you can follow that will set you on the right path toward compliance, and more importantly, put you in good standing with regulators, and those are (in no particular order):
- DPO, DPIA
- Data Mapping
- Purpose of Storage
- Avoid Data Lakes
In the coming sections, we will explore each of these principles in more detail.
Several articles in the GDPR ask organizations to employ encryption techniques, so one easy way to avoid GDPR penalties is to encrypt your data.
The regulation itself only requires that you “pseudonymize” personally identifiable information. In the wider security community, doing this well is considered difficult, if not impossible. So as a matter of privacy best practice, you should anonymize as much PII as possible, if not all of it.
This anonymization pays off in a data breach, as the data effectively becomes useless to any attacker.
Encryption is also a great way to anonymize data without losing the ability to process it (strictly speaking this is pseudonymization, since whoever holds the key can reverse it). As long as you hold the keys to decipher, the data remains usable to you and your organization but not to attackers.
You can take this a step further and encrypt communication channels within the organization so that bad actors cannot intercept data in transit.
Keep in mind that this is the only real “technical” requirement laid out by the regulation. So if you are concerned about GDPR fines and penalties due to a lack of technical measures, do not worry too much about that.
Most reputable data storage vendors will apply some form of encryption when using their services, and it is best to only use those that have prioritized security.
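As an added example (not code from the original article or from RSI Security), the following Python shows the pseudonymization described above done with a keyed hash: each e-mail address is replaced by an HMAC-SHA256 token, so records about the same person can still be joined and totalled, while nobody without the secret key can recompute or reverse the token. The sample records and the 32-byte key are constructed for this example; the contrast function shows why a plain, unkeyed hash does not give the same protection.

```python
import hashlib
import hmac

# Constructed sample records for this example; names and addresses are invented.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "order_total": 42.00},
    {"email": "bob@example.com", "order_total": 17.50},
    {"email": "Alice@Example.com ", "order_total": 8.25},  # same person, messy input
]


def _normalize(value: str) -> bytes:
    """Canonicalize before hashing so the same person always yields the same token."""
    return value.strip().lower().encode("utf-8")


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym for one PII value.

    HMAC-SHA256 under a secret key gives a stable token, so records about the
    same data subject can still be joined, but nobody without the key can
    recompute or reverse it. The key is the "additional information" that is
    stored separately from the pseudonymized data set.
    """
    if len(key) < 32:
        raise ValueError("use a key of at least 32 random bytes")
    return hmac.new(key, _normalize(value), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of the value, shown for contrast: anyone who can guess the
    input can recompute it, so it does not protect the data like a keyed token."""
    return hashlib.sha256(_normalize(value)).hexdigest()


def pseudonymize_records(records, key: bytes, fields=("email",)):
    """Replace the listed PII fields in every record with keyed pseudonyms."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in fields:
            if field in new:
                new[field] = pseudonymize(new[field], key)
        out.append(new)
    return out


def totals_per_subject(pseudonymized_records):
    """Processing still works on pseudonymized data: per-subject order totals."""
    totals = {}
    for rec in pseudonymized_records:
        totals[rec["email"]] = totals.get(rec["email"], 0.0) + rec["order_total"]
    return totals


def re_identify(token: str, candidates, key: bytes):
    """Only the key holder can map a token back to a subject, and only by
    checking it against values it already holds (e.g. the separately stored
    customer list). Returns the matching value or None."""
    for value in candidates:
        if hmac.compare_digest(pseudonymize(value, key), token):
            return value
    return None


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # generate and store separately from the data
    pseudo = pseudonymize_records(SAMPLE_RECORDS, key)
    print(totals_per_subject(pseudo))
    print(re_identify(pseudo[0]["email"], ["bob@example.com", "alice@example.com"], key))
```

Using a different key for a different processing purpose yields unrelated tokens, so two data sets cannot be joined across purposes even by someone who obtains both; rotating or destroying the key is what turns the tokens into effectively anonymous data.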
Other requirements are mostly focused on people or processes, which we will get into now.
Make Use of Your Data Map
Data mapping will become your best friend if your organization finds itself in the middle of a security event or after the dust has settled.
A good data map may be the one thing that could save your organization from a fine. With the data map, a Data Protection Authority (DPA) could see that all measures were taken to secure data in storage, transit, or during processing. So ensure that your organization takes the right approach and develop a robust data map.
Data Mapping in the GDPR
You can think of a data map like a detailed inventory of organizational assets, but including only PII.
With data mapping, you take it one step further by noting the data collection, storage, and processing, and its connected network. Below we have a simple example of what one might look like.
The regulation requires that you know exactly where your data is being stored and processed, and a data flow map will show you and the regulators that you have a handle on the situation.
Why a data flow map will be useful in the event of a breach:
- You can track the systems that have been hit and lock down any connected vulnerable systems, making containment easier.
- You know what is missing because you know where it should be and where it shouldn’t.
- You and authorities can assess the severity of the breach more effectively.
- It demonstrates good practice to the local DPA.
- It becomes easier to implement incident response plans when a data flow map is present.
Data flow mapping is a way to avoid GDPR fines and penalties. And combined with everything else in this article, you are on the road to GDPR compliance.
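The data flow map above is a graph: systems that hold or process PII, what they hold, how it is protected, and where the data flows next. As an added example (not code from the original article or from RSI Security), the Python below models such a map and answers the breach-time questions listed above: which downstream systems must be contained after one system is compromised, which PII categories are exposed, and which stores lack encryption at rest or in transit. All system names, categories and control flags are constructed for the example.

```python
from collections import deque

# Constructed data flow map for this example. System names, data categories and
# control flags are invented; a real map is built from your own inventory.
DATA_FLOW_MAP = {
    "web-form": {"pii": [], "encrypted_at_rest": True, "tls": True,
                 "flows_to": ["crm-db"]},  # processes PII but stores none
    "crm-db": {"pii": ["name", "email", "phone"], "encrypted_at_rest": True, "tls": True,
               "flows_to": ["analytics", "mailer", "backup-bucket"]},
    "analytics": {"pii": ["email"], "encrypted_at_rest": True, "tls": True, "flows_to": []},
    "mailer": {"pii": ["email"], "encrypted_at_rest": False, "tls": True, "flows_to": []},
    "backup-bucket": {"pii": ["name", "email", "phone"], "encrypted_at_rest": False, "tls": False,
                      "flows_to": []},
}


def downstream(dmap, system):
    """All systems that receive data (directly or transitively) from `system`.
    After a breach this is the containment scope: each may hold a copy of the
    exposed data and should be isolated and checked."""
    if system not in dmap:
        raise KeyError(f"{system} is not in the data flow map")
    seen, queue = set(), deque(dmap[system]["flows_to"])
    while queue:
        nxt = queue.popleft()
        if nxt in seen:
            continue  # tolerate cycles in the map
        seen.add(nxt)
        queue.extend(dmap[nxt]["flows_to"])
    return seen


def upstream(dmap, system):
    """Systems that feed `system`, so you know where missing data came from."""
    return {name for name, entry in dmap.items() if system in entry["flows_to"]}


def exposed_categories(dmap, compromised):
    """Union of PII categories held on the compromised system and everything
    downstream of it: the input for assessing breach severity."""
    affected = {compromised} | downstream(dmap, compromised)
    cats = set()
    for name in affected:
        cats.update(dmap[name]["pii"])
    return cats


def control_gaps(dmap):
    """PII stores lacking encryption at rest or in transit, as a sorted list of
    (system, issue) pairs so reports are stable."""
    gaps = []
    for name, entry in dmap.items():
        if not entry["pii"]:
            continue  # nothing stored here
        if not entry["encrypted_at_rest"]:
            gaps.append((name, "no encryption at rest"))
        if not entry["tls"]:
            gaps.append((name, "no encryption in transit"))
    return sorted(gaps)


if __name__ == "__main__":
    print("containment scope for crm-db:", sorted(downstream(DATA_FLOW_MAP, "crm-db")))
    print("categories exposed:", sorted(exposed_categories(DATA_FLOW_MAP, "crm-db")))
    for system, issue in control_gaps(DATA_FLOW_MAP):
        print(f"gap: {system}: {issue}")
```

Run before an incident, `control_gaps` is the evidence that measures were taken for data in storage and in transit; run during one, `downstream` and `exposed_categories` give the containment list and the severity input that the incident response plan needs.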
Know Why You are Storing Data
You may have a cupboard in your house known as “that cupboard.” You fill this cupboard to the brim with knick-knacks that you find around the house; you do this because you have not organized a place for those things. One day you might even question the reason you still have these items.
Organizations often do the same with data.
Your organization should ask itself: “Just because I could doesn’t mean I should.” For example, as a SaaS provider you could collect customers’ birthdays (or even shoe sizes), but should you? That is, is it really necessary to your business operations?
Most of the time, the answer will be no. There are occasions where specific industries will need more detailed KYC (know your customer) information, but for most, this is just excessive data collection, and regulators do not look kindly on that.
These excessive levels are referred to as “data lakes.” Currently, there is no incentive not to collect that amount of data, but regulators will inquire why you are collecting that type of data, and if your answer is “I don’t know,” then you are in trouble.
So step one would be to know the purpose of collection and processing; here is an example of a correct and an incorrect purpose.
Pharma Company LTD.
- Collects Medical Data
  - Purpose of processing: prescribe the correct medication
- Collects Customer Shopping History
  - Purpose of processing: recommend new medication via advertising
In the above example, case one, even though it deals with highly sensitive PII (health records), the GDPR sees this as a “legitimate interest.” This is because it is critical to the business operation of the organization. As long as the proper consent mechanism is set up and adequate protection is implemented, this data processing is legal.
However, in case two, this is not so. The purpose of processing is not conducive to a pharmaceutical company.
Although this type of collection is akin to that of a marketing company, this does not mean that the data cannot be processed or even collected, but the “legitimate interest” is no longer valid here.
And without express consent from their customers, this would be seen as illegal processing.
One thing to note: data collection for marketing purposes is, in most cases, not necessary to the business operation, and consent must always be asked for.
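The reasoning in the Pharma Company LTD example can be applied to a whole records-of-processing inventory. As an added example (not code from the original article or from RSI Security), the Python below encodes the article's own decision rules: every data set needs a documented purpose, a marketing purpose cannot rest on legitimate interest and needs express consent, and highly sensitive data needs a consent mechanism and protection measures. The records, field names and rules are this example's simplification for illustration, not a legal analysis; a third "that cupboard" record with no purpose is constructed to show the missing-purpose case.

```python
# Constructed records of processing, modelled on the article's Pharma Company
# LTD example plus one "that cupboard" entry with no stated purpose. Field names
# and decision rules are this example's simplification of the article's
# reasoning, not a legal analysis.
RECORDS = [
    {"dataset": "medical records", "categories": ["health"],
     "purpose": "prescribe the correct medication", "purpose_type": "core_operation",
     "lawful_basis": "legitimate_interest", "consent_mechanism": True,
     "protection": ["encryption", "access_control"]},
    {"dataset": "customer shopping history", "categories": ["purchase_history"],
     "purpose": "recommend new medication via advertising", "purpose_type": "marketing",
     "lawful_basis": "legitimate_interest", "consent_mechanism": False,
     "protection": ["encryption"]},
    {"dataset": "customer shoe size", "categories": ["shoe_size"],
     "purpose": "", "purpose_type": None,
     "lawful_basis": None, "consent_mechanism": False, "protection": []},
]

# Categories the article treats as highly sensitive PII (health records).
SENSITIVE_CATEGORIES = {"health"}


def review_record(record):
    """Return a list of problems with one processing record; empty means OK."""
    issues = []
    if not record.get("purpose"):
        issues.append("no documented purpose: stop collecting or document why it is needed")
    if record.get("purpose_type") == "marketing":
        if record.get("lawful_basis") != "consent":
            issues.append("marketing purpose: legitimate interest does not apply, "
                          "express consent is required")
    elif (record.get("lawful_basis") == "legitimate_interest"
          and record.get("purpose_type") != "core_operation"):
        issues.append("legitimate interest claimed for a purpose that is not core to operations")
    if SENSITIVE_CATEGORIES & set(record.get("categories", [])):
        if not record.get("consent_mechanism"):
            issues.append("sensitive data: consent mechanism not in place")
        if not record.get("protection"):
            issues.append("sensitive data: no protection measures documented")
    return issues


def review_all(records):
    """Map each data set name to its list of issues."""
    return {rec["dataset"]: review_record(rec) for rec in records}


def compliant(records):
    """Names of the data sets that pass every rule, in inventory order."""
    return [rec["dataset"] for rec in records if not review_record(rec)]


if __name__ == "__main__":
    for name, issues in review_all(RECORDS).items():
        print(name, "->", issues or "OK")
```

In the constructed inventory the medical records pass, the shopping history fails until its lawful basis is changed to consent, and the shoe-size data fails simply because nobody can say why it is kept, which is exactly the answer the article warns regulators will not accept.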
Use A DPIA
Is your organization thinking of taking on a new project or developing a new product?
Before you go on, you must think about the Data Protection Impact Assessment (DPIA).
This tool is a process laid out by the regulation that requires the organization to think about whether new projects, products, or services could affect data subjects’ privacy.
A DPIA is an excellent way to avoid regulatory headaches during the product or service lifecycle.
What should a DPIA contain?
A DPIA should outline the risks of new projects. Generally, the type of information that a DPIA contains is:
- Context, nature, and scope of the project
  - Is it a product?
  - Is it intended to be used as an internal or external tool?
- What kind of data needs to be collected?
- What are the risks to the data subjects?
  - Could a breach lead to increased fraud and identity theft? (very high risk)
  - Loss of the data results in minimal exposure of data subjects’ privacy. (low risk)
- What measures will be taken to mitigate the risks?
  - Staff awareness in the handling of PII
Once you have this information, you can develop a DPIA template. Anyone in the organization can then use this template for initiating new projects, and it will form part of the organizational cyber risk management framework.
Integrating the DPIA into the broader cyber risk framework will also show good standing with regulators. The privacy impact on data subjects becomes a matter of cybersecurity risk within the organization and not just a compliance checklist feature.
Finally, the better you understand the risk of privacy breaches, the more informed your decisions will become going forward, which will inevitably reduce the chances that a DPA fines you for GDPR breaches.
Hire a DPO
The most impactful way you can avoid GDPR penalties is to have an active Data Protection Officer (DPO). Under the regulation, larger organizations and public bodies are required by law to have a DPO. Smaller organizations that may not have the resources are not required to have a dedicated DPO, but it is good to have someone on hand, possibly in the form of DPO as a service.
The DPO is an individual whose responsibilities are to keep the organization on the right side of the regulation. The DPO should remain unbiased, so they should not form part of the organization’s primary business entity. This detachment ensures that there is no conflict of interest.
How They Can Help You Avoid GDPR Penalties
The very roles and responsibilities of a DPO are to help you avoid GDPR penalties. They can help you map out a compliance strategy, advise you on the newest best-practice data privacy models, and let you know the organization’s shortcomings so that you may make amends.
One thing that you should keep in mind if you are worried about GDPR penalties is that the DPA is on your side. Regulators don’t prosecute for the sake of it. Most fines occur due to gross misconduct.
Your organization’s attitude matters the most; yes, you should comply with the regulation; yes, you should attempt to implement the tips outlined in this article. But most importantly, you should care about the privacy and protection of individuals’ data.
With this attitude, you will surely avoid any penalties as the organizational culture will build the compliance structure, and it is unlikely you or your staff will mishandle PII.
Are you looking to comply with the GDPR? Or are you concerned about the privacy and data protection situation in your organization?
We can help: RSI Security’s compliance experts can build your compliance strategy, so get in contact today and book a free consultation.