GDPR – The 20 Million Euro Elephant In The Room

Where do we start and where do we look for the personal data?

The GDPR was published and came into force back in May 2016, regardless of people thinking it comes into play in May 2018. It becomes enforceable by the Supervisory Authorities from the 25th of May 2018. So in essence organisations have had nearly a year to start complying and now have just over a year to become compliant.

Many organisations have already started their programmes, but astonishingly over 50% are yet to do anything about legislation that will bring balance-sheet-breaking fines for non-compliance. Many organisations are struggling to define a strategy or an approach to tackling this juggernaut. Others with a good grounding in the DPA and in information or cyber security have made strides already. Those organisations that are struggling are asking:

  • Where do we start?
  • How do we find out where our data is?

Indeed, I have been asked to present to 20 or so CISOs from top UK companies, struggling to answer exactly these questions.

So where should organisations start? Firstly, there are three milestones that organisations should be aiming for. These are:

  1. The work required to get you to the starting line.
  2. The work required to get you to the finishing line before midnight on 24 May 2018.
  3. Then the continuous compliance to ensure the privacy and security of data is maintained.

As people are struggling with the first, I will try to explain at least what can be done to get going. Two and three would require a much longer series of articles and are outside the scope of this discussion.

Why is it so difficult?

As with any project or programme resulting in major expenditure, the support of the organisation’s top-level management is needed. Having worked in security for some 20-odd years, it has been drilled into me that for security initiatives to succeed you need senior management buy-in. Especially as security is rarely seen as tangible or as positively affecting the balance sheet until you have a breach; then they say, well, what did we spend all the money on? They never say, well, this could have been much worse, or we could have had many more breaches if it wasn’t for security. Regulatory compliance, however, is a different matter. Does the Board need convincing?

Do you really need to convince your Board about GDPR?

The huge fines and the reputational damage it will cause should get their attention. This is not the same as certifying to ISO27001. Other than the loss of potential business or a data breach, there is no great legal driver for a business to certify to ISO27001, and so you find many just conform or comply. The same goes for PCI-DSS, which has more clout than ISO27001 but is an industry certification, not a legal requirement; GDPR is. It is a must for small to large organisations if they process EU personal data. This applies regardless of Brexit if you are a UK organisation, and especially if you are an EEA organisation. So this one should be straightforward, a no-brainer to get the Board on board. Yet many organisations, indeed greater than 50 percent, have not done anything about it. Some can’t get the Board to release budgets; others just don’t know where to start. Start with getting your Board on side, but how do you do this?

Marshal some help

You can do two things. If you are the CISO/CIO, you need to first educate and enlist the heads of your businesses, including Legal and Marketing. These are the people who will be most impacted by the GDPR. They will be your greatest supporters. The legal department has an interest because they do not want the company to break laws, and the marketing people because they cannot do their jobs without personal information.

Brief the Board on GDPR and the impact of non-compliance on the organisation. Send them to seminars, or present to them on GDPR. Even bring experts in to explain. The ICO website and most large legal firms have lots of bite-size information on GDPR. The ICO’s 12 Steps to GDPR is a good start. The IAPP’s awareness guide provides an excellent overview.


Which Ocean to boil first?

Now that you have your funding and support, your project brief and PID in hand, and have assembled the project team, you need to understand the scale of the issue. To do this you need to establish:

  • What personal data you hold?
  • Where the data is stored?
  • What the data is used for?
  • Who is the data controller?
  • Who is the data processor?
  • Do you have valid consent and/or another legal reason for processing?
  • Can you still use this data, or will you need to obtain consent?
  • Who uses the data?
  • Where was the data obtained from?
  • How was it obtained?
  • Is there any data belonging to under-16s?
  • Are there any special categories of data?
  • Do you have adequate security controls around the data?

There’s a lot more that needs to be done, but this is a good start.

Where can the personal data be?

To be able to answer the first fundamental question as to what data you hold, you need to know where the data is held. This will include data stored in any structured non-digital filing system. As a security-conscious organisation you should already know the answer; you just have to look at your asset register, right? Well, perhaps not. The problem is that a lot of organisations do not have an asset register of their critical data, let alone personal data, and if they do, it’s not always accurate, up to date or authoritative.

Okay, so where can the data be? Well, I will hazard a guess. How about starting with your CRM? Most organisations hold a list of their customer data there in some form. Some top CRM systems include:

  • Salesforce
  • Microsoft Dynamics CRM
  • HubSpot
  • Insightly
  • Infusionsoft
  • Zoho CRM
  • Oracle CRM On Demand
  • SAP

What about marketing databases, service desk/helpdesk systems, mailing lists, SharePoint, surveys or just plain contact lists or spreadsheets? It should be noted that GDPR Article 30 requires organisations to keep a register of personal data.

For internal data, you would want to include your HR database, Global Address List and Directory Services. And what about all the CVs in the emails and drawers of hiring managers? Don’t forget the backups and archives, and cloud-based storage such as:

  • Google Drive
  • Box
  • Microsoft OneDrive
  • Hightail
  • Citrix ShareFile
  • Dropbox Business

Don’t forget your social media presence, analytics, web chats and emails; security monitoring logs will also contain some personal data.

What next?

Once you have accounted for your personal data, you can start assessing your readiness for GDPR. The above set of basic questions will help you assess your readiness and provide an indicator of where your risk of non-compliance is, and therefore where your focus should be.

You will want to follow this up with a more detailed gap analysis against the Principles and Articles, starting with the Principles and then the Articles. At the highest level, the Principles should give you the 50,000-foot view of where a DPIA should be executed. As there are material changes brought on by the GDPR, a DPIA would be required to assess the impact on the data subject. In any case, the GDPR requires a DPIA compliance review at least every two years and on changes to the processing of the data.

You can, in parallel, start looking at your policies and processes, starting with your data protection and privacy policies, cookie policy and data retention policy. The privacy policy (see our sample privacy policy) will need a complete overhaul to include all the new subject rights afforded by the GDPR, including consent, consent withdrawal, the right to correction and to cessation of automated processing, retention periods, DPO contact details, etc.

Organisations will have contracts with data processors and outsourcers; both onshore and offshore contracts will be impacted and will therefore need to be updated. This too can be done in parallel. You will want to check with your processors to ensure they too are becoming GDPR compliant.

This is in no way meant to be a comprehensive list of where your data could be and what you need to do to get started, but it is a starter for ten. I hope the article provides some signposts for organisations to start tackling some of the pertinent GDPR issues.


About the author: Moyn Uddin is a data protection professional. He is an IBITGQ certified GDPR Practitioner.