GDPR – Starter Guide

“Data is the new oil” is a statement that captures the philosophy underlying every information security regulation in today’s world.

Securing and protecting this data is one of the most important tasks at hand for organizations as well as nation-states. As a result, we are observing a huge surge in data privacy regulations being adopted or enforced by countries and regions including Singapore, China, Europe, the UK, India, the US and more.

GDPR (General Data Protection Regulation) is one of the most widely recognized privacy regulations. GDPR was adopted by the EU in 2016 and has been enforceable since 2018 for all organizations operating in the EU (including the UK) and handling the data of EU citizens or residents.

In preparing their companies to comply with this regulation, the question that continues to haunt CIOs, CTOs and CISOs is “Where do we start?”

Download the GDPR Starter Guide Checklist here:
GDPR Starter Guide Checklist

This blog will act as a quick starter guide for GDPR.

Step One – Is GDPR applicable for my organization?

Information qualifies as personal data under GDPR when any individual can be directly or indirectly identified from it. The identification may rest on a single identifier or on a collection of identifiers.

Assess whether your organization handles (stores, transmits, processes or controls) personal data in the course of professional or commercial activity.

  • If yes, check whether your organization operates in the EU or the UK. If it does, GDPR applies.
  • If no, check whether your organization is nonetheless operating in the EU / UK and processing personal data; if so, GDPR applies as well.

Step Two – Are we a Controller or a Processor?

Identifying whether you are a Controller or a Processor, based on the kind of business or operations that you run, is also critically important.

  • Controllers are entities who exercise overall control over the purposes and means of the processing of personal data. Controllers are the decision-makers when it comes to handling or processing personal data. If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.
  • Processors act on behalf of, and only on the instructions of, the relevant controller. In most cases, processors act as outsourced partners or third-party partners for the controllers.

Step Three – Appoint a DPO

A Data Protection Officer (DPO) is required if you are a public authority or body, or if you carry out certain types of processing activities. However, a DPO role is a good-to-have whether you are required to have one or not.

  • The DPO should be an independent role reporting directly to the highest level of management in the organization.
  • The DPO should be responsible for all matters related to data protection. The DPO will be tasked with monitoring internal compliance, informing and advising on the organization’s data protection obligations, and providing advice regarding Data Protection Impact Assessments (DPIAs).
  • The DPO’s contact details should be published internally to all employees and made available to everyone, including regulators.

Step Four – Data Minimization

Data minimization requires you to identify the personal data being handled or processed by your organization. Additionally, you will need to identify the locations where this personal data is present. It is recommended to use an automated data discovery tool like ControlCase Data Discovery Tool.

Once the personal data locations and data types are identified, you need to maintain a data matrix recording them. All unnecessary data that is processed or stored should be securely removed from the environment.
You must ensure that the personal data you are processing is:

  • adequate
  • relevant
  • limited to what is necessary

Step Five – Consent

GDPR mandates that personal data from customers cannot be stored, handled or processed by the organization without written consent from the customer or consumer.

Consent can be registered and archived in one of several ways:

  • In countries where there is a legal requirement for hard copies, organizations can provide download links for forms which customers can read, sign and return to the organization as their consent.
  • The other most widely accepted and implemented method is to have a disclaimer page covering all the necessary terms for consent regarding the storage of data or website cookies, together with an accept checkbox which, once ticked, acts as formal consent from the user.

It is recommended that the terms include the exact personal data parameters which will be captured, processed and stored. They should also include guidance on how the data is going to be protected, with a brief outline of the controls that will ensure the data is maintained with its integrity intact and without loss, unauthorized access or theft.

The organization also needs to provide assurance that the data will not be shared with any other entities without explicit consent from the customers. The organization should have a well-documented and implemented plan to ensure the safety and security of the personal data at rest within the organizational environment.

A data retention policy and guidelines based on regulatory, legal and other local-law requirements should be documented and implemented as well.

A sample template used for Consent Form can be downloaded here:
GDPR Consent Form Download

Step Six – Privacy by Design & Security

Privacy by Design is a concept in GDPR under which privacy requirements must be an integral part of any project from the conceptualization or design stage, which ensures that ‘data protection by default’ can be achieved.

Along with the privacy aspect, the security aspect is also covered by data protection by default. This is where a “defense in depth” approach is the ideal methodology, layering controls for data protection from physical security down to data or endpoint security.

Some of the aspects which can be covered in this include:

  • Encryption of personal data
  • Monitoring of attacks on systems processing personal data – Continuous Compliance
  • Vulnerability Assessments
  • User Reviews
  • Penetration Testing
  • Application Testing

Step Seven – Rights of Individuals

Standard Operating Procedures and defined processes need to be identified and implemented to ensure the rights of individuals are addressed.
These rights include, but are not limited to, the following:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making including profiling

Step Eight – Data Protection Impact Assessments (DPIA)

After completing all of the above steps, performing a DPIA is recommended.

A Data Protection Impact Assessment (DPIA) is a process that helps identify and minimize the data protection risks of a project.

  • It should be conducted by an independent organization with expertise in assessing or auditing data protection and data privacy risks.
  • The DPO should be consulted during the DPIA and would be expected to sign off on the findings documented in it.
  • Where the DPIA reports critical, high-risk findings, there needs to be a concentrated effort to mitigate them, monitored and guided by the DPO.
  • If any such finding cannot be mitigated and may result in a breach, the regulatory body needs to be informed. The regulatory body will respond with the actions to be taken before processing of the data commences.

The above steps are good starting points on the GDPR journey; however, since this is a complex and comprehensive regulation, there are many details that will vary from organization to organization. There are also exceptions which can be used to further optimize the GDPR implementation.

For a detailed understanding of GDPR applicability for your organization or to perform a Data Protection Impact Assessment (DPIA) with the ControlCase Privacy Experts please contact us at contact@controlcase.com.
