Recommendations from The United Kingdom's Information Commissioner's Office (ICO) to Prepare for May 2018. The European General Data Protection Regulation, better known as GDPR, will take effect on May 25, 2018. When it does, every business, organization, or government agency that collects information on European Union (EU) citizens (in other words, just about everyone) will be forced to radically change how it manages customer data and security. If you don’t, the cost of noncompliance is significant: fines can reach up to €20M ($23.5M) or 4 percent of annual sales, whichever is higher.

1. GDPR GUIDE:
12 STEPS TO TAKE NOW
Recommendations from The United Kingdom’s Information
Commissioner’s Office (ICO) to Prepare for May 2018

2. When the European General Data Protection Regulation (GDPR) takes effect on May 25,
2018, every organization that collects information on European Union (EU) citizens will
be forced to change how it manages and secures customer data.
Hopefully you’re already taking steps to ensure GDPR compliance, which includes
facilitating better data access, security, and management. This could impact your
organization well beyond just your development team, so getting a head start on
compliance is a good idea.
In the remaining time before GDPR takes effect, the United Kingdom’s Information
Commissioner’s Office suggested “12 steps to take now” to get ahead of GDPR’s impact
on your operations and processes. Here’s a quick recap.
GDPR is Fast Approaching

3. Building
Internal
Awareness
1

4. GDPR will impact your business in many ways, so make sure every decision-maker starts
to consider how GDPR affects their department. That means elevating security to the
board level, explaining what’s required for compliance, and making it a recurring topic.
It’s important to stress to others in your organization that GDPR isn’t just a data security
burden. The rules will influence how your product, communications, legal, and other
teams approach security. In bigger and more complex organizations, GDPR could even
force significant resource reallocations in order to have people focused on mitigating
risks, reacting to data requests, or ensuring compliance.
With a $20 million or more in potential fines, this is your opportunity to make security a
boardroom topic.
Building Internal Awareness1

5. Documenting
Your Data
2

6. GDPR focuses on user data, user access to their data, and your treatment of the
data. To fully comply, you need to understand what data you currently have, where
it comes from, what you do with it, where it’s stored, and who you share it with.
Depending on your data processes, this might be a significant, audit-like
undertaking.
Next year, if you’re compelled to take a GDPR-related action, such as deleting a
user’s data, you have to take that action along the entire process. If you don’t have a
detailed map of your data flow, you won’t be able to comply.
As you audit your data processes, document what you find and keep detailed
records. GDPR’s rules force you to prove compliance, which means having
documented policies and procedures in place.
Documenting Your Data2

7. Review Your
Privacy Policy
3

8. GDPR requires that specific privacy and data information be publicly accessible. This
includes details around data retention periods and users’ right to file complaints.
These new statements should be in your privacy policy, so it may need an update.
That means reviewing your current policy against GDPR to identify gaps and
potential conflicts.
Next, you’ll need to have your security, communications, and legal teams to
determine what needs to be changed, added, or deleted. Since this may take some
time, best to get started early.
Review Your Privacy Policy3

9. Define How
You’ll Facilitate
Users’ Rights
4

10. GDPR affords users many rights, such as access to their data, deletion of data, and
more. Unless you already offer avenues to manage many of these requests, you’ll
need to think about the processes, staff, and systems to put in place.
Think about what would be involved. How will users make a request? Who will
manage and respond to requests? How will you identify a particular user’s data?
How will you delete it, from where, and who will do it? If a user requests their own
data, in what form will it be transferred to them?
These types of requests will come up and GDPR only allows 30 days to comply.
Asking the questions now will save both time and resources later.
Define How You’ll Facilitate Users’ Rights4

11. Define Your
Data Request
Process
5

12. This is an extension of the previous step. You’ll need a mechanism for individuals to
make requests regarding their data, and if you have many users, it may become
overwhelming.
What’s more, you’ll only have 30 days to comply or to explain your refusal. That’s not
enough time to figure out your process on the fly, so get it defined now.
Also consider how you might handle a large volume of requests. If your process is
to have an individual or small team managing requests, what happens when they’re
out sick or can’t support dozens or thousands of simultaneous requests?
Think about the nuts and bolts as well. How will individuals submit requests (and
how will they know how to submit requests)? How will you communicate with
individuals? How will you comply with the 30 day requirement, and who will track
the duration of each request?
Define Your Data Request Process5

13. 6
Explain Why
You’re Collecting
the Data

14. GDPR requires that you state the reasons for collecting data, then document it and
explain it to your users. It further provides just 6 situations where lawful data
processing is allowed, such as the user has given consent and processing is
necessary for performance of a contract.
Beyond defining why you’re collecting data, you’ll need to allow review of your data
processing activities, and if requested, explain why you do it and why you believe it’s
lawful. Once again, your legal team will probably get involved, so acting now gives
them ample time to prepare.
Explain Why You’re Collecting the Data
We’re only halfway through, but the recurring theme here is that GDPR
requires accountability, so be sure to document everything.
6

15. Determine
How You
Gain Consent
7

16. A major consideration of GDPR is the consent you gain from users before you
collect or process data. But more than just gaining consent, GDPR’s rules might
impact how you seek, record, and manage that consent.
What’s important about how you treat consent is that it cannot be implied, inferred,
or even gained via pre-selected check boxes. It must also be informed consent, and
the language has to be unambiguous. The opt-in must be positive and separate
from that of other terms and conditions. Furthermore, if past consents don’t comply
with GDPR, you need to refresh the consent to meet the standard.
How you currently gain consent may need to change.
Determine How You Gain Consent7

17. Children
Have Special
Considerations
8

18. GDPR has two special statements directly concerning children and the protection of
their data. You may need to verify ages and potentially gain parental consent for
data processing if children accessing your systems are under age 16. Adding
complexity, individual EU member states can enforce GDPR’s rules to children as
young as 13.
What might take additional effort is GDPR’s rule that any attempt to gain a child’s
consent has to be in a “concise, transparent, intelligible and easily accessible form,
using clear and plain language,” which implies that it must be written in language a
child would understand.
If you do collect data from children, you’ll also need to determine how you’ll gain
their parental or guardian consent. GDPR further requires that consent to be
verifiable, so an audit trail is important.
Children Have Special Considerations8

19. Define How
You React to
Data Breaches
9

20. GDPR compels you to notify organizations or individuals in event of a breach that
concerns their data. Procedures should be in place to ensure you’re also working to
detect and prevent those data breaches.
Documentation is clearly a major part of GDPR, and you’ll need time to prepare the
documentation that supports your breach response process.
This step might also force you to look deeply into what types of data you hold, then
highlight when and where breaches would compel you to notify the appropriate
authorities.
Define How You React to Data Breaches9

21. Prepare for Data
Protection Impact
Assessments
10

22. GDPR requires “data protection by design and default”, meaning you have to
document how you design data protection into your overall organization. You’ll
further need to run data protection impact assessments when certain situations
occur, such as deploying a new technology.
Again, since these assessments could ripple throughout your organization, it’s
another reason to raise GDPR to the board level so everyone understands the
importance of any new workload.
For now, determine the situations where you would be required to run an impact
assessment and how you would facilitate it.
Prepare for Data Protection Impact Assessments10

23. Designate a
Data Protection
Officer
11

24. Someone needs to be responsible for complying with GDPR, and that’s your Data
Protection Officer, or DPO. It’s a role to be taken seriously, since they DPO is required to
have both the knowledge to understand their role as well as the authority to carry it out.
GDPR specifically states that “the data protection officer shall be designated on the basis of
professional qualities and, in particular, expert knowledge of data protection law and
practices and the ability to fulfil the tasks” related to their role. In other words, it’s not a light
responsibility to add to someone’s job description.
Furthermore, GDPR requires organizations provide DPOs with the “resources necessary to
carry out those tasks and access to personal data and processing operations, and to
maintain his or her expert knowledge.” And, also, “the data protection officer shall directly
report to the highest management level of the controller or the processor.” Those details
imply another level of expertise and authority that might impact your choice for DPO.
Designate a Data Protection Officer11

25. Determine Your
Supervisory
Authority
11

26. If you operate in more than one EU member state, you’ll need to determine your
one “lead authority”. It will generally be the member state where your EU “main
establishment” is located. Or it could be the member state where you make the
decisions about data processing.
This might be an easy decision, or it may require you to map out your EU
organization, where decisions are made, and how data is processed and stored.
Determine Your Supervisory Authority12

27. More to
Think
About

28. As GDPR looks to update and consolidate data regulations across the EU, many
questions still remain. If you collect data on EU citizens, you’re bound by these rules
and it’s imperative you understand how your data, security, development, and other
practices and people will be affected by these new rules.
Here are two additional items to consider:
○ Our recent blog post, Ready or Not, Here Comes GDPR, offers additional insights
into how GDPR might impact your business, specifically your security team.
○ GDPR requires you to look for, prevent, and investigate breaches. A great first step
is to define a process for white-hat hackers to alert you when they find
vulnerabilities in your applications. It’s called a Vulnerability Disclosure Policy
(VDP), and here’s a quick guide to help you create and publish your own disclosure
policy following industry best-practices.
More to Think About

29. Get Started with
Hacker-Powered
Security CONTACT US