How to Implement General Data Protection Regulation (GDPR) in your Organization?

By 25th May 2018, most of the organizations, either located in EU or offering services to EU citizens, shall have adopted the requirements of General Data Protection Regulations (GDPR). Or, at least, they will be required to. In case you are a late adopter, we would like to share with you our proven approach to implementing GDPR-compliant Information Security Management System in an organization.

GDPR introduction

General Data Protection Regulation defines our fundamental rights, as individuals, in the context of the personal data processing. Then, it also defines the bases for the processing of personal data by an organization and lists requirements towards personal data security that such an organization should meet.
GDPR is applicable in the following cases (Article 3):

1. An organization is located in EU and is engaged in personal data processing, regardless of whether the processing takes place in the Union or not
2. An organization is located outside of EU but:
   1. processing takes place in the context of offering goods or services to EU citizens
   2. processing takes place in the context of monitoring EU citizens

In case you would like to understand your Organization’s obligations, please read more in our article about General Data Protection Regulation (GDPR): What does it change?

GDPR implementation

So what does it take to implement GDPR in your organization? At this point, we recommend a tool called Organization Management System that specifies, implements GDPR requirements as well as focuses on secure processing of personal information in your organization . Sounds scary? It shouldn’t – with the help of ins2outs it is not that complicated.

Document personal data categories

The first step is to document what categories of personal data you have processed as an organization. You can be either a Controller or a Processor. As a Controller under GDPR, your Organization decides about the purpose of the data processing. As a Processor, you process the data at the request of the data Controller. In both cases you should create a record of processing activities or categories of processing activities. Both records are part of a standard GDPR know-how set on ins2outs
Should you wonder what the examples of data categories there could be – here comes the list of some examples:

1.  Your clients’ data
2. Your marketing data
3. Employees’ HR data
4. Employees’ company e-mail – I would advise treating it as a separate category, as it is commonly shared, and has a different risk level from the other categories
5. Candidates for employment (CVs)

Conduct risk assessment

Secondly, as you know, if you have the record of categories of personal data you process, you should conduct risk assessment for each of those categories. Risk assessment is about identifying threats to personal data and calculating a risk level for them, based on the probability and the risk impact on the organization. It might sound complicated but with the process at hand and the templates for risk assessment it can be easily accomplished.

Decide on risk treatment

Then, as you have your risk assessment ready, you should concentrate on those risk levels which are unacceptable for your organization. You will be selecting and deciding about security measures which, once implemented, will help you to bring the risk level down to the acceptable level. From the GDPR perspective, you can treat the risk in three main ways:

1. Technological measures – data encryption, backups, and monitoring of your infrastructure are some of the security measures referenced directly in the GDPR.
2. Organizational measures – it’s all about defining your information security management system. You will introduce policies and train your employees , as the security of each system depends on competent and security-conscious personnel.
3. Contractual measures – when using other companies’ services for data processing, you will be obliged to regulate the way another company offers its services or products in respect to GDPR and personal data security.

Your decision will be then documented in a Risk Treatment Plan which is used to guide and control the implementation of ISMS in your organization.

Implement personal data security measures

Now it is time to implement the security measures you have chosen. We identify that as a separate step, as this is usually a longer project. You will be basically implementing the selected security measures documented in Risk Treatment Plan. The list below presents some examples of the typical elements here.

Technological measures:

• introducing encryption for your HDD, server storage, cloud services (generally data at rest)
• introducing encryption for your communication channels (HTTPS, e-mail, and so on)
• monitoring your Information Communication Technology (ICT) infrastructure
• making and testing the backups of your systems at regular intervals
• testing your security measures, ICT infrastructure, and effectiveness of the system

Organizational measures:

• defining Roles and their responsibilities
• introducing policies about personal data security
• if needed, creating Standard Operating Procedures for the execution of personal data security activities
• handling and processing any events and security accidents

Contractual measures:

• providing information to individuals about their personal data processing
• signing contacts with personal data processors
• updating contracts with your employees in the scope of personal data processing
• managing users’ consents

Protect personal data in operations

The goal of this step is to make sure that all activities around keeping your systems are safe and operations are in place. In the GDPR know-how set, the process describing that is called Operations Management Process. In practice, once you have defined your Information Security Management System, that is the most important process on a technical level. You will prepare the Operations Management Plan on a quarterly basis, define the tasks to be accomplished and assign the person in charge of their execution. Usually, the IT System Administrator will be engaged in such activities. Within the Operations Management Process, you will be also implementing the risk controls from the approved Risk Treatment Plan.

Review security of personal data

The goal of this activity is to monitor and review the effectiveness of your Information Security Management System vs. personal data privacy objectives. The review can be achieved with the help of such elements as:

1. ICT Infrastructure Monitoring
2. Checking if all tasks from Operations Management Process have been completed
3. Audits on both technological and organization levels
4. Overview of security incidents handling
5. A yearly management review meeting

The management review meeting is recommended to be held at least once a year. Top Management should be then presented with a bird’s-eye view of the Information Security Management System as well as with the recommendations for the next year changes/updates. This way, the organization assures the fit-for-purpose of its Information Security Management System.
After the review, the whole cycle should start again, but with the focus on maintaining and keeping your ISMS up-to-date.

GDPR Summary

These are all the steps required to define and implement GDPR-compliant Information Security Management System in your organization. If you would you like to learn more about how to do it, please refer to our Know-how set: GDPR – General Data Protection Regulation which is the first of the given steps required to implement ISMS in your organization.