I'm going to start this two-part series with some definitions. Part 1 will define and describe actions you may need to consider taking to be compliant with the GDPR. Part 2 will delve deeper into some of these thoughts and provide examples that may help.
First, the GDPR, which stands for the General Data Protection Regulation. In May 2018, compliance with this data privacy law will be required for anyone handling the personal data of European Union (EU) residents.
Next, the European Union. The EU is a political union that envisions common economic, security, foreign and justice policies. It's based on the Maastricht Treaty (signed in 1992). Countries in the EU consist of the following 28, with the UK moving off the list later (due to Brexit):
- Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Lativia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK (for now).
Countries not in the EU consist of the following 14 (not counting the UK):
- Albania, Armenia, Belarus, Gibraltar, Iceland, Kosovo, Lechtenstein, Macedonia, Norway, Russian Federation, Switzerland, Turkey, Ukraine, Vatican City State. (The UK will be added to this list later.)
What do the new GDPR regulations encompass?The GDPR requires an organization-wide focus on the handling (and reporting) of personal data. That could mean deleting this same personal data when required and then reporting that the action was completed. Deleting the data may entail data stores as well as logs and any hard-coded records or streams of data.
Compliance could affect any organization that stores or processes any EU customer and/or employee data.
What is personal data?
Personal data can include any data that resides in any data store (structured, unstructured, data streams, logs, etc.) that could be used to put together information about a real person. Personal data could include address, location (hello smartphones!), name, birth dates, any identification numbers, income information, etc. This data could be static or in action for processing.
While we don’t want to run around screaming “The sky is falling,” we do want to consider some action steps for personal data protection:
- Assess your current data management practices in relation to the GDPR. Are these practices in compliance with GDPR, or do you need to ramp up a bit? For example, consider extending reporting capabilities to show audit and compliance information, based on requirements.
- Assess your current governance and security programs in light of the GDPR. In some cases, current governance practices may not include every data store for the organization – but they should. Consider temporary stores of data too, like staging tables and temporary files. Security must include access and integration with any EU personal data, provided in a reportable fashion. Security must show:
- Who accessed the data for READ.
- Who pulled certain data elements for use in a downstream process.
- Proof that EU personal data was deleted from all involved data stores.
- Identify personal data within your organization (as stated in number 1) in a reportable fashion. This could tie in nicely with auditing scenarios.
- Identify all data stores and data flows that use any EU personal data for processing or reporting. Also, the reports must be documented, because they are part of the entire flow of data.
- After gathering all this information or ramping up existing technical information, you might want to consider both internal and external auditing scenarios. Practice does make perfect!
- Recognize that long-term incident management will need to be maintained and reported.
Part 2 of this series will dive a bit deeper into these areas and will suggest some considerations for your organization as you move forward with the GDPR for EU personal data.Download a paper The GDPR: What It Means and How SAS Data Management Can Help