With the General Data Protection Regulation in effect, most data managers have gone through the basics of setting up policies and processes to maintain compliance. The new regulation threatens hefty fines for violations, so it's a good idea to take a step back and build a GDPR checklist for data uses and processes that may have been ignored.
Important items include inventorying department business processes, automating GDPR queries and preparing for a data breach. It's also important to evaluate partner practices.
In addition, data managers should determine if personally identifiable information (PII) is transferred between company departments across European Union (EU) borders.
1. Inventory business unit data
A whole world of data lives outside relational database management systems (RDBMS) in enterprise systems. Data managers might consider adding individual department check-ins or companywide meetings with department managers to create a GDPR checklist.
"These systems are often conducted at the business-unit -- not enterprise -- level, making them more difficult to track and inventory," said Greg Reid, managing director and information privacy leader at BDO USA in Boston.
Some of these systems include shared drives, SharePoint, Box, Dropbox, Egnyte, Livelink, Documentum and, of course, email. These systems and technologies are not exempt from the GDPR and may contain a significant amount of PII. Thus, they can't be ignored by the data manager, Reid said.
2. Automate queries
The activities associated with data subject rights (DSRs) outlined in detail within the GDPR have direct implications for both the data architectures and the data processing activities within the RDBMS technologies.
Data managers should develop SQL reporting and query capabilities to support DSR requests as part of their GDPR checklist. These are not built into many systems. Therefore, data managers must integrate these queries into their systems or streamline the ability to do it manually through ad hoc SQL calls.
Data managers also need to think about the implications of referential integrity when deleting data records.
"It's not just conducting certain DSRs on certain systems; it's conducting those DSRs on the systems in a particular order to avoid invalid backward lookup SQL calls," Reid said.
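As an added example (not from the article, BDO or any product), the ordering problem Reid describes, shown with Python and SQLite: with foreign-key enforcement on, deleting a customer row before the orders that reference it is rejected, so the erasure routine derives a child-first deletion order from the database's own foreign-key metadata and runs the deletes in one transaction. The schema, sample rows and the SUBJECT_ROWS predicates are constructed for the illustration.

```python
import sqlite3

# Constructed sample schema (not from the article): the data subject is a
# customers row; orders and order_items reference it through foreign keys.
SCHEMA = """
CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT);
CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id REFERENCES customers(id));
CREATE TABLE order_items(id INTEGER PRIMARY KEY, order_id REFERENCES orders(id));
INSERT INTO customers VALUES (1, 'alice@example.com'), (2, 'bob@example.com');
INSERT INTO orders VALUES (10, 1), (11, 1), (12, 2);
INSERT INTO order_items VALUES (100, 10), (101, 11), (102, 12);
"""
SUBJECT_ROWS = {  # hypothetical: each table's predicate for one subject's rows (? = id)
    "customers": "id = ?", "orders": "customer_id = ?",
    "order_items": "order_id IN (SELECT id FROM orders WHERE customer_id = ?)"}

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only if asked
    conn.executescript(SCHEMA)
    return conn

def deletion_order(conn):
    # Topological sort over the FK metadata: a table is deleted only after
    # every table that still references it has been handled (children first).
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    parents = {t: {r[2] for r in conn.execute(f"PRAGMA foreign_key_list({t})")}
               for t in tables}
    order = []
    while len(order) < len(tables):
        ready = [t for t in tables if t not in order and not any(
            t in parents[u] for u in tables if u not in order and u != t)]
        if not ready:
            raise ValueError("cyclic foreign keys; erasure needs a manual plan")
        order.extend(sorted(ready))
    return order

def parent_first_fails(conn, subject_id):
    try:  # deleting the customers row while its orders exist violates the FK
        conn.execute("DELETE FROM customers WHERE id = ?", (subject_id,))
        return False
    except sqlite3.IntegrityError:
        return True

def erase_subject(conn, subject_id):
    # Child-first deletes inside one transaction: all of the rows go, or none.
    with conn:
        return {t: conn.execute(f"DELETE FROM {t} WHERE {SUBJECT_ROWS[t]}",
                                (subject_id,)).rowcount
                for t in deletion_order(conn) if t in SUBJECT_ROWS}
```

The returned per-table row counts double as the evidence record for the erasure request; Bob's rows are untouched because every predicate is keyed on the one subject id.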
3. Prepare for a breach
Even with the most robust security measures, hackers are constantly finding new ways to breach systems. A good practice is to understand and inventory all the data and data processes in the organization. This includes RDBMS and non-RDBMS systems, such as email, document management and web content systems.
It's important that EU-based legal counsel review the data, content and process inventory to determine which of the data elements are subject to GDPR breach protocols. This should be done before a breach occurs, as there is a 72-hour requirement to report certain breaches.
4. Audit partners
Data managers should include a survey of their business partners in a GDPR checklist. Data that has been sent to the company's vendors and sub-processors also falls under the GDPR obligations for data managers. The company that controls the data is also accountable to a certain extent for how the information is managed by third-party vendors.
Organizations engaging processors or sub-processors that receive personal data are required to work only with those organizations that can meet certain responsibilities with regard to GDPR compliance. These include timely breach notification, a guarantee to delete or return data at the end of the contract, an agreement to process data only under written instruction, and an agreement not to transfer the data onward without the controller's written permission.
"Many organizations have failed to examine existing data processing contracts to ensure that these terms are adequately captured," said Paul Sonntag, director of commercial services, GDPR at Coalfire, a cyber-risk management service.
Implementing strong vendor management practices has never been more important than with GDPR, as the regulation includes provisions for shared liability between controllers and processors in the event of a breach or unlawful data processing.
Organizations should take a careful look at all their service contracts that include the transfer of personal data and ensure that only those vendors that can meet their regulatory responsibilities are retained. Contracts and vendors should be re-evaluated on at least an annual basis.
5. Consider internal data transfers
Data managers should also evaluate internal data transfers across different offices as part of a GDPR checklist. The regulation requires organizations to maintain records of data processing activities, which includes a description of any data transfers.
"We have a number of clients who have neglected to consider data transfers within their own organization when the organization has business units both in Europe and the U.S., and the data is being transferred between them," Sonntag said.
It's important for managers to develop and maintain a detailed understanding of what data is being collected and processed within the organization and where it is being transferred, even when those transfers don't necessarily involve a third party. Every major use case involving personal data should have a corresponding data processing record, and all transfers should be recorded.