Passing new legislation inevitably requires change, and GDPR is no different: it alters both the way data is processed and the protocols that must be followed. IT security teams predominantly control and manage an enterprise's network infrastructure and operations. But as GDPR fast approaches, who will be responsible for ensuring that data compliance is met?
Responsibilities – Who looks after the data?
Organizations should be made aware that under GDPR, the rules are clear: they will be held accountable for the security of their own data. Therefore, IT teams and data controllers, with the help of a Data Protection Officer, need to converge and implement a data security solution that will meet these strict compliance requirements.
The role of the DPO
Article 37 of GDPR created a statutory position called the Data Protection Officer (DPO), whose main responsibility is to guarantee data security and ensure that GDPR compliance is met. Organizations that control or process data are required to have a DPO, in particular in the following circumstances: where the processing is carried out by a public authority or body; and where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale.
Whether or not an organization requires a DPO depends on the extent of its data processing operations and whether they fall within the remit of Article 37.
Recruiting a DPO could be one of the most important appointments an enterprise makes, as her primary concern is to protect data and enable full compliance with GDPR. She will also be motivated to help the enterprise avoid potential fines of up to 4% of the organization's global revenues. The DPO will monitor the implementation of data protection policies and processes and ensure that all staff are fully educated and trained with regard to protecting data. She will also be charged with communicating and cooperating with the supervisory authorities on issues related to the processing of personal data. This includes notifying the necessary authorities about any personal data breaches, as well as documenting public and regulators' requests regarding the removal, destruction and accessibility of data.
This does not mean the DPO will work alone. Far from it. The enterprise's IT, legal, risk and compliance teams must essentially become the guardians of the business and the data it stores. This is no longer just an IT data security issue but, instead, a matter of compliance.
Encryption can help reduce the scope of GDPR
Encryption and tokenization are ideal defense methods because they protect each piece of Personally Identifiable Information (PII), rendering it useless to anyone without possession of the key to decrypt it. If the data is securely encrypted, with the organization as data controller maintaining full control over the encryption keys, the organization retains absolute authority over that data and is relieved of worries about third-party or external access.
Furthermore, should a third-party data processor, in the cloud for instance, be breached while the data controller organization remains in full control of the encryption keys, the controller can avoid reporting the incident to the authorities. This is because the data is unreadable outside the controlling organization, and the company can avoid fines altogether.
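As an added illustration of the controller-held-key model described above (example code written for this page, not from the article or any vendor it describes), the following Go code encrypts one PII field with AES-GCM under a key that only the controller holds; the processor stores just nonce and ciphertext, and the record ID and field name are bound as authenticated data so a stored value cannot be moved between records or silently modified. The record ID, field name and sample value used with it are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm builds an AES-GCM AEAD from the controller's key (16, 24 or 32 bytes).
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProtectField encrypts one PII field value under the controller's key and
// returns nonce||ciphertext, which is all the processor ever stores. The
// record ID and field name are bound as additional authenticated data, so a
// ciphertext moved to another record or field is rejected on decryption.
func ProtectField(key []byte, recordID, field string, value []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := []byte(recordID + "/" + field)
	return aead.Seal(nonce, nonce, value, aad), nil
}

// UnprotectField reverses ProtectField; it fails with a wrong key or if the
// stored bytes, record ID or field name were altered.
func UnprotectField(key []byte, recordID, field string, stored []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < aead.NonceSize() {
		return nil, errors.New("stored value too short to hold a nonce")
	}
	nonce, ct := stored[:aead.NonceSize()], stored[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID+"/"+field))
}
```

A processor that is breached exposes only the output of ProtectField; without the controller's key, UnprotectField cannot recover the value, and any change to the stored bytes or to the bound record ID is detected rather than decrypted.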
In the next and final instalment of the Getting to Grips with GDPR series, we'll look at why not all encryption options are created equal and what enterprises need to look for in solutions in order to comprehensively meet compliance regulations.
EU GDPR: The Essential Facts at a Glance - Series:
Part 4: Responsibilities – Who looks after the data?