Join David Booth for an in-depth discussion in this video Securing data and preparing for breaches, part of GDPR for Marketers.
- According to a 2017 IAPP survey, the number one overall riskiest obligation organizations are worried about complying with is preparing for and handling data breaches. It's not that surprising that this is an issue, with the now common headlines of global corporations being hacked and personal data being stolen, and less surprising that it's an issue the GDPR addresses. For most organizations, putting in place a plan to deal with a breach of personal data means another item on the GDPR readiness checklist, and there are some key items to be aware of.
First, this applies to both data controllers and data processors. If you're acting as a data processor and you become aware of a personal data breach, the GDPR states that you'll need to notify the controller without undue delay. This phrase is used in a few places around the GDPR, and it's yet to be determined exactly what that means, but the intent is clear. You should be doing this as quickly as you're able. Once a controller has become aware of any breach, it must report this breach to the GDPR supervisory authority as fast as is feasible, and within the time limit of 72 hours.
The controller also has to inform data subjects of the breach whenever it's likely to risk an impact on their rights and freedoms, and again, do this without undue delay. Beyond reactionary measures once a breach has been detected, the spirit of protecting the consumer is extended through the GDPR to aspects of data security. Organizations will need to take measures to ensure that the personal data being collected is handled and stored securely. From an access and governance perspective, this means putting in place different roles with different levels of access to personal data.
It means encryption or hashing of any identifiers linked to all the various accounts that may exist, and anonymizing or pseudonymizing any personal details. And it's important to note the difference between anonymization and pseudonymization. Let's take a quick example. Let's say you're selling a number of different products and you want to understand purchasing behaviors. If you were to look at a list of all the products you sell and every buyer was made anonymous, you would essentially just have a long list of products sold and you wouldn't be able to do much analysis with respect to the purchasers.
If we were to pseudonymize the data, however, we can enable some analysis without linking anything back to personal attributes. Without having to use any personal data, we can clearly see that products C and D tend to be purchased together, so we may want to try bundling these products or recommending one when the other is in the shopping cart, for example. This kind of analysis is very helpful in running our business, and we don't need to collect or use personal data in order to accomplish it. Remember, a value is considered pseudonymized only if it can't be linked back to any other data set and as a result be made known, so make sure you're not using customer IDs or anything like that.
Putting in place the updates, tools, processes, and procedures to secure the personal data you come in contact with, as well as responding to any breaches that might occur, is a central part of the GDPR, and to become compliant, you'll need to make sure that you can address these components.
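The anonymization versus pseudonymization example in the transcript, worked through in code. This is an added illustration, not material from the course or from David Booth: the purchase log, the product names and the key are constructed, and the pseudonymization method shown (an HMAC over the customer ID under a key kept separate from the analytics data) is one common way to implement the "hashing of identifiers" the transcript mentions, not a scheme the course prescribes. It shows that fully anonymized data loses the per-buyer grouping needed for co-purchase analysis, that pseudonymized data keeps it while holding no raw customer IDs, and why an unkeyed hash of a customer ID is not enough: anyone holding the customer list can recompute it and re-link the records, which is the risk the transcript warns about.

```python
import hashlib
import hmac
from collections import Counter
from itertools import combinations

# Constructed sample purchase log (customer_id, product); not real data.
PURCHASES = [
    ("cust-1001", "A"), ("cust-1001", "C"), ("cust-1001", "D"),
    ("cust-1002", "B"),
    ("cust-1003", "C"), ("cust-1003", "D"),
    ("cust-1004", "A"), ("cust-1004", "B"),
    ("cust-1005", "C"), ("cust-1005", "D"), ("cust-1005", "A"),
]

# Constructed demo key. In practice the key lives with the controller's
# security team, not alongside the data set handed to analysts.
KEY = b"constructed-demo-key-not-for-production"


def anonymize(purchases):
    """Anonymization as the transcript describes it: drop the buyer entirely.

    What remains is a flat list of products sold, with no way to tell which
    items were bought together by the same person.
    """
    return [product for _, product in purchases]


def keyed_token(customer_id, key=KEY):
    """Pseudonym for a customer ID: HMAC-SHA256 under a separately held key."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def plain_token(customer_id):
    """Unkeyed SHA-256 of the ID: looks opaque, but is reproducible by anyone."""
    return hashlib.sha256(customer_id.encode()).hexdigest()[:16]


def pseudonymize(purchases, tokenizer=keyed_token):
    """Replace each customer ID with a token. Same customer -> same token,
    so rows can still be grouped per buyer without exposing the ID."""
    return [(tokenizer(cid), product) for cid, product in purchases]


def copurchase_pairs(pseudonymized):
    """Count product pairs bought by the same (pseudonymous) buyer."""
    baskets = {}
    for token, product in pseudonymized:
        baskets.setdefault(token, set()).add(product)
    counts = Counter()
    for products in baskets.values():
        for pair in combinations(sorted(products), 2):
            counts[pair] += 1
    return counts


def top_pair(pseudonymized):
    """Most frequently co-purchased pair, e.g. the bundling candidate."""
    counts = copurchase_pairs(pseudonymized)
    return counts.most_common(1)[0] if counts else None


def relink(tokens, known_ids, tokenizer):
    """Re-identification check: given a list of candidate customer IDs,
    recompute tokens and see which ones in the data set can be linked back.
    A defender runs this against their own scheme; a non-empty result means
    the tokens are not a safe pseudonym."""
    lookup = {tokenizer(cid): cid for cid in known_ids}
    return {t: lookup[t] for t in tokens if t in lookup}


if __name__ == "__main__":
    print("anonymized:", anonymize(PURCHASES))
    print("top co-purchase pair:", top_pair(pseudonymize(PURCHASES)))
    ids = {cid for cid, _ in PURCHASES}
    weak = {t for t, _ in pseudonymize(PURCHASES, plain_token)}
    strong = {t for t, _ in pseudonymize(PURCHASES)}
    print("plain-hash tokens re-linked:", len(relink(weak, ids, plain_token)))
    print("keyed tokens re-linked:", len(relink(strong, ids, plain_token)))
```

The keyed tokens only resist re-linking for as long as the key stays out of the analytics environment; if it is stored next to the data, the result is no better than the plain hash. The transcript's own caveat still applies: even with tokens, a data set that can be joined to another one on some other column can be made identifying again.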
- Define “personal data.”
- Name three data subject rights provided by GDPR.
- Recall the steps that need to be taken to comply with GDPR.
- Explain “privacy by design.”
- Identify the responsibilities of a data protection officer.
- Recognize the steps required to audit your data and processes.