
A Risk Manager's Guide To The General Data Protection Regulation (GDPR)

Introduction
The General Data Protection Regulation (Regulation (EU) 2016/679), or the GDPR, was adopted
to strengthen and harmonise the European Union's (EU) rules and practices for the protection
of personal data.

While the GDPR was proposed in 2012 and adopted in 2016, it applies from 25 May 2018, and
organisations must be fully compliant by that date.

The GDPR applies to all organisations established in the EU, and to organisations outside the
EU that either offer goods or services to individuals in the EU or monitor the behaviour of
individuals in the EU (which covers most internet-based organisations). All such organisations
must put in place appropriate technical and organisational measures to ensure that personal
data is used only for its intended purpose and kept secure.

If an organisation does not comply with the GDPR, it could face a maximum fine of
€20,000,000 or 4% of its total worldwide annual turnover (revenue, not profit), whichever is
greater. Controllers and processors involved in the same processing of personal data are now
jointly and severally liable for damage caused by that processing, so an organisation can be
held liable for the whole of the damage even if it is only processing the data on behalf of
another organisation. These staggering penalties are one of the reasons why the GDPR has
caused such a stir in boardrooms across the EU.

Risk managers in particular have a vested interest in ensuring their organisations are
prepared for the GDPR, which is why we created this guide. In it you'll find:

A history and background of the GDPR.

A number of noteworthy compliance indications.

Six proactive methods you can use to prepare for the GDPR.

How BitSight can help your organisation prepare for, and maintain compliance with, the new regulation.

www.bitsighttech.com 1

History & Background Of The GDPR
The GDPR evolved from the 1995 Data Protection Directive. "While the Data Protection
Directive laid the foundation for a great deal of the GDPR, it was put into place during
a time with significantly reduced processing power from today," explains Julian Parkin,
founder of Parkin Avacade. A 2015 study from The Office for National Statistics shows
that the internet was accessed every day or nearly every day by 78% of adults in Great
Britain that year, compared to only 35% in 2006. While directly comparable records
between 1995 and 2017 are not available, this statistic gives an indication of just how
much times have changed.

The Data Protection Directive established the principle that individuals retain rights over
their personal data even after they have entrusted it to an organisation. (There is no
equivalent general principle in U.S. federal law; when American companies obtain data, they
have more flexibility over what they do with it.) Further, where processing is based on
consent, individuals in the EU have the right to withdraw that consent at any time, and
organisations must then stop the processing that relied on it.


Breaking Down GDPR Compliance Implications

There are 99 articles within the GDPR, ranging from general provisions to the
responsibilities of the controller and processor to cooperation with the supervisory
authority, and more. The bullets below indicate a sample of the more noteworthy articles:

Articles 12-23: If an individual requests access to their data or requests that their
data be erased from a company's records (the right to erasure, also known as the "right
to be forgotten"), the controller must act on the request without undue delay and in any
event within one month; that period can be extended by two further months where requests
are complex or numerous, provided the individual is told why within the first month.

Articles 24-43: Organisations must be able to demonstrate that they understand the
personal data they hold, how they use it, and how they safeguard it (the accountability
principle). Therefore, organisations must maintain, document, and enforce data protection
policies and procedures, and keep records of their processing activities.

Articles 28 and 32: Controllers may only use processors that provide sufficient guarantees
of appropriate technical and organisational measures, and must bind them by contract
(Article 28), so rigorous due diligence is required before sharing personal data with
vendors. Both controllers and processors must implement security measures appropriate to
the risk, such as pseudonymisation and encryption of personal data, and must regularly test
and evaluate their effectiveness (Article 32).

Article 33: If a personal data breach takes place, the controller must notify its
supervisory authority within 72 hours of becoming aware of it, unless the breach is
unlikely to result in a risk to individuals; a processor must notify the controller without
undue delay. Where the breach is likely to result in a high risk to individuals, Article 34
also requires the controller to inform the affected individuals.

Articles 37-39: Certain organisations that process data, including public authorities and
organisations whose core activities involve large-scale monitoring or large-scale processing
of special categories of data, must appoint a Data Protection Officer.

Article 3: Any organisation anywhere in the world that processes the personal data of
individuals in the EU in connection with offering them goods or services or monitoring their
behaviour, not only organisations established in the EU, must comply with the GDPR.

Articles 44-50: Personal data may only be transferred outside the EU on the basis of an
adequacy decision, appropriate safeguards such as standard contractual clauses or binding
corporate rules, or one of a limited set of derogations.


Given the articles listed above (and the dozens of others in the GDPR), organisations need
to understand the personal data they have access to and how they use it, and must track and
monitor the controls they have in place as part of their overall GDPR compliance programme.

Has your organisation checked off some of the following tasks to begin preparing for
GDPR compliance?

Establish a programme of work that covers the construction of a coherent inventory of
your processes that relate to personal data.

Create a privacy impact assessment and data map.

If applicable, ensure the information and the consent language you provide to your
customers is transparent, clear, unambiguous, and written in plain language.

Outline a plan for compliance with the more complex rights of the data subject,
including the rights of access, rectification, erasure, restriction of processing,
data portability, and objection.

Have a process by which you risk-assess your own data.

Have an understanding of where and how you share personal information with
third parties, and ensure that you have the correct contracts in place with these
processors to comply with laws.

Assess your information security programme as it relates to personal data, including
third parties you share such data with.

Establish a mechanism to identify if, when, and where any breach takes place and
how you will handle it.


6 Proactive Ways To Begin To Prepare Your Organisation For The GDPR

1. Find technology solutions and helpful resources that will help you solve GDPR-related issues.

The marketplace is now saturated with tools being relabeled as GDPR solutions.
While many of those tools may serve an important purpose, they will only be useful if
you have a vision of how the tool can help your organisation to manage privacy and
data risk.

GDPR compliance is a complex undertaking that will impact every department, including
legal, compliance, privacy, finance, and others. Therefore, organisations may need to
integrate multiple technology solutions, as well as update internal processes and
procedures, to comply.

"Be forewarned," explains Parkin, "the marketplace is now very stretched, so
identification of experienced consultants who know how to help your organization
implement the correct technologies and controls is challenging. Because of this, it's
very likely many organizations will still be putting controls in place after the 25 May
deadline in 2018. Still others will not take the criticality of these controls seriously until
the first major fines hit a few unfortunate companies."

To avoid this, do everything in your power to find someone who understands the
GDPR, has a proven track record of implementing solutions, and can articulate a clear
vision to meet the implementation deadline.


2. Create an in-depth plan for third-party risk.

The GDPR signals a fundamental shift in an organisation's obligation to proactively
demonstrate compliance: organisations are now answerable for what their vendors do with
their customers' personal data. If your organisation chooses to share customer data with
any other organisation, you must be able to show that the organisation can be trusted to
protect it. The legal and financial ramifications can be enormous if you cannot.

If you have yet to audit your current vendors, now is the time to do so. You may need to
revisit your contractual obligations to put data processing agreements or model clauses
in place, and put in place a plan to regularly evaluate your third-party vendors.

3. Modularise your GDPR programme.

"The GDPR is clearly complex, so the best way to get after it is to break it down into
components," explains Ewen O'Brien, EMEA Sales Director at BitSight Technologies.
"For example, information security is one area you'll need to focus on, and you'll need
to create a clear statement of security standards and the risk associated with the
volume and sensitivity of the data you're handling. This statement must cover your
own organisation but also must be clear on what you demand of your third and fourth
parties."

4. Begin your GDPR compliance programme by addressing the vast majority of the GDPR that is clear, not the small minority of it that is not.

According to a June 2017 poll by Spiceworks, 37% of respondents listed their top
concern with the GDPR as a lack of clarity regarding the steps necessary for GDPR
compliance.

However, picking apart the nuances of topics that may not be clear in the GDPR articles,
such as exactly how individuals will exercise their data portability rights, may not be the
best place to spend your time and energy. Instead, begin your compliance programme by
focusing on the pieces of work you can start today to ensure your organisation, and your
vendors, are compliant before the deadline.


5. Ensure you have appropriate security controls in place for your data.

The only way to guarantee a bank is never robbed is to close it, boarding up the doors and
windows. Similarly, the only surefire way to prevent the loss of personal data is never to
collect, use, or share it. But of course, that is not practical. There will always be
unforeseen circumstances that lead to breaches. The best thing you can do is put in place a
strong security and compliance programme and reduce the likelihood and impact of data loss
as far as possible. One aspect of an effective security and compliance programme is the use
of robust security metrics.

6. Use quality metrics to support your decisions and demonstrate your progress.

One of the key things your organisation should endeavour to do early in the compliance
process is to define and institute metrics around the uses of your data within the control
environment you've established. The more you can automate and systematise the
gathering of these metrics, the better: you can then return to the same metrics over time
to evaluate progress and to evidence it to regulators. Using a system like BitSight Security
Ratings enables you to understand objectively how your cybersecurity measures, and those of
your vendors, are performing.


How BitSight Can Help With GDPR Preparation & Ongoing Compliance

BitSight Security Ratings are a critical component in evaluating your organisation's
security measures, as well as the security measures of your vendors. "Using externally
observed, objective data, Security Ratings provide quantitative evidence of the
existence or failure of security controls inside an organisation. Using BitSight, you can
observe a variety of indicators of compromise, vulnerabilities, unpatched systems, and
other indicators of poor security performance," explains Jacob Olcott, VP of Strategic
Partnerships at BitSight.

Consider these four specific examples of how BitSight can be an important part of
your GDPR compliance programme:

Security officers can use Security Ratings to gain visibility into their own organisational
performance and identify areas to improve. They can also evaluate the performance of
tens, hundreds, or thousands of vendors. This is visibility at scale.

Under the GDPR, organisations have 72 hours from becoming aware of a breach to notify their
supervisory authority. Security Ratings help you work with your vendors to reduce the
likelihood that a breach impacting your personal data will occur in the first place.

Under the GDPR, both organisations and their vendors carry significant liability. Security
Ratings provide the automated, objective measurements your organisation needs to
demonstrate an understanding of your vendors' technical controls. The platform can
also be used to interact with your vendors, helping them to improve their security posture
over the lifetime of your business relationship.

To comply with the GDPR, organisations must keep records of their processing activities
(Article 30), including the categories of recipients of personal data; in practice this means
a data map that lists every organisation with access to their customers' personal information.
BitSight Discover can cut down the time spent on this task by surfacing many of those vendors.

Compliance with the General Data Protection Regulation is a complex challenge, but
BitSight Security Ratings and Discover tools can accelerate your programme and make
this challenge easier.

Begin Your Free Demo

www.bitsighttech.com
