Boyan Yanchev, Chief Technology Officer, Lirex: Lack of Best-Practice Documents Turns Impact Assessment into a Challenge

The interview was published in Business Connect magazine, Sept.-Oct. issue

-What kind of challenges do you see in applying the General Data Protection Regulation (GDPR) to the corporate and public sectors in Bulgaria?

-The challenges with applying this new EU regulation mostly arise from the fact that, as with every new thing (regulation, directive or law), it requires time and effort for organizations to understand exactly how, in very practical terms, it affects them. Considering the severity of the penalties (4% of annual worldwide turnover or up to 20 million euro), compliance is something that cannot be neglected. At the same time, though, there are no best-practice documents yet, no precedents to bring clarity, not many how-to-implement guides or any other such supporting materials. In other words, the approach to making an impact assessment is a challenge in itself.

The GDPR impact assessment is further complicated by the fact that, roughly speaking, it has to include two parts, a legal one and a technical one. The technical part pertains to the organizational systems and processes for protecting the collected personal data. There are similarities here between the GDPR and ISO 27001 concerning data security, so there is a foundation on which to build. However, there are new requirements to consider, the right to be forgotten for example. The second part, the legal part, pertains to a completely different aspect of the organization. It is primarily focused on people's consent regarding the collection and distribution of their personal data.

Overall, these are the challenging aspects of applying the GDPR. If we attempt to make a list, we would also include the following:

  • Budgeting: the difficulty of making an accurate budget due to the introduction of some completely new requirements, such as citizens' new right to receive their personal data in a structured, commonly used and machine-readable format, or the already mentioned right to be forgotten.
  • Reorganization of some entirely internal processes, such as paper-based registers and data storage, to ensure proper protection of information that is stored on paper (for example, the paper-based visitor registers that are common practice in some organizations).
  • Resource distribution (finances, people, time): besides the usual difficulties with allocating enough people and time, there is a new requirement for a Security Officer.
  • Changes in the rights of citizens (data subjects) in terms of the purpose of data processing, categorization, recipients and data retention.
  • Necessity of top-level management involvement, something necessary for the introduction of any organizational change.

-What is the effect of the change in practical terms for companies and clients? Is the regulation more for the benefit of citizens?

-The main objective of the GDPR is to harmonize the EU data privacy regulations among the member states. It will definitely raise the privacy bar to a new level. Eventually, this would be much more beneficial for citizens, as their personal data will be protected more strictly regardless of the physical location of the organization. Citizens in each member state would have equal rights everywhere, and a practical benefit for them would be knowing that their rights are not being violated by organizations, regardless of the state of incorporation.

For companies, one of the effects would be in applying the same set of internal rules, procedures and processes in all their business units regardless of their location.

Another important effect would be that the storage and management of personal data on legacy systems and paper hard copies will start to decrease and eventually, probably, disappear completely, due to the higher security management costs and the greater effort required to secure them.

-What stages should a company go through to prepare, and to what extent will the business be hampered by the new regulation?

-From a technical standpoint, the preparation phase for complying with the GDPR is just the initial step of the data protection lifecycle, which is actually a cyclical process comprising four phases: Prepare, Protect, Detect, Respond. These can also be divided in two: what we should do to apply the regulation, and what we should do after that.

The Preparation phase must include:

  1. Perform a gap analysis: identify to what extent the policies already implemented in the company cover the GDPR requirements
  2. Identify what personal data the company has and where it resides

Based on the above analysis, an organization starts the implementation phase, the Protect phase, whose main objective is to secure personal data everywhere:

  1. Establish processes and prepare procedures to govern how the identified personal data is used, stored, accessed and deleted;
  2. Establish security controls to prevent and detect vulnerabilities and data breaches.

The organization should further work on the Detect processes (breach monitoring, detection and prevention with tools such as regular penetration tests) and the Respond processes, to ensure incident response planning and reporting policies compliant with the GDPR requirements. After that, if for some reason there is a security breach, the process starts all over again with analysis of the situation, implementation of corrective measures and so on.

-How will the people's "right to be forgotten" be applied in practice and harmonized with the public interest?

-The conditions for erasure under the people's right to be forgotten include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. This right requires controllers to weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.

The technical application of this right has some initial requirements that have to be met. Some of them include:

  • Preparing and strictly following a proper data retention policy and matrices;
  • Preparing processes and procedures to erase data when customers ask to exercise their 'right to be forgotten' and withdraw their consent to the storing or use of their personal data. When a third party is involved in the process, be sure to have clear instructions on how to inform the third-party controllers that are processing the personal data about the data subject's request.

Inevitably, database and tool improvements will have to be made in terms of data protection where applicable. Last but not least, awareness training of personnel and of the Data Protection Officer has to be carried out.