
Omada E-Book

PREPARE FOR THE EU GDPR


Reduce your Risk, and get Ahead of the
Curve with Omada’s GDPR Approach

The launch of the EU General Data Privacy Regulation is a game-changer for businesses. The new regulation introduces hefty fines for non-compliance, mandatory privacy impact assessments (PIAs), and common data breach notification requirements – prospects that will shift the risk associated with data protection towards increased board-level attention.

The regulation has extended the definition of personal data, bringing new types of personal data under regulation. Any organization that collects, processes, and stores personal data will be affected and will need to take action to become compliant in time.

This e-book provides a high-level guideline on how your organization can address the challenges posed by the GDPR and get ahead of the curve by following Omada’s two-phased approach. The approach provides best practices for implementing important changes to people, processes, and technologies so that your organization becomes GDPR compliant. By taking advantage of the impact the GDPR will have on people, processes, and technology, your organization can turn the data security challenges into competitive advantages.

www.omada.net
info@omada.net © 2017 Omada A/S
OMADA E-BOOK:
PREPARE FOR EU GDPR
The application of the EU General Data Privacy Regulation (GDPR) in May 2018 will increase the risk of
running a business dramatically, unless appropriate action is taken to meet the stringent compliance
requirements in due time.

THE RISK IMPACT OF THE GDPR


The GDPR introduces the following:

1. Heavy fines reaching up to 4% of your global turnover in case of non-compliance

2. Mandatory breach notification within 72 hours in case of data leaks, to all involved data subjects - the owners of the related data, meaning that the disclosure will go public and may result in severe reputational damage for the organization.

YOUR RESPONSIBILITY AS A DATA CONTROLLER GOES BEYOND YOUR OWN ORGANIZATION


Most organizations control personal data, which includes a vast amount of data types, such as employee records,
customer data, recruitment data, or data from websites.

Personal data includes any information related to a natural person (“Data Subject”) that can be used to directly
or indirectly, identify the person. It can be anything from a name, a photo, an email address, bank details, posts
on social networking websites, medical information, or a computer IP address etc. Special categories of data,
referred to as sensitive personal data, covers e.g. genetic data, biometric data, criminal records, or data from
systematic profiling of individuals on a large scale.

The storage and control of such data classifies the organization as a Data Controller. Data Controllers that control
EU citizens’ privacy data are not only facing the challenge of implementing sufficient security controls and policies
internally, but will also be liable for ensuring that any contractor or outsourced service provider who has access to
process the data, will do so in compliance with the regulation.

In other words, as a Data Controller, you are responsible/liable for the actions of everyone, including external
parties who process the personal data under your control. Such organizations are called Data Processors. Data
Processors include hosting companies, IT contractors, marketing agencies, payroll agencies, SaaS vendors, and
many other types of businesses.
[Figure 1: a diagram placing the Data Controller at the centre, with its responsibility extending to the surrounding Data Processors: SaaS Vendors, Hosting Companies, IT Contractors, Marketing Agencies, Payroll Agencies, and Other Third Parties]

Fig.1: Your liability as a Data Controller covers not only your organization’s data privacy compliance, but also the actions of external data processors and third parties.

HOW TO REDUCE THE RISK
The EU GDPR acknowledges that privacy data leaks may occur in all organizations, even within fully compliant
organizations who have taken all reasonable measures to protect data.

There is little acceptance of organizations not having taken appropriate measures, and the fines for severe security breaches can amount to up to € 20M or 4% of your global annual turnover. Fines can also be issued if an audit reveals you are not in compliance, even though you have not been exposed to a data breach.

However, if you are able to document that you have taken the required measures to protect data, the fines will
be significantly reduced, or may even be eliminated completely. Hence, your ability to document and prove the
appropriate level of compliance to authorities, auditors, customers, and collaboration partners will provide you with
a competitive edge and minimize your risk.

OMADA’S APPROACH TO GDPR COMPLIANCE


So where to start? The first step is to “Get in Control” in order for you to get to a situation where you “Stay in Control”. Consequently, Omada’s approach comprises two phases:
• A “Get in Control” phase and
• A “Stay in Control” phase

[Figure: the two phases, “Get in control” and “Stay in control”, each addressing the three dimensions People, Processes, and Technology]

How to ‘Get in Control’

Getting in control is all related to people, processes, and technologies. It enables you to take a great leap forward and demonstrate that you have started the journey towards becoming EU GDPR compliant by delivering on the first important step.

The “Get in Control” phase includes the following eight steps you should pursue to get ahead of the curve:

Eight steps to ‘Get in Control’:


1. Validate that the access to privacy data is aligned with the GDPR requirements and that the actual state of who has access to what is documented and clear

2. Ensure that all collected personal data is given to you under consent of the data subjects (persons)

3. Assign a Data Protection Officer

4. Conduct security awareness training within your own organization and for your data processors

5. Document your process for notification to authorities and individuals

6. Investigate if you are lacking technologies to cover the fundamental security requirements from a tech perspective

7. Review and update your Data Processor agreements

8. Establish a plan for the next phase: “Stay in Control”

EIGHT STEPS IN DETAIL TO GET IN CONTROL
1. Validate that access to privacy data is aligned with policies and that the access state can be documented

This step includes discovering, identifying and classifying in-scope systems, files and data repositories containing
GDPR data. It also includes producing an overview of who has access to what, and ensuring that only the right
users have access to the data they require to do their job.

The activities related to data discovery and classification are:

• Locate and list all internal as well as external repositories and data stores containing GDPR data
• Classify the repositories or places where GDPR data is stored, processed, and managed across the enterprise
• Identify in-scope GDPR data
• List and classify business processes that deal with GDPR data
• Assign data owners, system owners, process owners etc.
• Remove non-compliant access

If it is determined that your organization processes a special category of data called ‘sensitive personal data’, a
detailed privacy impact assessment (“PIA”) must be undertaken and documented.
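As an added example (not Omada’s code and not part of the original e-book), the following Python script shows what the “who has access to what” validation in step 1 can look like once the inventory exists: it takes the classified data stores with their assigned owners and approved roles, the identities known to HR, and the current entitlement export, then produces the access overview per GDPR-classified store and flags entitlements that should be removed or re-certified (orphan accounts, off-boarded users, access without a justifying role, and access not reviewed within the review period, which also serves the periodic review described under “Stay in Control”). Every store, user, role and date in it is constructed for illustration; the classification labels and the 90-day review period are assumptions, not values from the regulation or from Omada.

```python
"""Access-review check for GDPR-classified data stores.

Added example; all stores, users, roles and dates below are constructed
for illustration and do not come from the e-book or from any real system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass(frozen=True)
class DataStore:
    name: str
    classification: str        # assumed labels: "none", "personal", "sensitive"
    owner: str                 # data owner assigned in step 1
    approved_roles: frozenset  # roles whose job function requires this data


@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset
    active: bool               # False once the person has been off-boarded


@dataclass(frozen=True)
class Entitlement:
    user: str
    store: str
    granted_on: date
    last_reviewed: Optional[date] = None   # None means never re-certified


@dataclass(frozen=True)
class Finding:
    user: str
    store: str
    reasons: Tuple[str, ...]


def in_scope(stores):
    """Only stores holding personal or sensitive data are GDPR in-scope."""
    return [s for s in stores if s.classification != "none"]


def pia_required(stores):
    """A privacy impact assessment is needed once sensitive data is processed."""
    return any(s.classification == "sensitive" for s in stores)


def review_access(stores, identities, entitlements, today, review_period_days=90):
    """Return (overview, findings): overview maps each in-scope store to the
    sorted users holding access; findings lists non-compliant entitlements
    with reasons unknown_user, inactive_identity, no_approved_role,
    review_overdue."""
    store_by_name = {s.name: s for s in in_scope(stores)}
    ident_by_user = {i.user: i for i in identities}
    overview = {name: [] for name in store_by_name}
    findings = []

    for ent in entitlements:
        store = store_by_name.get(ent.store)
        if store is None:
            continue  # not GDPR data: outside this review
        overview[ent.store].append(ent.user)

        reasons = []
        ident = ident_by_user.get(ent.user)
        if ident is None:
            reasons.append("unknown_user")          # orphan account
        else:
            if not ident.active:
                reasons.append("inactive_identity")  # off-boarded, access left behind
            if not (ident.roles & store.approved_roles):
                reasons.append("no_approved_role")   # no business need
        baseline = ent.last_reviewed or ent.granted_on
        if (today - baseline).days > review_period_days:
            reasons.append("review_overdue")         # periodic re-certification missed
        if reasons:
            findings.append(Finding(ent.user, ent.store, tuple(reasons)))

    overview = {name: sorted(users) for name, users in overview.items()}
    return overview, sorted(findings, key=lambda f: (f.store, f.user))


# Constructed sample inventory (step 1 output) and entitlement export.
SAMPLE_STORES = [
    DataStore("hr-records", "sensitive", "hr-lead", frozenset({"hr"})),
    DataStore("crm", "personal", "sales-lead", frozenset({"sales", "marketing"})),
    DataStore("build-logs", "none", "devops-lead", frozenset({"engineering"})),
]
SAMPLE_IDENTITIES = [
    Identity("alice", frozenset({"hr"}), True),
    Identity("bob", frozenset({"engineering"}), True),
    Identity("carol", frozenset({"sales"}), False),      # left the company
    Identity("dave", frozenset({"marketing"}), True),
]
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "hr-records", date(2018, 1, 10), date(2018, 4, 1)),
    Entitlement("bob", "hr-records", date(2017, 11, 1)),  # never reviewed
    Entitlement("carol", "crm", date(2017, 6, 1), date(2018, 5, 1)),
    Entitlement("dave", "crm", date(2018, 5, 20)),
    Entitlement("erin", "crm", date(2018, 5, 15)),        # no identity record
    Entitlement("bob", "build-logs", date(2016, 3, 3)),   # out of scope
]


def run_sample(today=date(2018, 5, 25)):
    return review_access(SAMPLE_STORES, SAMPLE_IDENTITIES, SAMPLE_ENTITLEMENTS, today)


if __name__ == "__main__":
    overview, findings = run_sample()
    print("PIA required:", pia_required(SAMPLE_STORES))
    for store, users in overview.items():
        print(f"{store}: {', '.join(users)}")
    for f in findings:
        print(f"REMOVE/RECERTIFY {f.user} on {f.store}: {', '.join(f.reasons)}")
```

The overview is the documented “who has access to what” state the step asks for; the findings are the input to the “Remove non-compliant access” activity, and each reason names the process that failed (off-boarding, role alignment, or periodic review), which is what an auditor will want to see traced.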

2. Ensure that all collected personal data is given to you under consent of the data subject (the person)

EU GDPR requires that explicit consent is obtained from people when collecting their data. Consent under the GDPR requires clear affirmative action by the data subjects. Silence, pre-ticked boxes, or inactivity do not constitute consent. When collecting consent you must ensure that it is freely given, specific, informed, and provides an unambiguous indication of the individual’s wishes. Furthermore, consent must be verifiable.

This step involves validating that your organization has documented consent for all personal data you hold and deciding what data to keep. The records must include how and when consent was given.

You must also implement processes for a person to withdraw their consent at any time and a process to support the person’s “right to be forgotten” - making sure you securely delete data for which your organization does not have proper consent, or in case the person has withdrawn his or her consent.

3. Assign a Data Protection Officer (DPO)

This step includes appointing a DPO (Data Protection Officer) if your organization processes personal data (more than 250 individual persons) or performs high-risk processing of sensitive personal data.

DPOs are responsible for advising on and monitoring GDPR compliance, and for being the point of contact for
authorities.

4. Conduct security awareness training within your own organization and for your data processors

The GDPR requires “the appropriate data protection training to personnel having permanent or regular access to personal data.” The training should ultimately cover your organization’s privacy policy. The training on the policy should be practical and focus on three dimensions:

• Motivation: Why should people care?
• Definition: What is personal data?
• Responsibilities: What should people know about the way the organization handles privacy? What should people do in their jobs to protect data?

The training must be repeated annually, and records of who has completed the training and when must be maintained.

5. Document process for notification to authorities and individuals

This step includes putting a clear and effective process in place for handling data breaches.

As an example, your security breach management process must notify any data breach to the supervisory author-
ity within 72 hours of discovery, unless you can show that the breach is unlikely to pose any risk to individuals.
High-risk data breaches must also be notified to the individuals themselves, unless the data has been encrypted.
You will also be required to maintain a log of all data breaches.

Our recommendation is to develop and maintain a data privacy incident / breach plan including the following elements:
• Implement notification workflows of the breach to internal stakeholders, supervisory authorities, and potentially the individuals themselves
• Implement breach containment workflows, including suspending accounts or revoking the entitlements that caused the data leakage
• Implement forensics workflows for further damage limitation and investigation of the cause of the breach

6. Investigate if you are lacking technologies to protect the systems processing the personal data

We recommend that you methodically evaluate and document whether sufficient IT security technologies are in place to support the mandatory processes outlined by the GDPR and to ensure the data is safe from willful misuse by external and internal hackers.

7. Review and update Data Processor Agreements to handle liability

GDPR contains new requirements for contracts (Data Processor Agreements) with data processors, as well as
contracts between data controllers.

Each party should be categorized (as data processor or data controller) and contracts should be reviewed for compliance with GDPR.

The contracts shall include the transfer of legal liability to your data processors, to ensure your contractors or collectors are liable in case their inadequate protection of data causes you to be fined by authorities.

8. Establish a plan for the next phase: “Stay in Control”

Define a plan for the next phase, “Stay in Control”. The plan contains an overview of which remaining deliverables are to be performed for achieving continuous compliance with EU GDPR.

Phase 2 - Stay in Control:
After finishing the first phase, ‘Get in Control’, the “Stay in Control” phase brings you to a “Governance Level” of continuous compliance. When you are in control, you are able to dynamically manage and react in a timely and compliant manner when changes occur in relation to your customers, data, people, ownerships, and collaboration partners. In order to stay in control, you must ensure that adequate processes, people, and technologies are in place across your organization as well as towards your business partners and data processors.

Processes to implement/automate include for example:

• Establish identity lifecycle management processes - including processes for managing user access to privacy data when onboarding and off-boarding new employees and contractors
• Establish access management processes – documented access request, access approval, and access fulfilment processes
• Establish periodic review of user access rights to privacy data in order to ensure access is validated continuously
• Ensure continuous business alignment of access to personal data through efficient role and policy management
• Establish workflows for taking new systems or data stores into use to ensure timely GDPR classification of the systems
• Monitor user behavior and activity on processes, systems, and files containing GDPR data
• Periodic access monitoring, access auditing, and training review
• Automated notification to authorities and affected individuals
• Automatic blocking of accounts in the event of their being compromised

LEARN MORE
Omada is a leading provider of compliance solutions worldwide. As part of our offering, Omada provides a unique IAM
solution highly relevant for EU GDPR compliance.

Identity and access management (IAM) and access governance is a core discipline to achieve compliance with the data
security and access management aspects of the GDPR. Omada’s solution provides built-in best-practices to support a
range of processes that are important for EU GDPR compliance - to get in control and stay in control.

For additional information on how to “Get in Control” and how to “Stay in Control” and how Omada can assist you with
getting the results you need for each of these phases, please contact us at info@omada.net.

Disclaimer:
The purpose of this document is to provide an understanding of how organizations may address the technological challenges of the EU GDPR. The information in this document has been prepared with the greatest care. Omada cannot, however, assume any guarantee for the accuracy of this information in regard to the requirements introduced by the EU GDPR. The information provided in this document is not meant to be an exhaustive list of examples of how to achieve compliance with the EU GDPR. The intent is to analyze the EU GDPR from the identity and access management (IAM) perspective and demonstrate where IAM can help in achieving compliance with the regulation.

Omada is a market-leading provider of solutions and services for identity management and access governance. Omada enables organizations to achieve sustainable compliance, reduce risk exposure, and maximize efficiency. Omada’s solutions efficiently manage and control users’ access rights to applications and data - reducing IT costs and resource intensive administration processes.

Established in 2000, Omada has operations in North America and Europe, delivering solutions directly and via a network of skilled partners and system integrators. Omada is recognized as a trusted advisor and has provided advanced identity management solutions for organizations with some of the largest and most complex IT infrastructures in the world.

Download Gartner’s Critical Capabilities 2016 for IGA: omada.net/IGAreport
