The General Data Protection Regulation (or GDPR) is an EU regulation created in 2016, and its provisions have applied since May 25, 2018.
It contains 99 articles covering basic data privacy for all European Union citizens. This regulation requires businesses to protect the personal data and privacy of EU citizens.
Currently, many organizations rely on privacy shield agreements between them. These have privacy components and outline respective responsibilities. However, they are agreements rather than laws. Additionally, an organization can self-certify without any regulatory oversight. GDPR is a law enacted by the European Union parliament. It is the most comprehensive privacy regulation to date, and it has the backing of all EU member states.
GDPR is the result of four years of work by the European Union parliament, and it has specific requirements regarding the transfer of data and how that data is processed. It has three objectives.
The first one is control.
Each citizen must opt in and provide consent to how personal data is used and processed. Data subjects can revoke their consent at any time.
The second objective is trust.
This regulation wants to encourage long-term consumer confidence. It’s mainly about safety.
The third objective is simplicity.
Fragmented rules and legislation led to disjointed application by many organizations.
Organizations need clear visibility, understanding, and control over the data that they process. Through simplicity, the hope is to achieve a standard approach across organizations and industries. There have been several attempts to secure data, but GDPR is the most far-reaching and comprehensive regulation to date.
The objective of GDPR is to enable the safe transfer of data and to govern how it is processed.
In terms of organizations that are in scope, every organization doing business with the European Union is in scope, no matter their size or their industry.
In terms of data, any personal data that is being collected, analyzed, stored, et cetera, is included in this regulation.
As for the systems included, any system, whether it is automated or manual, will require data mapping and is included under this tenet.
In terms of exclusions, personal data that is needed by law enforcement, or for national security would not be covered under this regulation.
What makes someone unique, or makes them an individual?
Personal data is anything that can identify someone as a natural person.
Some examples include your name, or perhaps your location. Other examples may be an IP address or web browser cookies, because these can also help indicate who someone is or where they are. Additionally, data that is not personal data on its own can become personal data when it is combined with another data set.
Compliance is really about having mechanisms in place to protect data.
Note that there is no definitive definition of the word “reasonable” in this regulation, so organizations must be diligent about what is required. GDPR is designed to protect consumers and businesses, so the governing body may be stringent in enforcing this regulation to show the importance of its provisions.
What happens if you’re not ready by 25 May 2018?
There are levels of fines that can be assessed on any organization that is found to be noncompliant.
On the lower limit, a company can be fined two percent of its annual revenue.
Note that this is not net profit but total global revenue, or ten million euros, whichever is higher.
On the other end of that spectrum, companies can be fined up to four percent of their annual revenue or 20 million euros, again whichever is higher.
In 2017, TalkTalk was fined by the Information Commissioner’s Office for failing to protect customer data.
Specifically called out were their security failings. The breach was shown to have been preventable with the proper security mechanisms in place. Under the regulations at the time, the Information Commissioner’s Office fined TalkTalk 400 thousand pounds. Under GDPR, this fine could have been as much as 59 million pounds, which shows how impactful any fine under GDPR can be.
There are two primary groups of organizations covered under GDPR in terms of processing data: data controllers and data processors.
Data controllers have responsibility for control over personal data. They are, in effect, the data owners.
They have ultimate accountability for the safety of that data. One of the tasks a data controller is responsible for is ensuring compliance. They do this by processing personal data fairly. Those organizations must obtain data fairly and keep it only for its identified purpose. The data controllers must keep it safe and they must manage any processors they may use.
Data processors are engaged by controllers to obtain, analyze, and store data on the controller’s behalf. You can think of them as third party vendors, such as a managed service, or a software product. Data processors must act exactly as they are instructed by controllers.
They must protect the data as well. Processors must also obtain written permission to use any subcontractors in their data processing requirements.
Processors must also contribute to any compliance audits that may happen for the data.
When we look at them side by side, you can see that the data controller is the owner of the data, and the processor must follow the controller’s instructions. The data controller is responsible to EU citizens, whereas the data processor is responsible only to the controller.
The data controller must have technical measures and processes in place, but the data processor must commit to those security measures to protect the data.
Article 24 is important to understand, because it outlines the specific tasks a controller is responsible for in that role. There are four primary responsibilities outlined in Article 24.
The first is to have appropriate measures in place.
These are both technical measures and processes. Documenting those processes and measures can show an organization’s diligence. Be sure to put in audit mechanisms to be able to show those measures as evidence.
Next is to understand the data being processed.
A data mapping exercise will facilitate this. Understand what the organization has and why it has it. Additionally, understand the probability and impact of losing that data. This enables the organization to determine the appropriate measures based on the criticality of the data.
Third is to protect the data.
This task is based on the nature of the data or its criticality. An organization needs to have a policy and it needs to be communicated and readily available.
Finally, the fourth responsibility is to have a code of conduct.
This should also be a written policy. Additionally, it must adhere to Article 40 of the GDPR or an approved certification. Article 40 has 11 codes outlined in it. A few key clauses in Article 40 concern processing, legitimate interest in the data, and consideration of a data subject’s rights.
These four tenets are the core responsibilities of a data controller.
Article 28 is important to understand because it outlines the specific tasks a data processor is responsible for in that role. There are four primary responsibilities outlined in Article 28.
The first is to implement security measures.
How this is implemented depends on the nature of the data and how it is being handled. These can be technical measures or they can be process based.
Next is the use of subprocessors.
This happens when a processor outsources some part or all of the data processing to a third party. A subprocessor is bound by the same data protection obligations set out in the processor’s contract with the controller. The explicit consent of the controller is required in order for this to be lawful. Further, an additional contract is put in place for subprocessors with the appropriate clauses that apply.
The third tenet is that the processor must ensure there is a contract in place with the controller.
Some components to include in the contract are whose data is being processed, the categories of data subjects, which data is included, what it is, and how it is being used. The contract should additionally list the responsibilities of both the controller and the processor.
Finally, the processor must ensure they only process in scope data.
They should have records of their processing activity and logs to review. These logs can be used as evidence in case of an audit. It’s important to note that the processor can be considered accountable, just like the data controller if they violate any of these responsibilities.
These four tenets are the core responsibilities of a data processor.
An organization’s ability to conform to the GDPR lies heavily with the role of the Data Protection Officer, or DPO. Understanding what a DPO is will be critical to identifying the right person for the role.
Who needs a Data Protection Officer?
The regulation states that any controller or processor that requires regular and systematic monitoring of data subjects on a large scale needs a DPO. The DPO role is not always a singular role, in that it is not necessarily that person’s only job.
Most often, it depends on the size of the organization. Of important note is that the Data Protection Officer must report to the highest management level.
When appointing a Data Protection Officer, we have to look at their particular knowledge of data protection, but more importantly, their ability to fulfill duties. The DPO may be employed or contracted, but the DPO cannot be a temporary position.
How does lawful basis apply to GDPR? A lawful basis is a reason for processing data that is justified in law.
There are six bases for processing data under GDPR.
The first is consent. Consent is voluntary and can be revoked at any time by the data subject.
Next is contractual necessity, whereby an organization is performing processing to fulfill a contractual obligation to another organization.
Third is legal obligations that occur under European Union law. Note that this is specific to EU member states only, not outside of those countries.
The next basis is to protect vital interest. In other words: your data is private unless you are doing harm to yourself or to others.
Legitimate interest is next. This will be a compelling reason for businesses that work with one another and have to transfer data between each other.
Finally, there is public interest. Certain types of data gathering activities outweigh the freedom of individual data subjects for the greater good.
These are six bases for processing data. Knowing them ensures an organization is behaving in a lawful fashion.
European Union citizens have certain rights regarding their personal data. Having access to their data is covered in Article 15 of the GDPR. Controllers must allow data subjects to access their data on request. This is called a subject access request.
There cannot be a charge for these access requests. One exception is when a data subject makes too many requests, or the requests are excessive; in that case controllers are allowed to charge a reasonable fee.
Article 16 of the GDPR gives EU data subjects the right to rectify inaccurate data. This Article is likely to be used by many data subjects. Data subjects have the right to rectify data that is inaccurate or to have any incomplete data completed. This is done by providing a supplementary statement outlining the requested changes. The controller must also inform the data subject about any data that has been disclosed by a third party. Controllers have one month to respond to this request.
Article 17 of GDPR discusses the scenarios in which a data subject can request to be erased or forgotten. This is likely to be a highly used request. Article 7 of GDPR states that it shall be as easy to withdraw consent as it is to give it. Deletion is allowed when processing no longer has a lawful basis. Data can sit in storage after it is used, and some data subjects may want it deleted rather than left under someone else’s custody.
Article 21 covers the situations in which a data subject can object to processing of their personal data. Objection applies to processing based on legitimate or public interest. One situation included in objection is processing for direct marketing purposes. A data subject can object to this at any time.
Article 20 of GDPR discusses the rights of data subjects to transfer their data. Data subjects can receive their data and have the right to transmit that data to another controller without hindrance upon request. Data should be transferred anywhere it is technically feasible, without prejudice.
One consideration of the data subject’s rights is the timing controllers must consider when responding to a request. This consideration applies to all of the data subject’s rights. The controller has 30 days to respond to data requests. The response made by the data controller should be made in writing or by electronic means.
Article 33 of GDPR outlines the circumstances when and the timing for notification in case of a data breach.
The regulation outlines that if data subjects’ privacy rights are at risk, an organization is required to notify those citizens about the situation. If an organization, whether it is the controller or the processor, suspects a breach, it should first notify and engage its own internal teams. After engaging internal teams, an organization may need to communicate with external third parties depending on the incident.
If a business plans on making an insurance claim, or doesn’t know how to identify root cause, they should be prepared to engage the appropriate external parties to assist them.
GDPR outlines a 72 hour notification period. This period begins upon becoming aware of a potential incident impacting data subjects’ data privacy.
Having appropriate processes and runbooks that outline execution procedures is a core tenet of an organization’s ability to react to a data breach. A process is simply a series of actions or steps taken in a specific order. These processes can be automated or manual. They can be technical or not. The primary objective should be to standardize the process in a way that can be simply executed.
Once a process is standardized, an organization can create a runbook with specific tasks and protocols. Having a runbook also protects an organization in case a key participant is absent, by allowing an alternate person to execute those tasks. The more an organization includes in the runbook, the better prepared they will be.
Very, very important is a procedure for recovery. If a team needs to restore a system because it is lost, are those procedures documented in a way that the team can execute? Not only is system configuration important, but including security actions helps too.
Who is the system owner? Who has access to the system? Is the data flowing to or from the system or both? And how quickly does the system need to be recovered to minimize impact to the organization? These are all important questions that when included in the runbook, can help an organization decide on next steps.
One component of GDPR’s notification requirements is the ability to identify root cause and to propose mitigation.
Incident response can accomplish this task for an organization. Incident response is a standardized protocol for identifying and mitigating a data breach. Many organizations will have an incident response team. The information security team most often controls the protocol and coordinates these efforts among the team. There are four primary objectives of incident response.
The first is to minimize customer impact in case their data is lost.
Next is to reduce any financial loss to the business. This can include data loss or the cost of mitigating the breach.
Ensuring compliance and avoiding regulatory penalties is quite important as well, especially given the steep fines outlined in GDPR.
Finally, making a strategic adjustment to one’s security posture is important.
An organization can do this by ensuring future breaches of similar nature are minimized or avoided. There are many ways an organization can be prepared before an incident.
The most important is employee awareness. Ensuring employees know what to do and who to contact will give organizations the best readiness posture.