Data Privacy and protection are gaining attention wordwide. In line of the same trend, the European Union, has introduces a new framework to safeguard data and privacy for its citizens.
The same is termed as General Data Protection Regulation (GDPR). It supersedes the UK Data Protection Act 1998 and will be applicable form 25th May, 2018. Hence the companies attached to EU need to prepare as soon as possible, taking into account some obligations may be expensive and the implementation will be time-consuming.
The new regulation introduces a set of rules, which require organizations to implement controls to protect personal data. The new law brings a 21st century approach to data protection. It expands the rights of individuals to control how their personal information is collected and processed, and places a range of new obligations on organizations to be more accountable for data protection.
GDPR compliance demands strong compliance with the data protection principles. This involves taking a risk-based approach to data protection, ensuring appropriate policies, procedures and Technology are in place to deal with the transparency, accountability and individuals’ rights provisions, as well as building a workplace culture of data privacy and security.
With the appropriate compliance framework in place, not only organizations be able to avoid significant fines and reputational damage, they will also be able to show customers that you are trustworthy and responsible, and derive added value from the data you hold.
What is personal data?
GDPR is designed to enable individuals to better control their personal data.
“Personal data” is defined in the GDPR as any information relating to a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. In other words, any data or processes that can identify the subject comprise that individual’s personal data.
A piece of personal data that allows one to identify a specific person. That’s the shortest and most practical definition. Lets understand the context with use of few email addresses.
firstname.lastname@example.org – is not a piece of personal data, as it isn’t assigned to a specific person at a company. It doesn’t imply who the owner of the address is. It points to a company, not a person.
email@example.com – is a piece of personal data, as it is assigned to a specific person at a company. It does imply who the owner of the address is, or at least it gives you enough information to identify a specific person at a company.
firstname.lastname@example.org – is a piece of personal data, as it is assigned to a specific person.
Whether we work within a B2B or a B2C domain, we administer or process some kind of personal data. It’s most probably the data of your clients, our prospects, our users, our email list subscribers, or our employees.
GDPR is not about regulating email sending. It’s about regulating the ways in which you administer and process personal data of EU citizens in general. Email address is just an example here. In various contexts data like telephone numbers, addresses, identification numbers etc. may be treated as personal data as well.
Requirements of GDPR 2018
The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles that have the greatest potential impact on security operations:
- Articles 17 & 18– Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).
- Articles 23 & 30– Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.
- Articles 31 & 32– Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify SAs of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach such as the nature of it and the approximate number of data subjects affected. Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high risk.
- Articles 33 & 33a– Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
- Article 35– Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with Supervising Authorities (SAs). Some companies may be subjected to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.
- Articles 36 & 37– Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.
- Article 45– Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.
- Article 79– Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.
GDPR comprises a list of specifications on how businesses should process and handle personal data. In effect, this regulation is to ensure that private data is processed with transparency under the new law, for a clearly-stated purpose, with end-user’s consent. Once fulfilled, the data should be deleted, provided there are no legal-binding regulations in the country or business.
The GDPR allows users for more flexibility over what they have shared. Users have the right to access, modify, rectify, delete altogether their data, among other things. The regulation will also set the foundations for a uniform set of data protection policies throughout the European Union. In other words, where there used to be different sets of rules per country, now is. Dated as they were, this radical change in data protection rules was much needed.
Inline with the first step for compliance, mapping the data flow to enable us to assess our privacy risks. This includes understanding and documenting the following:
- What kind of personal data is collected (e.g., name, email, address)?
- How is it collected (e.g., form, online, call center)?
- Where is it stored?
- How is it processed?
- Is the data encrypted?
- Who is accountable for personal data?
- What is the location of the systems/filing systems containing the data?
- Who has access to the information?
- Is the information disclosed/shared with anyone (e.g., suppliers, third parties)?
- Does the system interface with or transfer information to other systems?
- How long do we keep it?
The GDPR impacts many areas of an organization: legal and compliance, technology, and data
- Legal & Compliance: The GPDR introduces new requirements and challenges for legal and compliance functions. Many organizations will require a Data Protection Officer (DPO) who will have a key role in ensuring compliance. If the GDPR is not complied with, organizations will face the heaviest fines yet –up to 4% of global turnover. A renewed emphasis on organizational accountability will require proactive, robust privacy governance, requiring organizations to review how they write privacy policies, to make these easier to understand.
- Technology: New GDPR requirements will mean changes to the ways in which technologies are designed and managed. Documented privacy risk assessments will be required to deploy major new systems and technologies. Security breaches will have to be notified to regulators within 72 hours, meaning implementation of new or enhanced incident response procedures. The concept of ‘Privacy By Design has now become enshrined in law, with the Privacy Impact Assessment expected to become commonplace across organizations over the next few years. And organizations will be expected to look more into data masking, pseudo-anonymization and encryption.
- Data: Individuals and teams tasked with information management will be challenged to provide clearer oversight on data storage, journeys, and lineage. Having a better grasp of what data is collected and where it is stored will make it easier to comply with new data subject rights –rights to have data deleted and to have it ported to other organizations.
Controller vs. processor
There are two types of responsibilities regarding the protection of personal data: data “controllers” and
data “processors.” Specifically, any business that determines the purposes and means of processing personal data is considered a “controller.” Any business that processes personal data on behalf of the controller is considered a “processor.” For example, a bank (controller) collects the data of its clients when they open an account, but it is another organization (processor) that stores, digitizes, and catalogs all the information produced in paper by the bank.
In fact, some organizations have no control over the data they store from their customers. The question is: within the EU GDPR, what are the responsibilities of these organizations if they store personal data? Are they covered by the new European regulations?
According to Article 4 of EU GDPR, different roles are identified as indicated below:
- Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
- Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
Both organizations are responsible for handling the personal data of these customers.
EU GDPR vs ISO 27001 and 27018
The ISO 27001 standard is a framework for information protection. If the implementation of ISO 27001 identifies personal data as an information security asset, and those that stores/processes personal data in the cloud follow ISO 27018 recommendations, most of the EU GDPR requirements will be covered.
The ISO 27000 series of standards provide the means to ensure this protection. There are many points where the ISO 27001 and ISO 27018 standards can help achieve compliance with this regulation. Here are just a few of the most relevant ones:
- Risk assessment – Because of the high fines defined in EU GDPR and major financial impact on organizations, it will be natural that the risk found during risk assessment regarding personal data is too high not to be dealt with. On the other side, one of the new requirements of the EU GDPR is the implementation of Data Protection Impact Assessments, where companies will have to first analyze the risks to their privacy, the same as is required by ISO 27001. Of course, while implementing ISO 27001, personal data must be classified as high criticality, but according to the control A.8.2.1 (Classification of information), “Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.”
- Compliance – By implementing ISO 27001, because of control A.18.1.1 (Identification of applicable legislation and contractual requirements), it is mandatory to have a list of relevant legislative, statutory, regulatory, and contractual requirements. If the organization needs to be compliant with EU GDPR (see section above), this regulation will have to be part of this list. In any case, even if the organization is not covered by the EU GDPR, control A.18.1.4 (Privacy and protection of personally identifiable information) of ISO 27001 guides organizations in the implementation of a data policy and protection of personally identifiable Information. For cloud services providers, ISO 27018 control A.11.1 (Geographical location of PII) recommends that contractual agreements for international transfer of data must be available to cloud service customers.
- Breach notification – Companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. The implementation of ISO 27001 control A.16.1 (Management of information security incidents and improvements) will ensure “a consistent and effective approach to the management of information security incidents, including communication on security events.” For cloud service providers, ISO 27018 has control A.9.1 (Notification of a data breach involving PII), with specific recommendations for preparation and handling of data breach incidents. According to EU GDPR, data subjects (“a living individual to whom personal data relates”) will also have to be notified, but only if the data poses a “high risk to data subjects’ rights and freedom.” The implementation of incident management, which results in detection and reporting of personal data incidents, will bring an improvement to the organization wishing to conform to GDPR.
- Asset management – The ISO 27001 control A.8 (Asset management) leads to inclusion of personal data as information security assets, and allows organizations to understand what personal data is involved and where to store it, how long, its origin, and who has access, which are all requirements of EU GDPR.
- Privacy by Design – The adoption of Privacy by Design, an EU GDPR requirement, becomes mandatory in the development of products and systems. ISO 27001 control A.14 (System acquisitions, development and maintenance) ensures that “information security is an integral part of information systems across the entire lifecycle.” For cloud service providers, ISO 27018 control A.4.2 recommends that secure erasure of temporary files should be considered as a requirement for information systems development.
- Supplier Relationships – The ISO 27001 control A.15.1 (Information security in supplier relationships) aims for the “protection of the organization’s assets that are accessible by suppliers.” For cloud service providers, ISO 27018 recommends explicit definition of responsibilities of cloud service provider, sub-contractors, and cloud service customers.
The implementation of ISO 27001 covers most of the requirements of the EU GDPR; however, some Controls should be adapted to include personal data within its Information Security Management System.
In addition to ISO 27001, some measures will have to be included in order for an organization, either controller or processor, to ensure compliance with EU GDPR, such as Procedures for ensuring the exercise of the rights of data subjects, Mechanisms for the transfer of data outside the EU, Minimum content of the impact assessment on data protection, and Procedures to be followed in case of violation of personal data. All these controls can be integrated into the Information Security Management System, allowing the guarantee of legal compliance and continuous improvement, even more so when the ISMS and EU GDPR are aligned.
The organizations covered by the EU GDPR have until May 2018 to implement a set of measures that may imply a drastic change in their way of operating. Not knowing where to start can make this whole process unnecessarily complex. Therefore, the implementation of an ISMS compliant with ISO 27001 is a sure step for an organization to achieve compliance with EU GDPR.
- Gap analysis: Experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR.
- Data flow audit: Data mapping involves plotting all of your data flows, drawing up an extensive inventory of the data to understand where the data flows from, within and to. This type of analysis is a key requirement of the GDPR.
- DPO as a service: Outsourcing the DPO role can help your organization address the compliance demands of the GDPR while staying focused on its core business activities.
- Implementing a personal information management system (PIMS) :Establishing a PIMS as part of your overall business management system will make sure that data protection management is placed within a robust framework, which will be looked upon favorably by the regulator when it comes to DPA compliance.
- Implementing an ISMS compliant with ISO 27001
- Cyber-Health Check: Combination of on-site and remote vulnerability assessments to assess your cyber-risk exposure.
GDPR compliance may be tough, but data security and privacy are worth for the extra effort. Any company that complies GDPR, spreads a message that they do care about customer data privacy.
Be proactive on Data Protection, Privacy , Confidentiality and Integrity. Enjoy the benefits of GDPR.