GDPR – General Data Protection Regulation

Some notes regarding GDPR requirements and some things to consider.

10 second practical advice

A Deeper explanation

What is it?

• EU General Data Protection Regulation (GDPR) is the most important change in
  data privacy regulation in 20 years
• Comes fully into effect on 25th May 2018
• Core Principles GDPR
  • Opt-in only
    • All contacts must provide consent to be emailed
    • Sender must be able to prove consent
  • No Soft opt-in
    • Implied consent no longer enough
    • Disclaimers not enough, users must actively opt-in
  • Right to be forgotten
    • Everyone has the right to be forgotten i.e. deleting all contact data from all platforms

How does it affect my organisation?

• Data controllers (clients) will be legally bound to validate data processors (my companies) compliance
• Processor must implement technical and organisational measures to protect personal data
  • Only technical controls mentioned in GDPR are encryption and pseudonymisation (de-identifying data with a mechanism to re-identify if necessary)

• The controller can force the processor to adhere to their rules/standards. Processor must follow the instructions of the controller:

GDPR Guidelines

• Embrace privacy by design

• Analyse the legal basis on which you use personal data
• Prepare for data security breaches
• Establish a framework for accountability
• Be careful with cross-border transfers
• Understand your responsibilities as a data processor

Core concepts for your organisation as a processor

• Use policies and automatic encryption to massively reduce risk accidental breach risk
• Classification of data, and take measures to accessibility accordingly eg:
  • Public data
  • Confidential data
  • Personal data (highest sensitivity)
• Potential areas for personal data:
  • User data
  • Client data
• All data must remain in the EU
• Best to have the ability to search, index and correlate encrypted personal data
• Data encryption at rest: Encryption is defined as as appropriate technology from protecting personal data (Article 21, section 1 [A])
• Review/adjust legal contracts
• Name a DPO in your organisation

• Incident response policy required – that can take a lot of work as you really need Risk Assesments and other policies first
• Auditing activity relating personal data is critical (audit trail should be covered in security policies)
  • Must be able to track who has access to what, why and for how long
  • Keep detailed records of the processing conducted on personal data (article 30)
  • Good record keeping can limit punishments
• Pseudonymization (Key term in GDPR): separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. Eg for users, only use a UserID, and have the plain text names in an encrypted db table
• Importance of encryption/ pseudonymization:
  • Article 32: the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymization and encryption of personal data.
  • Article 33: Clients may not need to notify data subjects about a breach if the personal data has been rendered “unintelligible to any person who is not authorised for access it, such as encryption”
    • Encryption is key

Next/first Steps

GDPR Compliance starts with getting the board onboard

• Define what “personal data” is (need professional legal advice)
  • What information does your organisation hold that falls under GDPR rules?
  • Do you need to delete customer data? In that case, we should demonstrate and audit that customer data has been deleted?
• Have your basic security policies in place
  • Access rights
  • Audit logs
  • Encryption
  • Backup
• Data classification
  • Classify all types of data you have in your organisation
• Data encryption / policy
  • Can you encrypt?:
    • Databases
    • Media files
    • Logs
    • Backups
  • If you can show data is encrypted – fines much lower. Don’t need to notify affected data subjects of the breach. Still need to notify regulator
• Audit trail
  • Audit Trails are key to the process
    • Log access (who, what, why)
    • Log activity (view, edit, update, delete?) (article 30)
    • Proof of deletion
• Incident response (policy)
• Forensic response plan
• Assign a DPO
• Do you need privacy data management in your organisation?
  • Consent
  • Show individuals what data we hold
  • Delete (right to be forgotten)

Additional information

• Answer these and you have start of the DP policy
  • How does data flow into your company?
  • Where necessary, how does data flow out of your company?
  • How do end users make use of that data?

• GDPR also covers Hard copy data, not just digital
• Align info sec with a framework such as ISO27001
• Search for data, remove what is not required, anonymise and restrict access to what is left

Again Encryption is largely your security against fines

Data breaches

• Hacks will always happen, but GDPR is all about being able to demonstrate that you have tried your best to secure data.
• It’s possible that organisation will just not look for breaches as when they find them, the 72 hour clock starts ticking
• Breach: definition is very broad – Not just a hacker, losing a USB or laptop on train is considered a breach
  • Breach types – deliberate, mistake, malicious, accidental
  • What were the compliance failures that led to the breach

• Notify in case of breach of personal data: you must notify the appropriate regulatory body within 72 hours
  • What do you need to do? Who do you need to tell?- need a plan in place.

• If dealing with > 5000 Customers – you need a named DPO (Data protection Officer)
• Do not keep data any longer than necessary

Potential Fines

• Fine levels are highly increased:
  • 2% of Turnover or €10,000,000 whichever is greater for certain offences like data security, no notification of breach to EU authorities, no impact assessment etc

• 4% of Turnover or €20,000,000 whichever is greater for certain offences like: no consent, transfers to certain countries, processing sensitive data etc

• Policies are aimed to motivate companies to improve privacy protection:
  • Guilty until proven innocent
  • Fines for companies that have no policies in place, not for failing policies

Marketing

Consent to contact

• Personal data: all data that can be related to a specific, individual person

Contacting people

• Consent: need consent to contact. Need an audit trail that proves you have consent to contact

Cloud services

Summary

Links to online resources

• The New EU Data Protection Regulation
  • https://youtu.be/TBh5hPynRzQ
• GDPR: Killing cloud quickly?
  • https://iapp.org/news/a/gdpr-killing-cloud-quickly/
• The GDPR’s impact on the cloud services provider
  • http://privacylawblog.fieldfisher.com/2016/the-gdprs-impact-on-the-cloud-services-provider/
• The GDPR’s impact on the cloud service provider as a processor
  • http://www.fieldfisher.com/media/3993765/the-gdprs-impact-on-the-cloud-service-provider-as-a-processor-mark-webber-privacy-data-protection.pdf
• The new EU General Data Protection Regulation in Under 60 Minutes!
  • https://youtu.be/NxgZ57BTkFQ
• General Data Protection Regulation Masterclass
  • https://youtu.be/1PkcBf9-iMY
• Bytes Webinar – GDPR Compliance The 12 Steps the ICO Recommend
  • https://youtu.be/uPQkMo0jZ6k
• Webinar: GDPR – how it applies to cloud, and what to do about it
  • https://youtu.be/1XwUwUnCeuA
• Charting the Course to GDPR: Setting Sail
  • https://youtu.be/fgDfyd__zIg
• Data flow mapping for EU GDPR compliance
  • https://youtu.be/EZFgrmzmPYE
• EU GDPR Webinar: The IT Manager’s guide to GDPR – Getting your department up to speed and ready
  • https://youtu.be/9hh5EDUWPGo
• Preparing for GDPR
  • https://www.clearswift.com/sites/default/files/documents/technical-guides/clearswift_gdpr_faq_v3.pdf
• Preparing for the EU General Data Protection Regulation (GDPR)
  • https://www.clearswift.com/sites/default/files/Clearswift_GDPR_WP.pdf
• EU General Data Protection Regulation (GDPR) Need to Knows
  • https://youtu.be/67i_Uw8UeUE
• AWS Whitepaper
  • https://d0.awsstatic.com/whitepapers/compliance/AWS_EU_Data_Protection_Whitepaper_EN.pdf