GDPR – General Data Protection Regulation

Some notes regarding GDPR requirements and some things to consider.

10-second practical advice


A deeper explanation

What is it?

  • EU General Data Protection Regulation (GDPR) is the most important change in
    data privacy regulation in 20 years
  • Comes fully into effect on 25th May 2018
  • Core principles of GDPR
    • Opt-in only
      • All contacts must provide consent to be emailed
      • Sender must be able to prove consent
    • No Soft opt-in
      • Implied consent no longer enough
      • Disclaimers not enough, users must actively opt-in
    • Right to be forgotten
      • Everyone has the right to be forgotten, i.e. to have all of their contact data deleted from all platforms

How does it affect my organisation?

  • Data controllers (clients) will be legally bound to validate data processors’ (i.e. my companies’) compliance
  • Processor must implement technical and organisational measures to protect personal data
    • The only technical controls explicitly mentioned in GDPR are encryption and pseudonymisation (de-identifying data with a mechanism to re-identify it if necessary)


  • The controller can force the processor to adhere to their rules/standards. The processor must follow the instructions of the controller.

GDPR Guidelines

  • Embrace privacy by design


  • Analyse the legal basis on which you use personal data
  • Prepare for data security breaches
  • Establish a framework for accountability
  • Be careful with cross-border transfers
  • Understand your responsibilities as a data processor

Core concepts for your organisation as a processor

  • Use policies and automatic encryption to massively reduce the risk of an accidental breach
  • Classify data, and restrict access according to its classification, e.g.:
    • Public data
    • Confidential data
    • Personal data (highest sensitivity)
  • Potential areas for personal data:
    • User data
    • Client data
  • All data must remain in the EU
  • Best to have the ability to search, index and correlate encrypted personal data
  • Data encryption at rest: encryption is named as an appropriate technology for protecting personal data (Article 21, section 1 [A])
  • Review/adjust legal contracts
  • Name a DPO in your organisation


  • Incident response policy required – that can take a lot of work, as you really need risk assessments and other policies in place first
  • Auditing activity relating to personal data is critical (the audit trail should be covered in security policies)
    • Must be able to track who has access to what, why and for how long
    • Keep detailed records of the processing conducted on personal data (article 30)
    • Good record keeping can limit punishments
  • Pseudonymisation (key term in GDPR): separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. E.g. for users, only use a UserID in working data, and keep the plain-text names in a separately held, encrypted database table
  • Importance of encryption/ pseudonymization:
    • Article 32: the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymization and encryption of personal data.
    • Article 33: clients may not need to notify data subjects about a breach if the personal data has been rendered “unintelligible to any person who is not authorised to access it, such as encryption”
      • Encryption is key
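The pseudonymisation pattern described above (working data carries only a UserID; the mapping back to a name is held separately) can be built with nothing but the Python standard library. The example below is added here and is not code from the original notes. It assumes a keyed HMAC for deriving the UserID (the key is the "additional information held separately"; `PSEUDONYM_KEY` is a constructed demo value, and in production it would live in a KMS or HSM) and uses an in-memory SQLite database with two tables: `identity`, which in a real deployment would be encrypted at rest and access-restricted, and `activity`, which never contains a name or email. The `forget` function shows what the right to be forgotten looks like in this layout: dropping the identity row leaves the activity rows unlinkable.

```python
import hashlib
import hmac
import sqlite3
from typing import Optional

# Assumption: this key is the separately held re-identification secret.
# Constructed demo value; in production it comes from a KMS/HSM with its own
# access control, never from the application database or source code.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym_for(email: str) -> str:
    """Derive a stable UserID from a direct identifier.

    HMAC-SHA256 rather than a plain hash: without the key nobody can recompute
    the UserID from a guessed email address, so a leaked activity table cannot
    be re-linked by trying likely addresses.
    """
    mac = hmac.new(PSEUDONYM_KEY, email.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def open_store() -> sqlite3.Connection:
    """Two tables: direct identifiers live only in `identity`, never in `activity`."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        -- The only place names/emails exist. In a real deployment this table
        -- is encrypted at rest and readable only by the re-identification role.
        CREATE TABLE identity (user_id TEXT PRIMARY KEY, name TEXT, email TEXT);
        -- Working data carries the pseudonymous UserID and nothing else.
        CREATE TABLE activity (user_id TEXT NOT NULL, action TEXT, at TEXT);
        """
    )
    return con


def register(con: sqlite3.Connection, name: str, email: str) -> str:
    """Store the identity once and hand back the UserID used everywhere else."""
    user_id = pseudonym_for(email)
    con.execute("INSERT OR IGNORE INTO identity VALUES (?, ?, ?)", (user_id, name, email))
    return user_id


def record_activity(con: sqlite3.Connection, user_id: str, action: str, at: str) -> None:
    """Working data: only the UserID is written, never the name or email."""
    con.execute("INSERT INTO activity VALUES (?, ?, ?)", (user_id, action, at))


def reidentify(con: sqlite3.Connection, user_id: str) -> Optional[str]:
    """Re-identification needs the separately held table; None once erased."""
    row = con.execute("SELECT name FROM identity WHERE user_id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def forget(con: sqlite3.Connection, email: str) -> int:
    """Right to be forgotten: drop the identity row. Activity rows keep only the
    UserID and can no longer be linked to a person. Returns rows removed."""
    cur = con.execute("DELETE FROM identity WHERE user_id = ?", (pseudonym_for(email),))
    return cur.rowcount


def activity_count(con: sqlite3.Connection, user_id: str) -> int:
    """How many working-data rows remain for a UserID (they survive erasure)."""
    row = con.execute("SELECT COUNT(*) FROM activity WHERE user_id = ?", (user_id,)).fetchone()
    return row[0]


if __name__ == "__main__":
    con = open_store()
    uid = register(con, "Alice Example", "alice@example.com")  # constructed sample
    record_activity(con, uid, "login", "2018-05-25T09:00:00Z")
    print(uid, reidentify(con, uid))   # name resolvable while the identity row exists
    forget(con, "alice@example.com")
    print(uid, reidentify(con, uid))   # None: the activity rows are now unlinkable
```

Two caveats a practitioner should keep in mind: erasure also has to reach backups and any copies of the `identity` table, and whether the orphaned `activity` rows may be kept at all is a retention question (the notes' "do not keep data any longer than necessary"), not something pseudonymisation settles on its own.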


Next/first Steps

GDPR Compliance starts with getting the board onboard


  • Define what “personal data” is (need professional legal advice)
    • What information does your organisation hold that falls under GDPR rules?
    • Do you need to delete customer data? If so, you must be able to demonstrate and audit that the customer data has been deleted
  • Have your basic security policies in place
    • Access rights
    • Audit logs
    • Encryption
    • Backup
  • Data classification
    • Classify all types of data you have in your organisation
  • Data encryption / policy
    • Can you encrypt?:
      • Databases
      • Media files
      • Logs
      • Backups
    • If you can show the data is encrypted – fines are much lower, and you don’t need to notify affected data subjects of the breach. You still need to notify the regulator
  • Audit trail
    • Audit Trails are key to the process
      • Log access (who, what, why)
      • Log activity (view, edit, update, delete?) (article 30)
      • Proof of deletion
  • Incident response (policy)
  • Forensic response plan
  • Assign a DPO
  • Do you need privacy data management in your organisation?
    • Consent
    • Show individuals what data we hold
    • Delete (right to be forgotten)
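The audit trail items above (log who accessed what and why, log the action, keep proof of deletion) need a log that cannot be quietly edited after the fact, otherwise it proves nothing to a regulator. The following is an added example, not code from the original notes: a minimal append-only, hash-chained audit trail in standard-library Python. Each entry records who, what, action, why and when, plus the hash of the previous entry, so altering, removing or reordering any entry breaks `verify()`. `proof_of_deletion` returns the entry that evidences an erasure. Field names, the `identity/<user_id>` resource naming and the sample events are assumptions made for the demo.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import List, Optional


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    at: str          # timestamp supplied by the caller (ISO 8601 in the demo)
    who: str         # actor: operator or service account
    what: str        # resource touched, e.g. "identity/<user_id>" (assumed naming)
    action: str      # view / edit / update / delete
    why: str         # purpose recorded with the access
    prev_hash: str   # hash of the previous entry (the chain link)
    entry_hash: str  # hash over all fields above


GENESIS_HASH = "0" * 64


def _digest(fields: dict) -> str:
    # Canonical JSON so the same fields always hash to the same value.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditTrail:
    """Append-only, hash-chained record of who touched what, why and when."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, at: str, who: str, what: str, action: str, why: str) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        fields = {"seq": len(self.entries), "at": at, "who": who, "what": what,
                  "action": action, "why": why, "prev_hash": prev}
        entry = AuditEntry(entry_hash=_digest(fields), **fields)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if no entry was altered, removed or reordered."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            fields = asdict(e)
            fields.pop("entry_hash")
            if e.seq != i or e.prev_hash != prev or _digest(fields) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def accesses_to(self, what: str) -> List[AuditEntry]:
        """Everything recorded against one resource: the 'who, what, why' answer."""
        return [e for e in self.entries if e.what == what]

    def proof_of_deletion(self, what: str) -> Optional[AuditEntry]:
        """The latest 'delete' entry for a resource, or None if never deleted."""
        deletions = [e for e in self.entries if e.what == what and e.action == "delete"]
        return deletions[-1] if deletions else None


def with_tampered_entry(trail: AuditTrail, seq: int, new_why: str) -> AuditTrail:
    """Copy of the trail with one entry's 'why' edited in place without re-hashing,
    i.e. what someone editing the log store directly would produce."""
    tampered = AuditTrail()
    tampered.entries = [replace(e, why=new_why) if e.seq == seq else e
                        for e in trail.entries]
    return tampered


if __name__ == "__main__":
    # Constructed sample events for one (pseudonymous) user record.
    trail = AuditTrail()
    trail.append("2018-05-25T09:00:00Z", "support-bob", "identity/u123", "view", "ticket-42")
    trail.append("2018-06-01T10:00:00Z", "dpo-carol", "identity/u123", "delete", "erasure request ER-7")
    print("chain intact:", trail.verify())
    print("deleted by:", trail.proof_of_deletion("identity/u123").who)
    print("after tampering:", with_tampered_entry(trail, 0, "no ticket").verify())
```

In practice the chain only proves integrity relative to its own head, so the latest `entry_hash` should be periodically written somewhere the log writer cannot modify (a separate store, a WORM bucket, or a signed timestamp); without that, someone who can rewrite the whole file can rebuild a consistent chain.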


Additional information

  • Answer these and you have the start of a data protection (DP) policy
    • How does data flow into your company?
    • Where necessary, how does data flow out of your company?
    • How do end users make use of that data?


  • GDPR also covers Hard copy data, not just digital
  • Align information security with a framework such as ISO 27001
  • Search for data, remove what is not required, anonymise and restrict access to what is left


Again, encryption is largely your protection against fines


Data breaches

  • Hacks will always happen, but GDPR is all about being able to demonstrate that you have tried your best to secure data.
  • It’s possible that organisations will simply not look for breaches, because once they find one the 72-hour clock starts ticking
  • Breach: the definition is very broad – not just a hacker; losing a USB stick or a laptop on a train is considered a breach
    • Breach types – deliberate, mistake, malicious, accidental
    • What were the compliance failures that led to the breach?


  • Notify in case of breach of personal data: you must notify the appropriate regulatory body within 72 hours
    • What do you need to do? Who do you need to tell? You need a plan in place.


  • If dealing with > 5000 customers – you need a named DPO (Data Protection Officer)
  • Do not keep data any longer than necessary

Potential Fines

  • Fine levels are greatly increased:
    • 2% of turnover or €10,000,000, whichever is greater, for certain offences such as inadequate data security, failure to notify EU authorities of a breach, no impact assessment, etc.


  • 4% of turnover or €20,000,000, whichever is greater, for certain offences such as: no consent, transfers to certain countries, processing sensitive data, etc.


  • The rules are designed to motivate companies to improve privacy protection:
    • Guilty until proven innocent
    • Fines are for companies that have no policies in place, not for policies that fail

Marketing


Consent to contact

  • Personal data: all data that can be related to a specific, individual person


Contacting people


  • Consent: need consent to contact. Need an audit trail that proves you have consent to contact

Cloud services


Summary


Links to online resources