Some notes regarding GDPR requirements and some things to consider.
10 second practical advice
A Deeper explanation
What is it?
- The EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the most important change in data privacy regulation in 20 years. Adopted in April 2016, it applies in full from 25 May 2018
- Core principles of GDPR
- Opt-in only
- Contacts must have given consent before being e-mailed, unless another lawful basis applies (Article 6; Recital 47 recognises direct marketing as a possible legitimate interest, but you must be able to justify it)
- The sender must be able to prove consent (Article 7(1))
- No soft opt-in
- Implied consent is no longer enough: consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action (Article 4(11)); pre-ticked boxes and silence do not count (Recital 32)
- Disclaimers are not enough, users must actively opt in
- Right to be forgotten
- Everyone has the right to erasure (Article 17), i.e. deletion of all their data from all platforms, including copies held by processors and sub-processors; exceptions exist (e.g. data you must keep to meet a legal obligation), so document why anything is retained
How does it affect my organisation?
- Data controllers (clients) are legally bound to use only processors (my companies) that provide sufficient guarantees of compliance (Article 28(1)), so they will audit us
- The processor must implement appropriate technical and organisational measures to protect personal data (Article 32)
- Encryption and pseudonymisation (de-identifying data with a mechanism to re-identify if necessary) are the only technologies GDPR names; Article 32 also requires ongoing confidentiality, integrity, availability and resilience of the systems, the ability to restore availability after an incident, and regular testing of the measures
- The controller can impose its rules/standards on the processor through the contract (Article 28(3)); the processor may process personal data only on the controller's documented instructions and must inform the controller if an instruction appears to breach the regulation
GDPR Guidelines
- Embrace privacy by design
- Analyse the legal basis on which you use personal data
- Prepare for data security breaches
- Establish a framework for accountability
- Be careful with cross-border transfers
- Understand your responsibilities as a data processor
Core concepts for your organisation as a processor
- Use policies and automatic encryption to massively reduce the risk of an accidental breach
- Classify data and restrict access according to class, e.g.:
- Public data
- Confidential data
- Personal data (highest sensitivity; special categories under Article 9 such as health or biometric data need an extra justification to process at all)
- Potential areas for personal data:
- User data
- Client data
- Personal data should stay in the EU/EEA unless a Chapter V transfer mechanism applies (adequacy decision, standard contractual clauses or binding corporate rules); check where cloud providers and sub-processors keep backups and logs
- Best to retain the ability to search, index and correlate pseudonymised or encrypted personal data (e.g. via deterministic pseudonyms or searchable indexes) so that subject access and erasure requests can still be fulfilled
- Data encryption at rest: encryption is named as an appropriate measure for protecting personal data (Article 32(1)(a))
- Review/adjust legal contracts
- Name a DPO in your organisation if Article 37 requires one (public authority, large-scale regular and systematic monitoring, or large-scale special-category data); otherwise still assign someone the responsibility
- Incident response policy required; that can take a lot of work as you really need risk assessments and other policies first
- Auditing activity relating to personal data is critical (the audit trail should be covered in the security policies)
- Must be able to track who has access to what, why and for how long
- Keep detailed records of the processing conducted on personal data (Article 30)
- Good record keeping can limit punishments (Article 83(2) weighs the measures taken and the cooperation shown when a fine is set)
- Pseudonymisation (key term, Article 4(5)): separating data from direct identifiers so that it cannot be linked to an identity without additional information that is held separately and protected. E.g. for users, work only with a UserID and keep the plain-text names and e-mail addresses in a separately held, encrypted table. Pseudonymised data is still personal data, so it stays in scope
- Importance of encryption / pseudonymisation:
- Article 32(1)(a): the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data
- Article 34(3)(a): clients need not notify data subjects of a breach if the personal data was rendered "unintelligible to any person who is not authorised to access it, such as encryption" (and the key was not compromised). The regulator must still be notified under Article 33 unless the breach is unlikely to result in a risk to individuals
- Encryption is key
Next/first Steps
GDPR Compliance starts with getting the board onboard
- Define what “personal data” is (need professional legal advice)
- What information does your organisation hold that falls under GDPR rules?
- Do you need to delete customer data? If so, be able to demonstrate and audit that the data has been deleted everywhere, including backups and sub-processors
- Have your basic security policies in place
- Access rights
- Audit logs
- Encryption
- Backup
- Data classification
- Classify all types of data you have in your organisation
- Data encryption / policy
- Can you encrypt?:
- Databases
- Media files
- Logs
- Backups
- If you can show the lost data was encrypted (and the key was not exposed), fines are much lower (Article 83(2)(d)) and you need not notify affected data subjects (Article 34(3)(a)). You still need to notify the regulator within 72 hours (Article 33) unless the breach is unlikely to result in a risk, and you must document the assessment either way (Article 33(5))
- Audit trail
- Audit trails are key to the process
- Log access (who, what, why, for how long)
- Log activity (view, edit, update, delete) (Article 30 records of processing)
- Proof of deletion: log erasure events in a tamper-evident way so you can show the regulator and the data subject that the deletion actually happened
- Incident response (policy)
- Forensic response plan
- Assign a DPO (mandatory only in the Article 37 cases, but someone must own data protection either way)
- Do you need privacy data management in your organisation?
- Consent
- Show individuals what data we hold
- Delete (right to be forgotten)
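The pseudonymisation scheme described under core concepts above (UserID in the working data, identifiers held separately, Article 4(5)) and the audit-trail and proof-of-deletion steps in this list, as an added worked example in Python. This is illustration code written for these notes, not code from the regulation, from any linked resource or from a particular product. The class names (IdentityVault, AuditLog, ProcessorStore), the "acme" actors and the sample subject are made up; encryption at rest of the vault is assumed to be provided by the database and is not shown, and a keyed HMAC stands in for the "additional information kept separately". The example also shows why the pseudonym must be keyed: an unkeyed hash of an e-mail address is recovered by a dictionary attack.

```python
# Pseudonymised record store with a separately held re-identification vault and a
# tamper-evident audit trail.  Added illustration for these notes, not code from the
# regulation or any linked resource; class names, actors and the subject are made up.
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone


def normalise(identifier):
    """Canonicalise so 'Alice@X.com ' and 'alice@x.com' yield the same pseudonym."""
    return identifier.strip().lower()


class IdentityVault:
    """Article 4(5) 'additional information', kept separately: the HMAC key and the
    pseudonym -> direct identifier mapping (assumed encrypted at rest in production)."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._identities = {}                      # pseudonym -> {"name", "email"}

    def pseudonym(self, email):
        # Keyed hash: without the key a pseudonym cannot be brute-forced from a list
        # of likely addresses, which an unkeyed sha256 can (see dictionary_attack).
        return hmac.new(self._key, normalise(email).encode(), hashlib.sha256).hexdigest()[:16]

    def register(self, name, email):
        pid = self.pseudonym(email)
        self._identities[pid] = {"name": name, "email": normalise(email)}
        return pid

    def lookup(self, pid):
        return self._identities.get(pid)

    def forget(self, pid):
        """Drop the mapping: nothing held here links the pseudonym back to a person."""
        return self._identities.pop(pid, None) is not None


class AuditLog:
    """Append-only, hash-chained who/what/whom/why log; a changed or removed entry
    breaks the chain, so it doubles as evidence of access and of erasure."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, subject, purpose):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "subject": subject, "purpose": purpose,
                 "prev": self.entries[-1]["hash"] if self.entries else "0" * 64}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != self._digest(body):
                return False
            prev = e["hash"]
        return True


class ProcessorStore:
    """Working data is keyed by pseudonym only; every access and erasure is logged."""

    def __init__(self, vault, log):
        self.vault, self.log = vault, log
        self.orders = {}                           # pseudonym -> list of order rows

    def subject_access(self, actor, pid, purpose):
        """'What do you hold on me?': the one place where re-identification happens."""
        self.log.record(actor, "read", pid, purpose)
        return {"identity": self.vault.lookup(pid), "orders": self.orders.get(pid, [])}

    def erase(self, actor, pid, purpose):
        """Right to erasure: drop the mapping and the rows, then log the proof."""
        removed = {"identity": self.vault.forget(pid), "orders": len(self.orders.pop(pid, []))}
        self.log.record(actor, "erase", pid, purpose)
        return removed


def dictionary_attack(pseudonyms, candidates):
    """Re-identify unkeyed sha256 pseudonyms from a list of likely e-mail addresses."""
    table = {hashlib.sha256(normalise(c).encode()).hexdigest()[:16]: c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def demo():
    vault, log = IdentityVault(), AuditLog()
    store = ProcessorStore(vault, log)
    alice = vault.register("Alice Example", "Alice@example.com")   # constructed sample
    store.orders[alice] = [{"sku": "A1", "qty": 2}]
    assert vault.pseudonym(" alice@EXAMPLE.com ") == alice         # datasets still join
    before = store.subject_access("support@acme", alice, "subject access request")
    store.erase("dpo@acme", alice, "erasure request")
    after = store.subject_access("dpo@acme", alice, "verify erasure")
    candidates = ["bob@example.com", "alice@example.com"]          # attacker's guess list
    weak = {hashlib.sha256(b"alice@example.com").hexdigest()[:16]}  # unkeyed pseudonym
    return {"before": before, "after": after, "chain_ok": log.verify(),
            "weak_hit": dictionary_attack(weak, candidates),
            "strong_hit": dictionary_attack({alice}, candidates),
            "proof": [e["action"] for e in log.entries if e["subject"] == alice]}
```

Running demo() returns the pre-erasure view (identity plus orders), the post-erasure view (no identity, no orders), an intact audit chain, the dictionary attack succeeding against the unkeyed sha256 but not against the HMAC, and the sequence read, erase, read for the subject as the proof of deletion. The vault key and mapping are what must sit in a separate, encrypted, tightly access-controlled store; with them gone the working data is no more than a set of opaque IDs.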
Additional information
- Answer these and you have the start of the DP policy
- How does data flow into your company?
- Where necessary, how does data flow out of your company?
- How do end users make use of that data?
- GDPR also covers Hard copy data, not just digital
- Align info sec with a framework such as ISO27001
- Search for data, remove what is not required, anonymise what you can and restrict access to what is left (data minimisation, Article 5(1)(c))
Again, encryption is largely your protection against fines
Data breaches
- Hacks will always happen, but GDPR is all about being able to demonstrate that you have tried your best to secure data (the accountability principle, Article 5(2))
- It's possible that organisations will just not look for breaches, as once they find them the 72-hour clock starts ticking (it runs from the moment you become aware of the breach, Article 33(1)); not looking is hard to square with the accountability principle and with Article 32(1)(d), which requires regular testing and evaluation of the security measures
- Breach: the definition is very broad (Article 4(12)). Not just a hacker: losing a USB stick or laptop on a train is a breach, as is accidental destruction or loss of availability of personal data
- Breach types: deliberate, mistake, malicious, accidental
- Record what compliance failures led to the breach (Article 33(5) requires you to document the facts, the effects and the remedial action taken)
- Notify in case of a personal data breach: you must notify the appropriate supervisory authority within 72 hours of becoming aware (Article 33), unless the breach is unlikely to result in a risk to individuals; affected individuals must be told without undue delay where the risk is high (Article 34)
- What do you need to do? Who do you need to tell? Have a plan in place before it happens
- A named DPO (Data Protection Officer) is required for public authorities, or where core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special-category data (Article 37); the final text has no customer-count threshold
- Do not keep data any longer than necessary (storage limitation, Article 5(1)(e))
Potential Fines
- Fine levels are greatly increased (Article 83):
- Up to €10,000,000 or 2% of worldwide annual turnover, whichever is higher, for offences such as inadequate data security, failing to notify a breach to the supervisory authority, or not carrying out a required impact assessment (Article 83(4))
- Up to €20,000,000 or 4% of worldwide annual turnover, whichever is higher, for offences such as processing without a lawful basis or valid consent, unlawful transfers to third countries, or breaching the conditions on special-category data (Article 83(5))
- The rules are designed to motivate companies to improve privacy protection:
- Guilty until proven innocent: the accountability principle (Article 5(2)) puts the burden on you to demonstrate compliance
- Fines hit companies that have no policies and measures in place far harder than those whose documented, tested measures failed: the measures taken are an explicit factor when a fine is set (Article 83(2))
Marketing
Consent to contact
- Personal data: any information relating to an identified or identifiable natural person (Article 4(1)), including identifiers such as name, e-mail address, IP address or device ID
Contacting people
- Consent: you need consent (or another documented lawful basis) to contact people, and an audit trail that proves when, how and for what purpose the consent was given
Cloud services
Summary
Links to online resources
- The New EU Data Protection Regulation
- GDPR: Killing cloud quickly?
- The GDPR’s impact on the cloud services provider
- The GDPR’s impact on the cloud service provider as a processor
- The new EU General Data Protection Regulation in Under 60 Minutes!
- General Data Protection Regulation Masterclass
- Bytes Webinar – GDPR Compliance The 12 Steps the ICO Recommend
- Webinar: GDPR – how it applies to cloud, and what to do about it
- Charting the Course to GDPR: Setting Sail
- Data flow mapping for EU GDPR compliance
- EU GDPR Webinar: The IT Manager’s guide to GDPR – Getting your department up to speed and ready
- Preparing for GDPR
- Preparing for the EU General Data Protection Regulation (GDPR)
- EU General Data Protection Regulation (GDPR) Need to Knows
- AWS Whitepaper