GDPR – EU General Data Protection Regulation

Some notes regarding GDPR requirements and some other things to consider.

For a compliance checklist and summary article, see our GDPR compliance checklist blog post.

10 second practical advice for GDPR Compliance

  1. Embrace privacy by design.
  2. Analyse the legal basis on which you use personal data.
  3. Prepare for data security breaches.
  4. Establish a framework for accountability.
  5. Be careful with cross-border data transfers.
  6. Understand your obligations as a data processor.

A deeper explanation

What is the GDPR?

  • The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.
  • It came fully into effect on 25 May 2018.
  • Three points these notes keep returning to (they concern consent to contact; the full list of data protection principles is in Article 5):
    • Opt-in only
      • Where you rely on consent, every contact must have given it before being emailed.
      • Senders must be able to prove consent.
    • No soft opt-in
      • Implied consent is no longer sufficient: consent must be a clear affirmative act (Article 4(11), Recital 32). Pre-ticked boxes, silence or inactivity do not count.
      • Disclaimers are not enough; users must actively opt in.
    • Right to be forgotten
      • Everyone has the right to erasure (Article 17), i.e. deletion of all their contact data from all platforms, unless one of the Article 17(3) exceptions (such as a legal obligation to retain) applies.

How does it affect my organisation?

  • Data controllers (your clients) are legally required to use only processors that give sufficient guarantees of compliance (Article 28(1)), so expect them to validate your (the processor's) controls.
  • The processor must implement technical and organisational measures to protect personal data.
    • Article 32 names only two specific technical controls, pseudonymisation and encryption (pseudonymisation: de-identifying data with a separately held mechanism to re-identify it if necessary). The rest of the article is framed as capabilities: confidentiality, integrity, availability and resilience of systems; timely restoration after an incident; and regular testing of the measures.
  • The controller can impose its rules/standards on the processor by contract (Article 28(3)); the processor may only process personal data on the controller's documented instructions.

Core concepts for your organisation as a processor

  • Use policies and automate encryption to massively reduce the risk of accidental data breach.
  • Implement a classification of data scheme even at the most basic level e.g.
    • Public data
    • Confidential data
    • Personal data (highest sensitivity; special categories under Article 9, e.g. health or biometric data, higher still)
  • Potential areas for personal data.
    • User data
    • Client data
  • Personal data may only leave the EU/EEA under the Chapter V transfer rules (Articles 44 to 49): an adequacy decision, appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules, or one of the Article 49 derogations. Keeping it in the EU is the simplest way to stay compliant. (GDPR speaks of "personal data", not "PII"; the definition is wider than most PII definitions.)
  • Best to have the ability to search, index and correlate encrypted personal data.
  • Data encryption at rest: encryption is named as an appropriate technology for protecting personal data (Article 32(1)(a)).
  • Review/adjust legal contracts.
  • Name a DPO (Data Protection Officer) in your organisation.
  • You must appoint a DPO if you are a public authority, if your core activities involve large-scale regular and systematic monitoring of individuals, or if they involve large-scale processing of special categories of data (Article 9) or of data relating to criminal convictions and offences (Article 10) (Article 37(1)).
  • Regardless of whether you have to appoint a DPO or not, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under GDPR.
  • An Incident response policy is required – this can take a lot of work as you ideally need Risk Assessments and other policies first.
  • Auditing of activity relating to personal data is critical (the audit trail should be covered in your security policies).
    • You must be able to track who has access to what, why and for how long.
    • Keep records of the processing you carry out on personal data (Article 30: purposes, categories of data and recipients, retention periods, transfers, and a description of the security measures).
    • Good record keeping counts in your favour: Article 83(2) lists the technical and organisational measures you had in place among the factors that decide the level of a fine.
  • Pseudonymisation (key term in GDPR, Article 4(5)): the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. E.g. for users, refer to them only by a UserID in the processing tables, and keep the plain-text names in a separate, encrypted database table.
  • Importance of encryption/pseudonymisation.
    • Article 32: the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data.
    • Article 34(3)(a): clients may not need to notify data subjects about a breach if the personal data has been rendered "unintelligible to any person who is not authorised to access it, such as encryption". The supervisory authority must still be notified under Article 33 unless the breach is unlikely to result in a risk.
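
A worked illustration of the pseudonymisation pattern described above (a random user ID in the processing tables, the direct identifiers in a separate table), written for these notes as an added example and not code from the original page. It assumes an in-memory identity table standing in for the encrypted, separately access-controlled table the notes recommend; the sample records are constructed. Erasure drops the identity row, so the remaining rows can no longer be linked to a person, which is how a right-to-be-forgotten request can be honoured while aggregate processing keeps working:

```python
import secrets

# Constructed sample input: raw customer records as a CRM might hold them.
# Direct identifiers (name, email) must not reach the processing tables.
RAW_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "order_total": 120.0},
    {"name": "Bob Example", "email": "bob@example.org", "order_total": 80.0},
    {"name": "Alice Example", "email": "ALICE@example.org", "order_total": 30.0},
]

DIRECT_IDENTIFIERS = ("name", "email")


class PseudonymisedStore:
    """Two tables: an identity table (direct identifiers keyed by a random
    user_id) and a records table holding only user_id plus the attributes
    the processing needs. The identity table here is a plain dict; it stands
    in for the encrypted, separately access-controlled table the notes
    describe (hypothetical layout written for this example)."""

    def __init__(self):
        self.identities = {}   # user_id -> {"name": ..., "email": ...}
        self._by_email = {}    # normalised email -> user_id (lookup index)
        self.records = []      # pseudonymised rows only

    def _user_id_for(self, name, email):
        key = email.strip().lower()
        if key not in self._by_email:
            # Random token: nothing about the person can be derived from it,
            # so once the identity row is gone the link is gone too.
            user_id = secrets.token_hex(16)
            self._by_email[key] = user_id
            self.identities[user_id] = {"name": name, "email": key}
        return self._by_email[key]

    def ingest(self, record):
        """Split one raw record into an identity row and a pseudonymised row."""
        user_id = self._user_id_for(record["name"], record["email"])
        row = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        row["user_id"] = user_id
        self.records.append(row)
        return user_id

    def reidentify(self, user_id):
        """Only callers with access to the identity table can do this."""
        return self.identities.get(user_id)

    def erase(self, email):
        """Right to be forgotten: drop the identity row and the index entry.
        Returns the orphaned user_id, or None if the person was unknown."""
        key = email.strip().lower()
        user_id = self._by_email.pop(key, None)
        if user_id is None:
            return None
        del self.identities[user_id]
        return user_id

    def totals_by_user(self):
        """Processing that keeps working on the pseudonymised rows alone."""
        totals = {}
        for row in self.records:
            totals[row["user_id"]] = totals.get(row["user_id"], 0.0) + row["order_total"]
        return totals

    def leaked_identifiers(self):
        """Check that no direct identifier has slipped into the records table."""
        return [k for row in self.records for k in row if k in DIRECT_IDENTIFIERS]


def demo():
    store = PseudonymisedStore()
    ids = [store.ingest(r) for r in RAW_RECORDS]
    return store, ids


if __name__ == "__main__":
    store, ids = demo()
    print("records table:", store.records)
    print("alice before erasure:", store.reidentify(ids[0]))
    store.erase("alice@example.org")
    print("alice after erasure:", store.reidentify(ids[0]))
    print("totals still computable:", store.totals_by_user())
```

The `leaked_identifiers` check is the one worth wiring into tests: the pattern only holds if no export, log line or analytics job ever copies a direct identifier alongside the user_id.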

Encryption is key, but not quite a silver bullet: it removes the duty to notify data subjects and counts in your favour on fines; it does not remove the duty to notify the supervisory authority or the other Article 32 obligations.

Data Security Focus

Three articles relate specifically to data security (numbering from the final text; the 2012 draft numbered them 30 to 32).

  • Article 32 – Security of processing.
    • Prevent any unauthorised access to personal data.
    • Prevent any unauthorised disclosure, reading, copying, modification, erasure or removal of personal data.
  • Article 33 – Notification of a personal data breach to the supervisory authority.
  • Article 34 – Communication of a personal data breach to the data subject.

Next/first Steps

  • GDPR Compliance starts with getting the board onboard.
  • Define what “personal data” is (you may need professional legal advice).
    • What information does your organisation hold that falls under GDPR rules?
    • Do you need to delete customer data? In that case, you should be able to demonstrate and audit that this has been done.
  • Have you got your basic security policies in place?
    • Access rights
    • Audit logs
    • Encryption
    • Backup
  • Data classification
    • Classify all types of data you have in your organisation.
  • Data encryption / policy
    • Can you encrypt?:
      • Databases
      • Media files
      • Logs
      • Backups
    • If you can show the data was encrypted (and the key was not compromised), you should not need to notify affected data subjects (Article 34(3)(a)) and the measure counts in your favour when a fine is set (Article 83(2)(d)). You still need to notify the regulator within 72 hours unless the breach is unlikely to result in a risk (Article 33(1)).
  • Audit trails
    • Audit Trails are key to the process.
      • Log access (who, what, why)
      • Log activity (view, edit, update, delete) and keep the Article 30 records of processing activities.
      • Proof of deletion
  • Incident response (policy).
  • Forensic response plan.
  • Assign a DPO – Data Protection Officer.
  • Do you need privacy data management in your organisation?
    • Consent
    • Show individuals what data you hold
    • Delete (right to be forgotten)
  • Track data subjects right to access, modify, delete or transfer data.
    • Highest fines are for violating data subject rights such as failing to respond and failure to provide adequate information.
    • Data subjects also have the right to compensation for material or non-material damage (Article 82).
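
An audit trail example serving both the "who, what, why and for how long" tracking in the processor section above and the "log access / log activity / proof of deletion" steps here: an added example written for these notes (not the page's own code) of an append-only, hash-chained log in which each entry commits to the previous one, so editing or deleting an earlier entry is detected when the chain is verified. The actors, subject IDs and purposes are constructed sample data and the entry format is hypothetical; the fixed timestamp is only there to keep the demo reproducible.

```python
import hashlib
import json


class AuditTrail:
    """Append-only audit log. Each entry records who did what to which
    data subject and why, and carries a SHA-256 over the previous entry's
    hash plus its own content, so editing or deleting an earlier entry
    breaks the chain. (Hypothetical format written for this example.)"""

    GENESIS = "0" * 64
    FIELDS = ("ts", "actor", "action", "subject_id", "purpose")

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, body):
        # Canonical JSON so the same content always hashes the same way.
        payload = prev_hash + json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def record(self, actor, action, subject_id, purpose, ts):
        body = {"ts": ts, "actor": actor, "action": action,
                "subject_id": subject_id, "purpose": purpose}
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = dict(body, prev_hash=prev, hash=self._digest(prev, body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in self.FIELDS}
            if e["prev_hash"] != prev or e["hash"] != self._digest(prev, body):
                return False, i
            prev = e["hash"]
        return True, None

    def history_for(self, subject_id):
        """Who accessed this person's data, what they did and why."""
        return [e for e in self.entries if e["subject_id"] == subject_id]

    def erasure_proof(self, subject_id):
        """Proof of deletion: the hash of the erase entry, which every later
        entry commits to. None if no erasure was ever logged."""
        for e in self.entries:
            if e["subject_id"] == subject_id and e["action"] == "erase":
                return e["hash"]
        return None


# Constructed sample events (actor, action, subject, purpose); the fixed
# timestamp keeps the hashes reproducible for the demo.
SAMPLE_TS = "2018-06-01T10:00:00+00:00"
SAMPLE_EVENTS = [
    ("support.jane", "consent_granted", "u-1001", "marketing email opt-in via web form"),
    ("support.jane", "view", "u-1001", "support ticket"),
    ("batch.analytics", "view", "u-1001", "monthly reporting"),
    ("dpo", "erase", "u-1001", "Article 17 erasure request"),
]


def build_sample_trail():
    trail = AuditTrail()
    for actor, action, subject, purpose in SAMPLE_EVENTS:
        trail.record(actor, action, subject, purpose, SAMPLE_TS)
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain valid:", trail.verify())
    print("proof of erasure:", trail.erasure_proof("u-1001"))
    trail.entries[1]["actor"] = "someone.else"   # tamper with an old entry
    print("after tampering:", trail.verify())
```

In practice the head hash is what you anchor elsewhere (a signed daily export, a write-once bucket, a second system); the chain alone detects tampering only if the attacker cannot also rewrite every later entry, and the consent and erase events logged this way are the evidence the notes say you need for "prove consent" and "proof of deletion".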

Additional information

  • Answer these and you have the start of your data protection policy.
    • How does data flow into your company?
    • Where necessary, how does data flow out of your company?
    • How do end users make use of that data?
  • GDPR also covers Hard copy data, not just digital.
  • Align information security with a framework such as ISO 27001.
  • Search for data, remove what is not required, anonymise and restrict access to what is left.

Key points you need to know

  • Organisations must
    • Implement appropriate security measures to protect personal data.
    • Have a clear data protection policy.
    • Have a named Data Protection Officer where Article 37 requires one.
      • The trigger is the nature of the processing (public authority, large-scale monitoring, large-scale special-category data), not company size: there is no blanket SME exemption.
  • Fines for breaches of the security and breach-notification obligations can reach €10 million or 2% of annual worldwide turnover, whichever is higher (Article 83(4)); the upper tier is €20 million or 4% (Article 83(5)).
  • If you suffer a breach and can show that the stolen personal data cannot be accessed by unauthorised people (e.g. it was encrypted and the key was not exposed), the likelihood of a fine should be greatly reduced and you will not need to notify affected data subjects.

Once more, encryption is largely your protection against fines (though not against the duty to report to the regulator).

Data breaches

  • Hacks will always happen, but GDPR is about being able to demonstrate that you have tried your best to secure data.
  • It’s possible that organisations will just not look for breaches as when they find them, the 72 hour clock starts ticking.
  • Breach: the definition is very broad – not just a malicious hack but losing a USB or laptop on train is also considered a breach.
    • Breach types – deliberate, mistake, malicious, accidental.
    • What were the compliance failures that led to the breach?
  • A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
  • For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss of or inappropriate alteration of a staff telephone list, for example, would not normally meet this threshold.
  • You also need to notify individuals. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly.
  • A notifiable breach has to be reported to the relevant Supervisory Authority within 72 hours of the organisation becoming aware of it, and you can provide further information as it becomes available.
    • What do you need to do? Who do you need to tell? You need a plan in place.
  • If a breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without delay.
  • There is no customer-count threshold for a DPO in the final text (the ">5000 data subjects" figure comes from a draft); the Article 37 tests apply: public authority, large-scale regular and systematic monitoring, or large-scale special-category or criminal-offence data.
  • Do not keep data any longer than necessary.

Potential Fines

  • Fine levels have increased sharply (Article 83: general conditions for imposing administrative fines). Both tiers are measured against total worldwide annual turnover in the preceding financial year, "whichever is greater" of the fixed sum and the percentage.
    • Lower tier (Article 83(4)): up to €10,000,000 or, in the case of an undertaking, 2% of turnover, for offences such as inadequate data security, no notification of a breach to the supervisory authority, no impact assessment etc.
  • Articles:
    • 8: Child’s consent
    • 11: Processing not requiring identification
    • 25: Data protection by design and by default
    • 26: Joint controllers
    • 27: Representation of controllers not established in EU
    • 28 – 29: Processor obligations and processing under the authority of the controller
    • 30: Records of processing activities
    • 31: Cooperation with the supervisory authority
    • 32: Data security
    • 33: Notification of breaches to supervisory authority
    • 34: Communication of breaches to data subjects
    • 35: Data protection impact assessment
    • 36: Prior consultation
    • 37 – 39: DPOs
    • 41(4): Monitoring approved codes of conduct
    • 42: Certification
    • 43: Certification bodies
  • Upper tier (Article 83(5)): up to €20,000,000 or, in the case of an undertaking, 4% of turnover, for offences such as processing without a lawful basis or valid consent, unlawful transfers to third countries, unlawful processing of special-category data etc.
  • Articles:
    • 5: Principles relating to the processing of personal data
    • 6: Lawfulness of processing
    • 7: Condition for consent
    • 9: Processing special categories of personal data (i.e. sensitive personal data)
    • 12 – 22: Data subject rights to information, access, rectification, erasure, restriction of processing, data portability, object, profiling
    • 44 – 49: Transfers to third countries
    • 58(1): Requirement to provide access to supervisory authority
    • 58(2): Orders/limitations on processing or the suspension of data flows
  • The fines are designed to motivate companies to improve privacy protection.
    • The burden of proof is on you: you must be able to demonstrate compliance (accountability, Article 5(2)).
    • Documented policies and measures that were actually in place are a mitigating factor when a fine is set (Article 83(2)); having none is an aggravating one.

Marketing

Outbound

  • Existing data.
  • What consent exists?
  • When was it given?
  • Can you legally communicate with them?

Inbound

  • New data.
  • Ensure consent is sought properly and always.
  • Include events and offline acquisition.
  • Keep an audit trail.

Consent to contact

  • Personal data: any information relating to an identified or identifiable natural person (Article 4(1)).
  • Consent: Need consent to contact. Need an audit trail that proves you have consent to contact.

Contacting people – Core Principles

  • Opt-in only
    • All contacts must have consented to be emailed, or you must have another lawful basis (the ePrivacy rules, PECR in the UK, still allow a "soft opt-in" for existing customers of similar products).
    • The sender must be able to prove consent.
  • No soft opt-in where you rely on GDPR consent
    • Implied consent is not enough: consent must be a clear affirmative act.
    • Disclaimers and pre-ticked boxes are not sufficient; the user must actively opt in.
  • Right to be forgotten
    • Everyone has the right to be forgotten, i.e. deletion of all their contact data from all platforms. Keep a minimal suppression list of people who have opted out so that you do not contact them again.

Cloud services

  • Infrastructure cloud providers are treated as processors.
  • Equipment manufacturers, vendors and lessors are not.
  • Individuals and organisations use infrastructure services for computing, storage and networking purposes instead of buying their own equipment.
  • Under GDPR, if controller-customers process any personal data in-cloud, the providers of the services (i.e., IaaS/PaaS and pure storage SaaS) are considered “processors”.
  • This approach may deter cloud use and reduce its flexibility benefits.

Summary

Business recommendations

  • Use a management framework and align with IT (ISO27001 is a good place to start).
  • Make sure that you can demonstrate your compliance as the burden of proof is considerably higher.
  • Map business processes / know where data is.
  • Communicate clearly with individuals and generate value to get their data.
  • Develop and use approved codes of conduct.
  • Change departmental structures to provide oversight and governance, including ensuring DPIAs are carried out where required (Article 35).
  • Conduct 3rd party due diligence and audits.
  • Have good legal counsel, and get good advice!

IT Recommendations

  • Align your information security management framework with the privacy requirements (ISO 27001).
  • Budget, support and resources will be required to ensure that you do not get compromised.
  • Have a forensic and incident response contract.
  • Get basic security right: Asset information, configuration management, patching, anti-virus, encryption, removal of legacy solutions etc.
  • Search for data, remove what is not required, anonymise what you can and restrict access to what is left.
  • Ensure IT strategy aligns with business requirements.
  • 3rd party technical audit and data controls.
