Poetslife

5/31/2018

GDPR Security Holes and More White Paper

Despite the many rules and regulations, there are still security holes in the GDPR regime. For example, how does it handle the multitude of devices in any company's BYOD (Bring Your Own Device) platform? I analyse that security hole and others in my white paper below.

European Union General Data Protection Regulation (GDPR) Security Holes and More White Paper

GDPR Security Holes

Here is what a former Senior Solutions Architect at Perficient has to say about GDPR Security Holes. “Every place that I have worked at since the early 2000s has had a BYOD (Bring Your Own Device) policy with set reimbursement based on role. Very occasionally we would purchase tablets on the company dime and they were usually replacing laptops. What has happened is that these tablets have negatively impacted security, because consumer-based cloud solutions were used when it was convenient for the users.
This reality of a mobile, disconnected workforce has outweighed security concerns of their use. And we have gotten lazier: Neither mobile devices nor laptops were encrypted and there was no effective way to prevent leakage of data either due to lost devices or departing employees.”
How do we address this security hole? Perhaps use AirWatch to protect the data?

Cleaning Up Redundant, Obsolete or Trivial Databases
https://www.ibm.com/blogs/think/nl-en/2017/03/20/upside-gdpr-potential-remedy-dark-data/

Think of all the data in production systems that nobody uses anymore. And what about dark or unstructured data, fragmented in crumbs throughout emails, presentations, phone notes, spreadsheets, and so much more? Keeping data you don’t need for business or regulatory purposes can be unhealthy in terms of IT cost and it can also put your company at greater risk in a data breach – and on top of that, you may be basing your business decisions on data that is incorrect or no longer relevant. Getting your organization ready for GDPR might sound difficult, but it’s actually the perfect opportunity to take on this issue as well. 
Very likely, some of the data we store is what we would call ROT: redundant, obsolete or trivial. It has no business value, but may still cost money to store and maintain. However, when it comes to our unstructured data, we are usually looking at a totally different picture. Personal information may have been shared in emails between the company and physicians. Sensitive customer and client information may have been extracted from production systems for analytical purposes.
And spreadsheets containing confidential customer and client information from our organization may have been saved locally. Most organizations don’t have insight into their unstructured data stores — which is why it’s often referred to as dark data.
Under GDPR, we must assess what personal information we have, where we keep it and what we are using it for. We can create business value from our data by leveraging new insights based on reliable information. We can improve our decision-making processes to serve customers better and more efficiently — and gain their trust by securing their data at the same time.
So, we can add value for our customers and clients while complying with GDPR regulations if we adopt this strategic approach.
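As an added example (not part of the original post or of the IBM article it draws on), the following Python script turns the "assess what personal information we have, where we keep it" step into something runnable: it walks a directory tree, flags files that carry personal-data indicators (e-mail addresses, phone numbers, IBANs), and marks files untouched past a retention threshold, or named like copies and exports, as ROT candidates. The patterns, the 365-day threshold, the verdict names and the sample files it writes to a temporary directory are all constructed assumptions; a pattern match is a prompt for review, not proof that a file holds personal data.

```python
"""Personal-data discovery and ROT (redundant, obsolete, trivial) triage.

Added example, not from the original post. Walks a tree, flags files whose
contents look like personal data, and marks stale or copy-like files as ROT.
Patterns, thresholds and the sample corpus are constructed assumptions.
"""
import os
import re
import tempfile
import time
from collections import Counter

# Illustrative personal-data indicators (constructed; extend for your jurisdiction).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\w)\+?\d[\d .-]{8,}\d\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}\b"),
}
# File names that hint at redundancy: copies, backups, ad-hoc exports.
REDUNDANT_HINT = re.compile(r"(copy|backup|bak|old|export)", re.IGNORECASE)
DAY = 86400


def scan_text(text):
    """Count matches of each personal-data pattern in a text."""
    hits = Counter()
    for name, pat in PATTERNS.items():
        hits[name] += len(pat.findall(text))
    return hits


def classify_file(path, now=None, rot_days=365):
    """Inventory record: where the file is, what it contains, whether it is ROT."""
    now = time.time() if now is None else now
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        text = ""
    hits = scan_text(text)
    age_days = (now - os.path.getmtime(path)) / DAY
    personal = sum(hits.values()) > 0
    stale = age_days > rot_days
    redundant = bool(REDUNDANT_HINT.search(os.path.basename(path)))
    if personal and (stale or redundant):
        verdict = "review-then-delete"  # personal data with no apparent current use
    elif personal:
        verdict = "register"            # live personal data: record it in the processing register
    elif stale or redundant:
        verdict = "rot"                 # no personal data, no current use
    else:
        verdict = "keep"
    return {"path": path, "age_days": round(age_days, 1), "hits": dict(hits),
            "stale": stale, "redundant": redundant, "verdict": verdict}


def build_inventory(root, now=None, rot_days=365):
    """Walk the tree; personal-data ROT sorts first so it is reviewed first."""
    order = {"review-then-delete": 0, "register": 1, "rot": 2, "keep": 3}
    records = [classify_file(os.path.join(d, f), now, rot_days)
               for d, _, files in os.walk(root) for f in files]
    return sorted(records, key=lambda r: (order[r["verdict"]], r["path"]))


def make_sample_corpus():
    """Write a constructed sample tree with back-dated mtimes; return (root, now)."""
    root = tempfile.mkdtemp(prefix="rot-demo-")
    now = time.time()
    samples = {  # relative path: (content, age in days)
        "hr/payroll_export_copy.csv": ("name,email\nAnna,anna.k@example.org\n", 800),
        "hr/onboarding.txt": ("Contact: +32 2 123 45 67\n", 10),
        "ops/runbook.md": ("Restart the service with systemctl.\n", 900),
        "ops/todo.txt": ("Buy coffee.\n", 1),
    }
    for rel, (content, age_days) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        mtime = now - age_days * DAY
        os.utime(path, (mtime, mtime))
    return root, now


if __name__ == "__main__":
    root, now = make_sample_corpus()
    for rec in build_inventory(root, now):
        print(f"{rec['verdict']:<20} {rec['age_days']:>7} {rec['hits']} {rec['path']}")
```

Run it against a real share by calling `build_inventory("/path/to/share")`; the first group in the output is the one the IBM passage is about, personal data that is also redundant or obsolete, and it is the first thing to put in front of the data owner. Modification time is a weak proxy for "nobody uses this", so where the platform records last-access time or audit logs, feed those into `classify_file` instead.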

IBM Security, Outthink security threats with intelligence, integration, and expertise, Written Sep 26, 2016, Christina Thompson, IBM Portfolio
I've been reading a ton lately on GDPR and find it a fascinating topic, considering the amount of impact it will have on businesses, not just in the EU but all over the world (because if you market to, and process information of, EU data subjects then you will be impacted). Note: I don't believe — at this time — that you can actually receive "certification" for GDPR compliance. But in my findings, there are many things you can be doing to prepare for the privacy regulations, such as the ones below.
Here are 2 GDPR webinars:
Webinar: The Journey to GDPR: Your Guide to Data Protection Technology, Tools and …
Key takeaways are:
·         How does the new technology landscape factor into the GDPR?
·         How do you get started with your compliance program?
·         What kinds of tools and assistance are available?

Webinar: Don’t Let the GDPR Blow You Away:  5 Tips to Help you Set Sail
Key takeaways are:
·         Get started on the path to ‘know your data’, which is a key prerequisite to moving forward.
·         Learn how to navigate knowing your data and then protecting personal data can help you with your GDPR obligations.
·         Get pointed in the right direction with 5 top tips to help you smoothly sail as you get ready for the GDPR.

Two helpful GDPR articles include:

GDPR Training and Certification


EUR-Lex — Access to European Union Law

THE NEW EU DATA PROTECTION REGIME FROM AN HR PERSPECTIVE

By Stefan Nerinckx, Tim Van Canneyt and Gaëtan Goossens, Fieldfisher

INTRODUCTION

Just before Christmas and after years of negotiations, the EU institutions agreed on the text of the EU's successor privacy legislation: the General Data Protection Regulation (GDPR).
The GDPR will replace the 'patchwork quilt' of 28 different EU Member States' laws with a single, unifying data protection law, which should lead to significantly greater data protection harmonization throughout the EU.
In addition to harmonizing the EU data protection legal framework, its main objectives are threefold:
·         First, the GDPR increases the rights for individuals.
·         Secondly, it strengthens the obligations for companies.
·         Thirdly, the GDPR dramatically increases sanctions in case of non-compliance. Data protection regulators will have the powers to impose fines of up to €20,000,000 or 4% of the total worldwide annual turnover. Add to that the possibility for the regulators to impose a ban on processing or the suspension of data transfers, the risk of class actions, criminal sanctions and reputational damage, and it becomes clear that not complying with the GDPR will not be an option.
For these reasons, it is fair to say that the GDPR is the most important change in data privacy law in the last twenty years. 
Moreover, it will affect all businesses, all over the world - as every organization has employees and contacts, even if they don't have individual customers.
In this article, we will provide a recap of the most significant changes that the GDPR will bring from an HR perspective. Employers process lots of HR related personal data on a daily basis. How will they be affected by the GDPR and what steps should they take to become compliant with this new set of rules?

WHERE DO PRIVACY AND HR MEET ON THE WORK FLOOR?

Maintaining the balance between the protection of the privacy of the workers and the prerogatives of the employer can be tricky in several circumstances such as in the case of body searches on workers, camera surveillance, geolocation, interrogation of workers, hotlines, the use of internet, email and social networks, etc. There are many laws that apply to this matter.
It starts with article 8 of the European Convention on Human Rights, which lays down rules concerning the protection of private and family life, the home and correspondence. Case law based on this article stipulates employees have the right to privacy, even in the workplace.
On a national level, article 22 of the Belgian Constitution deals with privacy, whereas article 29 relates to confidentiality of the mail. Article 314 bis of the Penal Code addresses the tapping of telecommunications. Interception of e-mail is covered by this legislation too.
Also the Employment Contracts Act, which lays down, particularly in articles 16 and 17, the rights and obligations of the employer and the employee as well as Collective Labor Agreement (CLA) 81 on the protection of the privacy of employees with respect to the monitoring of electronic online communication data in the workplace in the private sector are of importance. This list is not exhaustive.
Furthermore, employers also process private information about their employees. In this area some major changes are to be expected very soon. Below you will find an overview.
Processing of HR-related data: harmonization but look out for additional local rules in the HR context
The main objective of the GDPR is to harmonize data protection laws throughout the EU. Where a group of companies is established in several EU Member States, the rules applicable to the processing of HR-related personal data will now be the same. This is an important improvement for big multinationals, which are quite often struggling to comply with the 28 local flavors of EU data protection law.
There is, however, an important caveat to be made with regard to personal data in the employment context. The GDPR expressly authorizes individual Member States to implement more specific rules in respect of the processing of HR-related personal data.
This carve-out means that specific rules regarding the processing of personal data for the purpose of recruitment, the performance of the employment contract, diversity, health and safety, etc. may still be adopted on a national level.
For HR professionals, it will therefore remain important to continue to follow national law developments in the field of privacy in the workplace, in addition to the more generic GDPR.

A BROADER SCOPE AND A GLOBAL IMPACT

The GDPR will not only apply to employers processing the personal data of their employees, but also to HR service providers that process such data on behalf of the employer ("data processors"). This is an important change compared to the current legal framework, where HR service providers (e.g. social secretariats, providers of HRIS solutions) only have a contractual obligation vis-à-vis the employer but are not directly accountable for complying with the data protection regulations.
The GDPR will also affect non-EU affiliates of a multinational if all HR data is stored in a central system, accessible to affiliates worldwide. While the mechanism for cross-border transfers of personal data has not been materially changed compared to the existing rules, it will become more important for companies to have a good understanding of the different HR data flows within and outside of the group in view of implementing the required mechanisms to legitimize these cross-border data transfers, especially since the European Court of Justice ruled that the EU-US Safe Harbor can no longer be relied on.
For intra-group cross-border transfers, Binding Corporate Rules (BCR) will become a more important and attractive means of achieving compliance under the GDPR. BCRs are now expressly mentioned in the GDPR as a lawful means of transferring personal data to group companies outside the EU, and the process for getting them approved has been further streamlined.

MORE DIFFICULT TO RELY ON CONSENT

This is a highly relevant topic in the context of HR-related data processing. Today, a lot of companies process personal data of employees on the basis of their consent. Over recent years, this approach has been increasingly criticized.
People questioned the validity of consent given by an employee, on the basis that the latter did not really have a choice due to the hierarchal relationship and the imbalance resulting therefrom. The GDPR wants to reinforce the value of consent given by a data subject. It therefore requires that consent be given unambiguously.
This means the consent must be given freely, specifically and on an informed basis. For the consent to be given freely, the refusal to give the consent should not be detrimental to the data subject. Moreover, when the consent is given through a declaration that also regulates other matters, the consent to the processing of data has to be clearly distinguishable from other matters to be valid.
This means that employers will need to carefully re-assess the legal ground on the basis of which they process HR-related data. Where they rely on consent, they will need to check whether they meet all the requirements imposed by the GDPR and bear in mind that free consent implies that it may be revoked at any time.
In most cases, companies will need to move to one of the other legal grounds to (continue to) process HR-related personal data. This could be the contractual necessity (e.g. for the processing of employee payment data), a legal obligation (e.g. for the processing of employee data in relation to social security) or the legitimate interest of the employer (e.g. in the context of employee monitoring).
However, the latter legal grounds all have their restrictions and must be narrowly construed. It may well be that a company will have to stop processing the data or limit the range of data processed, where it cannot rely on any of the legal grounds for processing laid down in the GDPR.

RESPECT THE INCREASED RIGHTS OF YOUR EMPLOYEES

The GDPR significantly enhances the rights of data subjects.
Firstly, with regard to the right to information, employers will need to provide more detailed information as to the how and why of the processing of HR-related personal data. This long list of information to be provided aims at giving more transparency to the processing of data and by doing so enhancing security.
Secondly, employees have a right of access to their data and a right to have inaccurate data rectified. These existing rights have been modified in order to bring more clarity but they are not extended that much.
Finally, under the new so-called right to be forgotten, employees will be entitled to require the employer to erase personal data about them in certain circumstances. This may be the case where the data are no longer necessary for the purpose for which they were originally collected, or where the employee has withdrawn his/her consent.

ACCOUNTABILITY – COMPANIES MUST BE ABLE TO DEMONSTRATE COMPLIANCE

The GDPR introduces a number of new obligations for companies, which should trigger a shift from paper-based compliance to actual and demonstrated compliance in the field. As a result, the obligations to notify processing activities to the data protection authorities will be abolished.
Instead, the GDPR expects companies to implement a number of measures such as: appointment of a (mandatory) data protection officer, carrying out (mandatory) privacy impact assessments and (mandatory) consultation with the data protection authorities before new data processing activities are commenced, as well as keeping records of all their processing activities. These new obligations will have a significant impact on how companies approach projects that involve the processing of personal data.

IMPLEMENT A DATA BREACH NOTIFICATION PROGRAM

On top of the accountability package, the GDPR introduces a general obligation to notify data breaches. While most US-based companies are already familiar with the concept, this will be an important change for many EU businesses and one that they do not particularly look forward to.
Where a company suffers a data breach, as a rule it must notify the data protection regulator within 72 hours. If the notification is not done within 72 hours, there has to be a justification for this delay.

If the data breach relates to HR-related data, the employer must notify the affected employees without undue delay if the breach is likely to result in a high risk to his/her rights and freedoms. To avoid notification fatigue, the GDPR contains a few exceptions to this rule, e.g. if the data was encrypted.

CONCLUSION

It is difficult to overstate the importance of the GDPR and it is clear that it will significantly affect all businesses. Employers will need to very carefully assess their current HR-related processing activities and identify the gaps with the GDPR. On the basis of this gap analysis, they will need to update their existing procedures and implement the required mechanisms to comply with the new obligations. Failure to do so may result in significant fines or other enforcement measures that could materially impede their business.
While the GDPR will only become effective in about two years from now, it is critical to start preparing the transition to new regime as soon as possible. Indeed, the sheer scale and breadth of the changes will require a significant investment of time and resources to ensure a company's data processing policies and IT landscapes are compliant with the new rules.
Belgian State Secretary for Privacy Bart Tommelein has stated that, prior to the entry into force of the GDPR, Belgium will make changes to the current Privacy Act. This means that a number of the obligations under the GDPR will become effective under Belgian law before its official entry into force. Other EU countries may take a similar approach.
To make it simple, Varonis provides some really simple infographics for understanding GDPR.
But how are companies handling GDPR so far?
According to Help Net Security, 97 percent of companies don’t have a GDPR plan. An explanation of this survey can be found at the provided link.
Also go through the best practices for addressing GDPR requirements from Help Net Security. According to them, the main practices are:
·         Hire a data protection officer (DPO)
·         Deploy an access governance solution
·         Control access management
·         Protect the Network
·         Facilitate secure mobile access
·         Ensure email security

These definitely add value to any organization's data security strategy. There are many data protection challenges and issues for organizations, and they must be taken very seriously to avoid legal consequences and high penalties.
Another interesting aspect is the set of data protection issues themselves; it is always wise to look at data protection issues from the beginning and plan accordingly. What are the top data protection issues for HR professionals? According to Squire Sanders, an international law firm, here are the top ones.

Data Breach Response
EU Data Protection Rules impose specific requirements for storing, processing and transferring personal data about EU employees – employer’s liability exposure is increased by failure to prepare for data breach incidents.
  
Bring Your Own Device (BYOD)
EU Data Protection Rules impose obligations on data controllers (employers) to ensure the security of personal data they hold about their employees.
User devices can easily pass malware and viruses onto company platforms and impact security levels. Combining personal data of employees with company data may complicate compliance with EU data protection rules.
  
HRIS Platforms
Employers must abide by EU data protection rules when rolling out a global HR information system involving the processing of EU employee data outside of Europe.

Employee Monitoring and Cross-Border Investigations
EU rules limit the ability of EU legal entities to process personal data within Europe, and to transfer it to foreign affiliates and third parties, including non-EU governmental authorities.

Data Subject Access Requests
EU data protection rules give employees the right to access personal data about them that is held by their employer, and also to correct inaccurate information or request its deletion.

Proposed EU Data Protection Regulation
A new and highly controversial Regulation on data protection is currently being debated by the EU institutions and, if adopted, will become directly enforceable law in all EU Member States.
There are many more and companies definitely need to take them seriously. It’s important that employers understand their responsibilities and potential liabilities under data protection law.

Employers that ignore their legal obligations risk reputational damage and potential prosecution in the courts. However, our research shows that, where employees feel they are under excessive monitoring or surveillance, they have more negative attitudes to their employer and are more likely to suffer from stress.

Employers should therefore develop policies in this area that take a compliant, but balanced, approach and ensure that employees are aware of, and understand their rights and obligations under data protection law.

For more info, please follow EU Data Protection.

GDPR and the UK (Brexit Question)

https://www.shrm.org/resourcesandtools/legal-and-compliance/employment-law/pages/eu-data-protection-regime.aspx
Europe's new data protection legal framework is set out in the General Data Protection Regulation (GDPR), which will come into force in all EU Member States on May 25, 2018, including the U.K. Key points follow.

Key Points

1. A new EU data protection regime came into force in all EU Member States on 25 May 2018.
2. The GDPR will apply to the U.K. and is likely to apply after the U.K. leaves the EU. The U.K. will still be a Member State of the EU on 25 May 2018. The GDPR comes into effect for all Member States, and so will come into force in the U.K. The U.K. will retain the GDPR following Brexit. 
3. The GDPR is evolutionary rather than revolutionary. The GDPR does not mark a radical departure from the current data protection regime (i.e., in the U.K. under the Data Protection Act 1998 (DPA)). There are, however, certain key changes that will focus attention in the pensions industry.
4. There are four key developments that will affect the pensions industry the most. The GDPR contains four key developments that trustees, employers and the pensions industry will need to grapple with. These are:
·         More detailed privacy notices, while still being concise and easily understood.
·         Overlapping controller and processor obligations, especially around security.
·         Mandatory breach notification to regulators and members.
·         More severe sanctions for noncompliance.

What's Happening on Data Protection?
Regardless of the progress of Brexit negotiations, it is very likely that the U.K. will still be a Member State of the EU on May 25, 2018. The GDPR will therefore apply to data controllers and processors in the U.K. on and from this date and the Great Repeal Bill will translate the GDPR into national law.
The Information Commissioner has also made it clear she expects that the U.K. will want to keep in step with European data protection standards after we leave the EU in order to facilitate cross-border transfers but also as many U.K. controllers and processors will process personal data of European citizens and are therefore caught by the GDPR in any event as it has extraterritorial effect.
Pension scheme trustees will, therefore, need to comply with the GDPR from May 25, 2018.
With just over one year to go until the GDPR goes into force, it is now time to map your data flows and start reviewing current policies, procedures, systems and practices and ensuring you understand your data protection obligations.
The new law is not as radical a departure from the old law as might have been feared. Broadly speaking, data processes that are lawful under the U.K.'s DPA are likely to remain lawful under the GDPR. This should provide some comfort to trustees to the extent they are compliant with the current legal requirements. This is, however, subject to four important changes that are particularly relevant to pension schemes.
What Are the Key Changes for Pensions Under the GDPR?
1. More detailed privacy notices. The requirements relating to privacy notices under GDPR are more detailed and specific than under the DPA and place more emphasis on making them understandable and accessible. Privacy notices will need to contain additional information, such as details of the legal basis for the processing of the personal data that is held.
Existing privacy notices will therefore need to be reviewed and updated accordingly.
2. Overlapping controller and processor obligations, especially around security. Under the GDPR, data processors (i.e., those who process personal data on behalf of a data controller, such as a scheme administrator) will, for the first time, be subject to direct legal obligations. This significant exposure to additional legal liability will make compliance a higher priority among actuaries, employee benefit consultants and other advisers.
In addition, the GDPR will require agreements between trustees and these parties to cover various data protection issues. Data controllers (such as trustees) are not relieved of their obligations under the GDPR even if they have delegated to a third-party data processor.
3. Mandatory breach notification to regulators and members. Under the GDPR, breaches of the data protection requirements must be reported to the national supervisory bodies (i.e. the Information Commissioner's Office in the U.K.) within 72 hours. If breaches are likely to result in a high risk to the rights and freedoms of data subjects (i.e., pension scheme members, employees etc.), the breach has to be communicated directly to the affected persons without undue delay.
4. More severe sanctions for noncompliance. The GDPR imposes significantly greater fines for non-compliance, up to the greater value of €20 million and 4 percent of global annual turnover for the majority of data processing that is relevant for the pensions industry.
Author: Jason Coates is an attorney with Gowling WLG in London. ©2017 Gowling WLG. All rights reserved. Reposted with permission of Lexology.


General Data Protection Regulation GDPR Explained

Now that the regulations have gone into effect on May 25, 2018, companies are beginning to pay attention. To help them understand the General Data Protection Regulation (GDPR), here is my white paper on this subject. The basic rules, principles, and impacts are presented below.

European Union General Data Protection Regulation (GDPR) White Paper

European Union General Data Protection Regulations

On December 15, 2015, the European Union (EU) agreed to a draft of the General Data Protection Rules (GDPR) with potential fines of up to four percent of global revenues or 20 million EUR (whichever is higher), if an enterprise breaks those rules.
These rules, which are expected to go into effect in May 2018, apply to any companies that have or manage the data of customers in the EU regardless of whether the company itself is based outside the EU (with implications for cloud-based models).
So under these new rules, if a US company collects data from EU citizens, it would be under the same legal obligations as though the company had headquarters in say France, UK, or Germany — even though they don’t have any servers or offices there.
Any American company that does business in the EU needs to be in full compliance with GDPR by May 25th, 2018. Even if your company has no presence in the EU, so long as you market to EU residents, even if it is through the web, you need to comply with the GDPR.
The foundational accountability requirement means that you must know all personal data you store and use. This is a major challenge as many organizations habitually store data redundantly.
Sustained compliance means that our product and service development and production processes may need to be updated to consider personal data storing and usage implications from architecture and design to deployment. These new requirements mean that we are now responsible to actually demonstrate how all personal data is effectively secured.
Rules for disclosure of breach and data protection officers will require implementation or update of operational processes, job descriptions, PR processes, etc.
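The accountability requirement above, together with the "pseudonymisation and encryption of personal data" that the GDPR names among its security measures (see the Overview of the GDPR Rules section), is easier to reason about with a concrete extract. The Python below is an added example, not part of the original white paper: it builds an analytics extract from constructed production records, keeps only the fields the stated purpose needs, and replaces the e-mail identifier with an HMAC-SHA256 pseudonym whose key stays with the controller. It also shows why a plain hash is not a pseudonym: a list of known addresses re-identifies it, while the keyed token cannot be recomputed without the key. Record values, field names and the key are assumptions.

```python
"""Pseudonymising an analytics extract with a keyed hash.

Added example, not from the original white paper. Demonstrates data
minimisation plus keyed pseudonymisation, and contrasts it with an unkeyed
hash that a candidate list can reverse. All records and names are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed production records (assumption: the controller's source data).
PRODUCTION = [
    {"email": "anna.k@example.org", "name": "Anna K.", "city": "Ghent", "plan": "gold", "spend": 120.0},
    {"email": "bert@example.org", "name": "Bert V.", "city": "Ghent", "plan": "basic", "spend": 15.5},
    {"email": "anna.k@example.org", "name": "Anna K.", "city": "Ghent", "plan": "gold", "spend": 80.0},
]
# Fields the analytics purpose actually needs; everything else is dropped (minimisation).
ANALYTICS_FIELDS = ("city", "plan", "spend")


def plain_token(identifier):
    """Unkeyed hash: deterministic, so guessable from a list of candidate identifiers."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def keyed_token(identifier, key):
    """Keyed pseudonym: stable for the same input, but only computable by key holders."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """The extract handed to analysts: pseudonym plus the minimised fields only."""
    return [{"subject": keyed_token(r["email"], key), **{f: r[f] for f in ANALYTICS_FIELDS}}
            for r in records]


def guess_identifier(token, candidates, key=None):
    """Re-identification check: does any known address map to this token?"""
    for c in candidates:
        t = keyed_token(c, key) if key is not None else plain_token(c)
        if hmac.compare_digest(t, token):
            return c
    return None


def spend_per_subject(extract):
    """Analytics still works on pseudonyms: per-subject totals without identities."""
    totals = {}
    for row in extract:
        totals[row["subject"]] = totals.get(row["subject"], 0.0) + row["spend"]
    return totals


def demo():
    key = secrets.token_bytes(32)  # kept by the controller, never shipped with the extract
    extract = pseudonymise(PRODUCTION, key)
    candidates = ["anna.k@example.org", "bert@example.org", "carl@example.org"]
    # A plain hash of the first record's e-mail is recovered from the candidate list ...
    plain_hit = guess_identifier(plain_token(PRODUCTION[0]["email"]), candidates)
    # ... the keyed pseudonym is not, unless the guesser also holds the key.
    keyed_hit = guess_identifier(extract[0]["subject"], candidates)
    keyed_hit_with_key = guess_identifier(extract[0]["subject"], candidates, key)
    return {
        "fields_in_extract": sorted(extract[0].keys()),
        "plain_hash_reidentified": plain_hit,
        "keyed_reidentified_without_key": keyed_hit,
        "keyed_reidentified_with_key": keyed_hit_with_key,
        "totals": spend_per_subject(extract),
        "distinct_subjects": len({r["subject"] for r in extract}),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The key is the piece that must be governed: whoever holds it can link pseudonyms back to people, so it belongs with the controller under the same access controls as the production identifiers, and rotating it produces a fresh, unlinkable set of pseudonyms for a new extract. Pseudonymised data is still personal data under the GDPR, which is why the extract also drops every field the analysis does not need.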

This single Europe-wide regulation removes the complexities that businesses currently face complying with multiple local regulations across the EU. Currently, each of the 28 EU states interprets the existing rules in their own way, making compliance across the region complex and expensive.
The GDPR unifies EU data protection legislation, simplifying processes and legal obligations for any country dealing with more than one EU state. However, the scope of GDPR substantially increases the obligations on firms dealing with EU citizens' personal data.
Organizations outside the EU are subject to the jurisdiction of the EU regulators just by collecting data concerning an EU citizen. Such organizations will only have to deal with one single supervisory authority. Among other requirements, the GDPR includes a directive on data transfers for policing and judicial purposes.
The GDPR will apply to the U.K. and is likely to apply after the U.K. leaves the EU. The U.K. will still be a Member State of the EU on 25 May 2018. The GDPR comes into effect for all Member States, and so will come into force in the U.K. The U.K. will retain the GDPR following Brexit. 

Wide powers of enforcement are given to the EU Data Protection Regulators (DPRs). The DPRs will have the power to impose penalties in the form of fines against any business failing to comply with the new regulations. These penalties are significantly stronger than those provided under the current Data Protection Act (DPA).
The GDPR describes three levels of non-compliance, and each level has a band of fines associated with it. For the most serious instances of non-compliance, an organisation can expect a fine of up to 4% of annual global turnover or €20 million, whichever is greater.
GDPR is a set of articles, 99 in total, written by the European Union, which will harmonize the European data privacy laws and data protection laws across Europe. Again, the compliance date is May 25th, 2018. 
For the latest changes and updates to the GDPR, see: http://www.eugdpr.org/key-changes.html

US Versus EU Concepts of Privacy

In the US we think in terms of users, consumers and subscribers. In the EU, individuals and persons are at the center of any notion of privacy. Individuals are guaranteed protection of personal data through the Charter of Fundamental Rights, adopted in 2000, but only acquiring the full force of law in 2009 through the Treaty of Lisbon. Article 8, for example, states:
Protection of personal data:
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
This strong, explicit data protection basis in EU law does not have clear equivalency in the United States, and that gap has been at the center of the data protection and privacy related friction between these two economic blocs for years.

Overview of the GDPR Rules

Among the GDPR rules are requirements to:
·         Implement technical and organizational measures to ensure appropriate data security through means including, among others, “pseudonymisation and encryption of personal data”
·         Have in place a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of data processing
·         Communicate “without undue delay” personal data breaches to the subjects of such breaches when the breach is likely to result in a high risk to the rights and freedoms of these individuals

GDPR and the Cloud

GDPR compliance will not be possible if organizations do not control and secure data in cloud apps. Closely managing a business’ interactions with the cloud is a good starting point. To achieve this, we must:
·         Discover and monitor every cloud application in use by our employees.
·         Know which personal data sets are being processed by employees in the cloud – for instance, customer information such as name, credit card details, address, or other forms of personally identifiable information (PII).
·         Secure data by implementing policies to ensure that employees are not using unmanaged cloud services to store and process PII. Policies should be sufficiently granular in order to prevent unwanted behavior while simultaneously ensuring compliant use of the cloud can continue.
·         Coach users in best practice so they adopt the services sanctioned by IT.
·         Evaluate various cloud access security brokers to determine the enterprise-readiness of all cloud apps and cloud services so the business can guarantee that all data is protected both at rest and in transit.

Personal Data Definition

Personal data is defined in the GDPR as any information relating to a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
So in many cases online identifiers, including IP addresses, cookies and other data artefacts, will now be regarded as personal data if they can be linked back to the data subject without undue effort.
There is no distinction between personal data about individuals in their private, public or work roles — the person is the person.
It applies to data transfers across borders within the EU as well as setting minimum standards for data processing for policing purposes within each member state. (Due to UK and Ireland’s special status regarding justice and home affairs legislation, the directive’s provisions only apply in these countries to a limited extent.)
The regulations will apply to any organisation, regardless of location, that acts as a controller or processor of personally identifiable information of EU residents. The term controller refers to any individual or organisation that determines how and for what business reason the personal data will be used.
Processing of data includes such tasks as collection, storage, recording, editing, or any use for operational purposes. The definition of personal data has been broadened to include additional characteristics that may be used to identify a living individual. Those characteristics include such data constructs as genetic, mental, economic, cultural or social identity.

GDPR Regulation Objectives

There are five primary objectives in the GDPR regulations. They are listed below along with their descriptions.
Establish data privacy as a fundamental right: The GDPR considers data protection as a fundamental human right of an individual, which includes a “right to the protection” of their personal data. Anyone based in the EU, or anyone handling or targeting the personal data of an EU-based individual, must have processes, technology, and automation to effectively protect personal data.

Clarify the responsibilities for EU data protection: The GDPR applies to a controller or a processor who is based or established in the EU, or to a company not based in the EU but who offers goods or services from outside the EU borders to a data subject in the EU or who monitors the behavior of data subjects in the EU.

Define a baseline for data protection: To avoid fragmentation and ambiguity, GDPR has set a baseline for data protection by requiring anyone processing the personal data of an individual that is in the European Union to follow the requirements laid down in the GDPR.

Elaborate on the data protection principles: The GDPR considers encryption as only one of the components of a broad security strategy, and mandates that organizations need to consider assessment, preventive, and detective controls based upon the sensitivity of the personal data they have.

Increase enforcement powers: The EU aims to ensure compliance with the GDPR by enforcing huge fines of up to 4% of the global annual revenue upon non-compliance.

Defined GDPR Roles

There are seven primary roles in the GDPR regulations. They are listed below along with their descriptions.
Data Subject: A person who can be identified directly or indirectly by means of an identifier. For example, an identifier can be a national identifier, a credit card number, a username, or a web cookie.

Personal Data: Any personal information, including sensitive personal information, relating to a Data Subject. For example, address, date of birth, name, location and nationality.

Controller: A natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. For example, a controller can be an organization or Chief Information Officer (CIO).

Data Protection Officer: An individual working for a Controller or a Processor with extensive knowledge of the data privacy laws and standards. The Data Protection Officer (DPO) shall advise the controller or the processor of their obligations according to the GDPR and shall monitor its implementation. The DPO acts as a liaison between the controller/processor and the supervisory authority. A DPO for example can be a Chief Security Officer (CSO) or a Security Administrator.
A single DPO may represent a group of undertakings or multiple public authorities or bodies. The GDPR requires a DPO to be “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices” and the ability to fulfill the tasks designated under Article 39. These tasks involve regulatory compliance, training staff on proper data handling, and coordinating with the supervisory authority, with an ability to understand and balance data processing risks.

Processor: A natural or legal person, agency or any other body which processes Personal Data on behalf of the Controller. For example, a developer, a tester, or an analyst. A Processor can also be a cloud service provider or an outsourcing company.

Recipient: A natural or legal person, agency or any other body to whom the personal data is disclosed. For example, an individual, a tax consultant, an insurance agent, or an agency.

Enterprise: Any natural or legal person engaged in an economic activity. This essentially includes all organizations whether in the public or private sector, whether in the EU or outside of the EU.

Third Party: Any natural or legal person, agency or any other body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorized to process the data. For example, partners or subcontractors.

Supervisory Authority: An independent public authority established by a Member State (known as the National Data Protection Authority under the current EU Data Protection Directive), or auditing agency.

Primary GDPR Requirements

Highlights of the GDPR requirements include:
·         Companies will have to appoint a DPO (Data Protection Officer) who is responsible for advising on and monitoring GDPR compliance, and is a point of contact for the authorities.
·         There are new regulations and requirements for collecting and recording personal data and processing activities.
·         Data authorities and consumers must be notified within 72 hours after the discovery of the breach.
·         A tiered penalty framework with fines of up to 4% of global annual turnover (or €20,000,000, whichever is higher) for more serious violations, and up to 2% (or €10,000,000) for other violations, such as failing to notify a data authority about a breach.
·         Local data authorities will have additional resources to investigate and audit data controllers, and processors and their sub-contractors.
·         A new European Data Protection Board will act as a super data authority to handle disputes between authorities.

Certification Requirements for the DPO

According to the European Data Protection Supervisor’s paper on Professional Standards for Data Protection Officers, the most relevant certification for a DPO is the one provided by the International Association of Privacy Professionals.
Eric Lachaud, in his article Should the DPO Be Certified?, for Oxford University’s International Data Privacy Law journal, reaches the conclusion that the most appropriate certification for the DPO is a combination of the IAPP’s Certified Information Privacy Professional credential for EU professionals (CIPP/E) and Certified Information Privacy Manager (CIPM). The IAPP also offers the Certified Information Privacy Technologist (CIPT) credential, as well as a version of the CIPP for the United States, and one for Canada and the U.S. federal government.
The CIPP/E, CIPP/US, CIPM, and CIPT credentials are certified under ISO standard 17024:2012.

Primary GDPR Sanctions

We are working now to comply with the May 2018 deadline for the following provisions of the GDPR:
·         Right to be forgotten
·         “Clear and affirmative consent” to the processing of private data by the person concerned
·         Right to transfer your data to another service provider
·         Right to know when your data has been hacked
·         Ensuring that privacy policies are explained in clear and understandable language
·         Stronger enforcement and fines up to 4% of firms’ total worldwide annual turnover, as a deterrent to breaking the rules.
The data protection package also includes a directive on data transfers for policing and judicial purposes. It will apply to data transfers across borders within the EU as well as, for the first time, setting minimum standards for data processing for policing purposes within each member state.
The regulation applies if the data controller or processor (organization) or the data subject (person) is based in the EU. The regulation also applies to organizations based outside the EU if they process personal data of EU residents. The regulation does not apply to the processing of personal data for national security activities or law enforcement.

Data Portability

The GDPR requires that a person be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller.
Aimed at helping drive competition between service providers, this part of the regulation seeks to drive automated transfers of data (using a common format yet to be defined) between services which primarily process customers automatically. So, for example, these could include utilities, banks, telecoms and ISPs. The data must be provided by the controller in a structured and commonly used electronic format. The right to data portability is provided by Article 18.

Information Provided at Data Collection

The information that must be made available to a Data Subject when data is collected includes:
·         Identity and the contact details of the controller and DPO
·         Purposes of the processing for which the personal data are intended
·         Legal basis of the processing
·         Where applicable the legitimate interests pursued by the controller or by a third party
·         Where applicable, the recipients or categories of recipients of the personal data
·         Where applicable, that the controller intends to transfer personal data internationally
·         The period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period
·         Existence of the right to access, rectify or erase the personal data
·         Right to data portability
·         Right to withdraw consent at any time
·         Right to lodge a complaint to a supervisory authority

Where the data has not been obtained directly from the data subject, perhaps using a third-party list, the list varies and includes:
·         From what source the personal data originate.
·         The existence of any profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
There are some exceptions, such as where the effort would be disproportionate (although this is unlikely to be a good justification in day-to-day circumstances) and where the information has already been provided to the data subject.

Profiling

The regulation defines profiling as any automated processing of personal data to determine certain criteria about a person, “in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
Individuals have the right not to be subject to the results of automated decision making, including profiling, which produces legal effects on him or her or otherwise significantly affects them. So, individuals can opt out of profiling.
Automated decision making will be legal where:
·         Individuals have explicitly consented to it
·         Profiling is necessary under a contract between an organization and an individual
·         Profiling is authorized by EU or Member State law.

Legitimate Interests and Direct Marketing

The regulation specifically recognizes that the processing of data for “direct marketing purposes” can be considered as a legitimate interest. Legitimate interest is one of the grounds, like consent, that an organization can use in order to process data and satisfy the principle that data has been fairly and lawfully processed.
The act says that processing is lawful if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

EU Definition of GDPR Personal Data

According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, and posts on social networking websites, medical information, or a computer’s IP address." 

Obtaining Consent

Companies must obtain valid, explicit consent for the data collected and the purposes for which it is used (Article 7, with consent defined in Article 4). Consent for gathering data on children (defined as 12 and below) must be given by the child’s parent or custodian, and must be verifiable (Article 8). Data controllers must be able to prove consent (opt-in), and consent may be withdrawn.
According to the Regulation consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”
Although the consent itself need not be explicit, the purpose for which the consent is gained does need to be “collected for specified, explicit and legitimate purposes.” It needs to be obvious to the data subject what their data is going to be used for at the point of data collection.
Consent should be demonstrable in that organizations need to be able to show clearly how consent was gained and when. Consent must be freely given — a controller cannot insist on data that’s not required for the performance of a contract as a pre-requisite for that contract. Withdrawing consent should always be possible — and should be as easy as giving it.

GDPR Reporting a Data Breach

The reporting of a data breach is not subject to any de minimis standard, and breaches must be reported to the Supervisory Authority when the controller becomes aware of them (Article 31). Individuals have to be notified if an adverse impact is determined (Article 32).

GDPR Exceptions

GDPR does provide exceptions based on whether the appropriate security controls are deployed within the organization. For example, a breached organization that has rendered the data unintelligible through encryption to any person who is not authorized to access the data is not mandated to notify the affected record owners.
The chances of being fined are also reduced if the organization is able to demonstrate a “Secure Breach” has taken place.
To address the GDPR compliance requirements, organizations need to employ one or more different encryption methods within both their on-premises and cloud infrastructure environments, including the following:
·         Servers, including via file, application, database, and full disk virtual machine encryption
·         Storage, including through network-attached storage and storage area network encryption
·         Media, through disk encryption
·         Networks, for example through high-speed network encryption
Strong key management is required to protect the encrypted data and to ensure the deletion of files and comply with a user’s right to be forgotten. Controllers must inform subjects of the period of time (or reasons why) data will be retained on collection.
If the data subject subsequently wishes to have their data removed and the data is no longer required for the reasons for which it was collected then it must be erased.
Note that there is a downstream responsibility for controllers to take reasonable steps to notify processors and other downstream data recipients of such requests.
Organizations will also need a way to verify the legitimacy of user identities and transactions, and to prove compliance. Security controls must be in place and be demonstrable and auditable.

Key GDPR Data Security Requirements

The key GDPR data security requirements can be broadly classified into three categories:

·         Assessment
·         Prevention
·         Monitoring/Detection
The GDPR also requires compliance with the data protection principles to enhance the quality and rigor of protection of the data. This section summarizes the key data security requirements discussed in the GDPR.

Assess Security Risks

The GDPR mandates that Controllers perform Data Protection Impact Assessments when certain types of processing of Personal Data are likely to present a “high risk” to the data subject. The assessment must include a systematic and extensive evaluation of the organization’s processes and profiles, and of how these tools safeguard the Personal Data (Article 35).

Prevent Attacks

At various places in the regulation, the GDPR reiterates the importance of preventing security breaches. The GDPR recommends several techniques to prevent an attack from succeeding (Article 32).

Encryption

The GDPR provides that in the event of a data breach, the Controller need not notify data subjects if the data is encrypted and rendered unintelligible to any person accessing it, thereby removing notification costs for the organization (Article 34).

Encrypting Both Structured and Unstructured Data

GDPR requires organizations to safeguard personal data, which may include anything from data about political viewpoints to health history, and says that "this applies to all systems used to process the data, including cloud apps."
The difficulty in complying with this regulation is that much, if not most, of the personal data for which the organization is legally responsible is not found in structured formats like databases, but in things like email messages and random documents created using Office 365 and Box, and in cloud apps not sanctioned by IT.
Another complication is the proliferation of Bring Your Own Device (BYOD) across our organization that makes it difficult to know how to comply with GDPR if we don't know what data we have on these devices and where it resides.

Anonymization and Pseudonymization

Data anonymization is the technique of completely scrambling or obfuscating the data, and pseudonymization refers to reducing the linkability of a data set with the original identity of a data subject. The GDPR states that anonymization and pseudonymization techniques can reduce the risk of accidental or intentional data disclosure by making the information un-identifiable to an individual or entity (Recital 28).
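An added example, not from the white paper, showing the linkability difference the paragraph describes: pseudonymization keeps a keyed token so the key holder can still relink a record (it remains personal data), while anonymization drops identifiers and coarsens the rest so nothing links back. The record fields, the key and the field-coarsening rules are constructed for the example.

```python
import hashlib
import hmac
from itertools import takewhile

# Constructed sample customer records (fictional people).
RECORDS = [
    {"name": "Alice Example", "email": "Alice@example.org",
     "dob": "1984-03-11", "postcode": "SW1A 1AA", "spend_eur": 120.50},
    {"name": "Bob Sample", "email": "bob@example.net",
     "dob": "1979-07-02", "postcode": "M1 4ET", "spend_eur": 3.20},
]
DIRECT_IDENTIFIERS = ("name", "email")


def subject_token(email: str, key: bytes) -> str:
    """Keyed pseudonym for a data subject.

    A keyed HMAC is used rather than a bare hash: an unkeyed SHA-256 of an
    e-mail address can be matched against a list of candidate addresses, so
    it would not reduce linkability. The key is the separately held
    'additional information' that lets only its holder re-identify records.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]


def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with a token; other attributes are kept.

    The output is still personal data: whoever holds `key` can relink it.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = subject_token(record["email"], key)
    return out


def relinks_to(pseudo_record: dict, email: str, key: bytes) -> bool:
    """Re-identification available only to the key holder, e.g. to locate a
    subject's rows when servicing an access or erasure request."""
    expected = subject_token(email, key)
    return hmac.compare_digest(pseudo_record["subject_token"], expected)


def anonymize(record: dict) -> dict:
    """Irreversible: drop direct identifiers and coarsen quasi-identifiers
    (exact DOB -> birth decade, postcode -> area letters, spend -> band).
    No token is kept, so nothing in the output links back to the subject."""
    birth_decade = record["dob"][:3] + "0s"
    outward = record["postcode"].split()[0]
    area = "".join(takewhile(str.isalpha, outward))
    spend = record["spend_eur"]
    band = "<10" if spend < 10 else ("10-99" if spend < 100 else "100+")
    return {"birth_decade": birth_decade, "postcode_area": area,
            "spend_band": band}
```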

Privileged User Access Control

The GDPR implies that privileged users who have access to the Personal Data must be controlled, to prevent attacks from insiders and from compromised user accounts (Article 29).

Fine-grained Access Control

In addition to privileged user control, the GDPR recommends adopting a fine-grained access control methodology to ensure that the Personal Data is accessed selectively and only for a defined purpose. This kind of fine-grained access control can help organizations minimize unauthorized access to Personal Data (Article 25).

Data Minimization

The GDPR recommends minimizing the collection and retention of Personal Data as much as possible to reduce the compliance boundary. While collecting, processing, or sharing Personal Data, Controllers and Processors must be frugal and limit the amount of information to the necessities of a specific activity (Article 5).

Monitor to Detect Breaches

While preventive security measures help organizations minimize the risk of attack, they cannot eliminate the possibility that a data breach may occur. The GDPR recommends monitoring and alerting to detect such breaches through the following mechanisms.

Audit Data

The GDPR not only mandates recording or auditing of the activities on the Personal Data but also recommends that these records be maintained centrally under the responsibility of the Controller. In other words, processors and third parties must not be able to tamper with or destroy the audit records. In addition to bookkeeping, auditing also helps in forensic analysis in case of a data breach (Article 30).
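An added example, not from the white paper, of a tamper-evident audit record store of the kind this paragraph calls for: each record commits to the previous one by hash, and the controller keeps the latest hash out of band so a processor-held copy cannot be altered or truncated unnoticed. The record fields and sample entries are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first record


def _record_hash(prev_hash: str, entry: dict) -> str:
    """Hash of one record, committing to its content and to the previous hash."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_record(log: list, ts: str, actor: str, action: str,
                  subject: str, purpose: str) -> dict:
    """Append an access record to the chain and return it.

    Every field later forensic analysis needs (who, what, which data subject,
    for which purpose) goes into the hashed entry.
    """
    entry = {"ts": ts, "actor": actor, "action": action,
             "subject": subject, "purpose": purpose}
    prev = log[-1]["hash"] if log else GENESIS
    record = {"entry": entry, "prev": prev,
              "hash": _record_hash(prev, entry)}
    log.append(record)
    return record


def verify_chain(log: list):
    """Return (True, None) if every record links to the one before it, else
    (False, index) of the first record whose content or link does not match.
    Modifying or deleting any record other than the last breaks the chain."""
    prev = GENESIS
    for i, record in enumerate(log):
        if (record["prev"] != prev
                or record["hash"] != _record_hash(prev, record["entry"])):
            return False, i
        prev = record["hash"]
    return True, None


def verify_against_head(log: list, head_hash: str) -> bool:
    """Check a copy of the log against the head hash the controller retains
    out of band. This also catches truncation of the most recent records,
    which verify_chain alone cannot detect."""
    ok, _ = verify_chain(log)
    return ok and (log[-1]["hash"] if log else GENESIS) == head_hash


def build_sample_log() -> list:
    """Constructed sample: three accesses to one pseudonymized subject."""
    log = []
    append_record(log, "2018-05-25T09:00:00Z", "analyst-1", "read",
                  "tok-7f3a", "billing")
    append_record(log, "2018-05-25T09:05:00Z", "analyst-2", "export",
                  "tok-7f3a", "marketing")
    append_record(log, "2018-05-25T09:10:00Z", "dpo", "erase",
                  "tok-7f3a", "erasure-request")
    return log
```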

Monitor and Timely Alert

Constant monitoring of the activities on Personal Data is critical for detecting anomalies. In addition to close monitoring, GDPR also mandates timely notifications in case of a breach (Article 33).

Quality of Protection

For both large and small organizations, implementing and administering data security without proper planning can obstruct day-to-day IT operations and result in a significant administrative overhead.
While lack of proper planning and increased costs may have in the past given some enterprises a reason to not implement security, with regulations such as the GDPR, security is a requirement, not an option. To address some of these challenges, GDPR stipulates the following to help ease the administrative overhead of the security controls and increase the quality of protection:

Data Security by Design and by Default

The GDPR mandates making data protection a core part of the system. Considering security during the initial design phase of a technology life cycle increases the security worthiness of the system and ensures that technical security controls will perform as expected (Article 25).

Centralization

The GDPR recommends centralized administration when dealing with the security of multiple applications and systems, as it helps take immediate action in case of a breach. Centralized controls also enforce uniformity across multiple targets, reduce the chances of errors on individual targets, and leverage best practices across the enterprise (Recital 36).

Retention and the Right to be Forgotten

As has already been noted, controllers must inform subjects at collection of the period of time for which data will be retained (or the reasons why).
Should the data subject subsequently wish to have their data removed and the data is no longer required for the reasons for which it was collected then it must be erased.
Note that there is a “downstream” responsibility for controllers to take “reasonable steps” to notify processors and other downstream data recipients of such requests.

Comprehensive Security

Threats and attacks can come from multiple sources, and organizations must be prepared on all fronts. The GDPR mandates protection of Personal Data in all stages of the data lifecycle, such as data at rest and in transit (Article 32).

Appendix A:  GDPR Resources

Resources used to create this European Union General Data Protection Regulation White Paper follow.
GDPR Legislation
GDPR Analysis

Prior Rules and Regulations: Safe Harbor 2.0

Appendix C:  Top Ten EU GDPR Action Points


Extra-Territorial Scope: Consider the extent to which the GDPR applies to you. If you are a controller or a processor, and have an establishment in the EU, or are not established in the EU but offer goods or services to or monitor the behavior of EU-based individuals, you will need to comply with the GDPR and may need to appoint a representative.

One Stop Shop: If you are a controller or processor, consider where your main establishment is and who will be your lead supervisory authority. If you are a controller, also consider whether processing decisions are taken in another EU establishment, which has the power to implement those decisions. If so, that decision-making establishment may be considered the main establishment.

Data Processors: If you are a controller, review and revise your data processing contracts to ensure they address the more prescriptive obligations of data processors. If you are a processor, consider whether the processing contract clearly sets out the scope of your liability. You will be liable for any harm caused by a breach of the GDPR, to the extent that you have not complied with your contractual and statutory obligations.

Accountability: Keep a record of your data processing activities as you will need to provide it to your supervisory authority, on request, to demonstrate how you comply with the GDPR. Consider whether you are carrying out ‘high risk’ processing. If so, you will need to conduct a Privacy Impact Assessment. Consider your data privacy obligations when designing and developing new products and services.

Privacy Notices: Review and revise your privacy notices to meet the increased information rights of individuals. Consider the specific statutory ground(s) you rely on to legitimize your processing, and your data retention periods. You will need to supply this information to data subjects in your privacy notices, and to supervisory authorities on request.

Consent: Review how you are seeking, obtaining and recording consent and consider whether more explicit consent is needed to meet the requirements of the GDPR. Consider whether you can rely on an alternative basis to legitimize your processing.

Individuals’ Rights: Review and revise your procedures to meet the new and enhanced rights of data subjects, and ensure your staff understand how to respond to access requests.

Breach Notification: Review and revise your data breach management policy to ensure all breaches are reported to your supervisory authority. Review and revise your security measures to ensure they are robust enough to meet the requirements of the GDPR.

International Data Transfers: Review your international data transfers and ensure appropriate transfer mechanisms are in place.

Sanctions: Consider your data processing activities and your existing compliance with data protection law. Consider what changes need to be made to comply with the new statutory obligations under the GDPR, to avoid the risk of a fine (of up to €20m or 4% of your annual worldwide turnover), or a claim for (pecuniary or non-pecuniary) damages from data subjects if the GDPR is infringed.

Appendix D:  EU GDPR Summary

Rights of Individuals
There has been a desire to strengthen data subject rights within the GDPR. To this end, there are a number of new (e.g. the Right to Erasure, or Right to be Forgotten) or enhanced (e.g. the Right to Information) data subject rights that will be included in the GDPR.
Information to be Provided on Collection 
Businesses need to make sure individuals understand who the controller is that is collecting their personal data and the purposes for which they are processing it. Organizations’ privacy policies will need to be updated in line with the requirements of the GDPR.
The new principle of accountability in the GDPR means there will be much more of an onus on controller businesses to demonstrate compliance with the data protection principles within the GDPR. 
Right to Erasure (Right to be Forgotten)
A Right to Erasure (Right to be Forgotten) has now been set out clearly in the GDPR that will allow individuals a qualified right to request that their data be erased, provided certain grounds apply (for example, the data is no longer necessary in relation to the purposes for which it was collected). Where relevant, businesses will have an obligation to erase the relevant personal data they hold concerning that individual without undue delay.
Data Protection Officer
In certain circumstances, businesses are required to appoint a DPO to enable them to comply with their accountability obligations under the GDPR. This is a designated role with tasks set out in the GDPR, including responsibility for monitoring compliance with the GDPR.
Obligations on Data Processors
Under the Data Protection Act 1998 the statutory obligations are on data controllers only. However under the GDPR, data processors will also have obligations, for example, the processor will have a responsibility for implementing appropriate technical and organizational measures for the security of personal data during its processing activities.
Data Protection Impact Assessment  
Businesses will need to carry out a data protection impact assessment where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals.
Personal Data Breach Notification
The GDPR requires controllers to report a personal data breach to their data protection supervisory authority (the ICO in the UK) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.
Where the personal data breach is likely to result in a high risk to individuals’ rights and freedoms, the controller will also need to communicate the breach to the individual without undue delay.
What is the Impact if Businesses Get it Wrong?
The data protection supervisory authority may, by administrative decision, impose a fine of up to €20 million or up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, for specified infringements. Individuals will also have the right to bring a claim for damage suffered as a result of an infringement of the GDPR. With the new rules entering into force on the 24th May 2018, businesses have two years to prepare for the changes.
The cost of non-compliance could be devastating and even fatal to many companies, as you can be fined up to 4% of global annual revenue or €20 million, whichever is higher. The amount of the fine will be influenced by the nature, gravity and duration of the infringement.
For example, non-compliance for even a medium-sized bank like Charles Schwab Bank ($5.5 billion revenue) that provides online banking services to customers in Europe could potentially cost them up to $220 million, while non-compliance by a retail firm like Abercrombie & Fitch ($3.5 billion revenue) that provides upscale clothing for young consumers could potentially cost them up to $140 million. 

Appendix C:  Privacy by Design

The seven Privacy by Design (PbD) principles can help guide data security decisions and underpin GDPR compliance. The GDPR does not cover every possible security scenario, and that’s where PbD can be useful.
1. Proactive not Reactive and Preventative not Remedial
The idea behind this first principle is that you should think about data privacy at the beginning of the data security planning process — not after a data breach. Consider this principle as a kind of an overall guideline for the rest of PbD.  Always be thinking privacy (ABTP).
2. Privacy as the Default Setting
Under GDPR, you’re supposed to give consumers the maximum privacy protection as a baseline: for example, explicit opt-in, safeguards to protect consumer data, restricted sharing, minimized data collection, and retention policies in place. PbD lowers the data security risk profile: the less data you have, the less damaging a breach will be.
3. Privacy Embedded into Design
Talk to a typical software developer, and he’s most worried about completing core functionality for the product. Data security techniques such as encryption and authentication are usually put on the backburner in the rush to get features online. And testing for the most common hackable vulnerabilities in software — typically injection attacks — is also often neglected.  These principles tell designers that they should think about privacy as a core feature of the product.
4. Full Functionality – Positive-Sum, Not Zero-Sum
The idea here is that PbD will not compromise business goals. Basically, you CAN have privacy, revenue, and growth. You’re not sacrificing one for the other. Think of this one as helping to establish a PbD culture in your organization.
5. End-to-End Security — Full Lifecycle Protection
Privacy protections follow the data, wherever it goes. The same PbD principles apply when the data is first created, shared with others, and then finally archived. Appropriate encryption and authentication should protect the data till the very end when it finally gets deleted.
6. Visibility and Transparency — Keep it Open
This is the principle that helps build trust with consumers. Information about your privacy practices should be out in the open and written in non-legalese. There should be a clear redress mechanism for consumers, and lines of responsibility in the organization need to be established.
7. Respect for User Privacy – Keep it User-Centric
This final principle just makes it very clear that consumers own the data. The data held by the organization must be accurate, and the consumer must be given the power to make corrections. The consumer is also the only one who can grant and revoke consent on the use of the data. 

Appendix D: EUR-Lex — Access to European Union Law 

Below are links to European Union law and publications.


Appendix E: Data Protection Officer Training Resources

There are a number of DPO training classes leading to certification. One that looks comprehensive and leads to certification is offered by the International Association of Privacy Professionals (IAPP).

How to Become DPO READY

The General Data Protection Regulation requires that many organisations appoint a DPO. Training and certification, such as that in the figure below, are available.
DPO Ready 4-Day Bundle Plus (£2,995 | €3,545 | $3,695) includes:
CIPP/E In-Person Training
CIPM In-Person Training
CIPP/E Online Training
CIPM Online Training
CIPP/E Certification Exam
CIPM Certification Exam
Complimentary IAPP Membership

One representative training course may be found at: https://iapp.org/train/data-protection-training/

GDPR Training and Certification 

IT Governance UK
Learn from the experts how to meet the requirements of the EU General Data Protection Regulation (GDPR). Gain practical understanding of the tools and methods for implementing and managing an effective compliance framework, and how to fulfil the role of data protection officer (DPO).

MultiMinds

If you want to learn more or are convinced you need help to prepare for the GDPR, just give us a call and we’ll be happy to come over or set up a meeting. And instead of a threat for your business, we can pivot this to an opportunity that will prove advantageous in the long run.

MediaPro

Our GDPR Readiness Toolkit includes valuable resources that will kick start your journey toward GDPR compliance, focusing in-part on how the GDPR will impact privacy awareness. Download this toolkit for access to:
· White Paper: Expert Insights: Preparing for the GDPR
· On-Demand Webinar: GDPR: The Shifting Tides of Global Privacy, featuring privacy professionals from Mylan, Chevron, and MediaPro
· The GDPR Cheat Sheet, a concise summary of how the GDPR will impact privacy professionals and privacy awareness training needs
MediaPro has 20+ years of experience creating engaging employee training content for the most risk-conscious organizations in the world. We’re proud to have the most up-to-date awareness content in the industry, backed by proven adult learning principles and our award-winning Adaptive Awareness Framework.

Summary of the GDPR Services We Must Provide

Among the GDPR-compliant service features we must provide are the following:
· Checkbox consent mechanisms for explicit consent
· Progressive permissions
· Easy data record access mechanisms
· Data correction and integrity mechanisms
· Data portability
· Data erasure and deletion
· Scoped access for users and integrations
· Data pseudonymization
· Age gating
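As an added illustration of how several of these features (and the "privacy as the default setting" principle from Appendix C) fit together in code, here is a small data-subject record store. It is an example written for this page, not code from the white paper or from any vendor it names. The HMAC key, the record layout, the sample subjects and the choice of a keyed HMAC for pseudonyms are all assumptions; the 16-year default for age gating is the GDPR Article 8 figure, which member states may lower to 13.

```python
"""Constructed example (added here; not code from the white paper or any vendor
it names) of a small data-subject record store.  It shows explicit opt-in
consent that defaults to 'not granted', keyed pseudonymization, subject access
and portability export, erasure, and age gating.  The HMAC key, record layout
and sample subjects are assumptions."""
import hashlib
import hmac
import json
from datetime import date
from typing import Dict, List, Optional


class SubjectStore:
    def __init__(self, pseudonym_key: bytes):
        # The key is kept apart from the pseudonymous data set (assumption), so a
        # copy of the events table alone cannot be linked back to a person.
        self._key = pseudonym_key
        self._identities: Dict[str, dict] = {}          # pseudonym -> identifying data
        self._consents: Dict[str, Dict[str, bool]] = {}  # pseudonym -> purpose -> granted
        self._events: List[dict] = []                    # pseudonymous usage records

    def pseudonym(self, email: str) -> str:
        # Keyed HMAC rather than a bare hash: without the key nobody can hash a
        # list of likely e-mail addresses and match them against stored values.
        normalised = email.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalised, hashlib.sha256).hexdigest()[:32]

    def register(self, name: str, email: str, dob: str, consents: Dict[str, bool]) -> str:
        """Create a subject.  Only purposes explicitly ticked True are granted;
        any purpose not mentioned defaults to False (privacy as the default)."""
        p = self.pseudonym(email)
        self._identities[p] = {"name": name, "email": email, "dob": dob}
        self._consents[p] = {purpose: bool(v) for purpose, v in consents.items()}
        return p

    def has_consent(self, p: str, purpose: str) -> bool:
        return self._consents.get(p, {}).get(purpose, False)

    def withdraw_consent(self, p: str, purpose: str) -> None:
        # The subject can revoke consent at any time.
        if p in self._consents:
            self._consents[p][purpose] = False

    def record_event(self, p: str, kind: str) -> None:
        # Scoped use: events are stored under the pseudonym only, and only with consent.
        if not self.has_consent(p, "analytics"):
            raise PermissionError("subject has not consented to analytics")
        self._events.append({"subject": p, "kind": kind})

    def export(self, p: str) -> Optional[str]:
        """Subject access / portability: everything held about the subject, as JSON."""
        if p not in self._identities:
            return None
        return json.dumps({
            "identity": self._identities[p],
            "consents": self._consents[p],
            "events": [e["kind"] for e in self._events if e["subject"] == p],
        }, sort_keys=True)

    def erase(self, p: str) -> int:
        """Right to erasure: remove identity, consents and the subject's events.
        Returns the number of event records removed."""
        self._identities.pop(p, None)
        self._consents.pop(p, None)
        before = len(self._events)
        self._events = [e for e in self._events if e["subject"] != p]
        return before - len(self._events)

    def is_of_age(self, p: str, minimum_age: int = 16, today: Optional[str] = None) -> bool:
        """Age gating.  16 is the GDPR default (Article 8); member states may set
        a lower age down to 13, so the threshold is a parameter.  'today' is an
        ISO date string so the check is reproducible."""
        ref = date.fromisoformat(today) if today else date.today()
        dob = date.fromisoformat(self._identities[p]["dob"])
        age = ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))
        return age >= minimum_age


if __name__ == "__main__":
    # Constructed sample data; the key would live in a KMS/HSM in a real deployment.
    store = SubjectStore(pseudonym_key=b"demo-pseudonym-key")
    alice = store.register("Alice", "Alice@Example.org", "2000-01-01", {"analytics": True})
    store.record_event(alice, "login")
    print(store.export(alice))
    print("erased events:", store.erase(alice))
```

The events table never holds a name or e-mail address, so an analytics export is pseudonymous on its own; erasure removes the identity mapping and the subject's events together, which is what makes the right to erasure effective across the whole store rather than only in the customer table.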

Summary of the GDPR Requirements

The GDPR significantly adds to the protections for EU data subjects afforded by the existing EU Data Protection Directive that it will replace, while authorizing record fines for non-compliance of up to 20,000,000 EUR or 4 percent of annual global revenue of the preceding financial year, whichever is higher, for certain violations, and up to half those amounts for other violations.
Under Article 32, both controllers and processors are required to “implement appropriate technical and organizational measures” considering “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”
The GDPR makes personal data controllers liable for the actions of their processors and responsible for compliance with the regulation’s personal data processing principles. Consequently, just as data controllers will be looking to make changes to become compliant before the regulation’s effective date, so too will they need their data processors to demonstrate compliance.

We must encrypt personal data in transit using Transport Layer Security (TLS), with certificates whose keys are at least 2048 bits, together with other measures to protect data in transit, and we must encrypt personal data at rest.

We must keep each client application instance and its associated subject data isolated in its own logically discrete production environment; apply unique session tokens, configurable session timeout values and password policies to prevent unauthorized access; encrypt data at rest in development, production and backup environments with full disk encryption; and store passwords only after one-way hashing them.
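Two of the controls listed above, one-way hashed password storage and unique session tokens with a configurable timeout and password policy, are shown below as an added example written for this page; it is not the white paper's own code nor any vendor's. The PBKDF2 iteration count, the timeout, the policy thresholds, the constructed denylist and the sample users are assumptions chosen for illustration.

```python
"""Constructed example (added here; not the white paper's or any vendor's code)
of passwords stored only as a salted one-way hash, a configurable password
policy, and unique session tokens with a configurable idle timeout.
Iteration count, timeout, policy values and sample users are assumptions."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000      # assumption; raise as hardware allows
MIN_PASSWORD_LENGTH = 12         # assumption: the policy value is configurable
# Constructed denylist for illustration; a real deployment would use a breached-password list.
COMMON_PASSWORDS = {"password1234", "123456789012", "qwertyuiop12"}


def password_meets_policy(password: str) -> bool:
    """Configurable password policy: minimum length and not a known-common value."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$digest'.
    A fresh random salt per user means equal passwords hash differently."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class SessionStore:
    """Unique, unguessable session tokens that expire after a configurable idle timeout."""

    def __init__(self, timeout_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic):
        self.timeout = timeout_seconds
        self._clock = clock                 # injectable so expiry can be tested
        self._sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user, expires_at)

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = (user, self._clock() + self.timeout)
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Return the user bound to a live token, or None; expired tokens are dropped."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() > expires_at:
            del self._sessions[token]
            return None
        # Sliding timeout: activity extends the session by the configured period.
        self._sessions[token] = (user, self._clock() + self.timeout)
        return user

    def revoke(self, token: str) -> None:
        # Logout or administrative revocation: the token stops working immediately.
        self._sessions.pop(token, None)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print(record[:40] + "...", verify_password("correct horse battery staple", record))
    sessions = SessionStore(timeout_seconds=60)
    token = sessions.create("alice")
    print(sessions.user_for(token))
```

Because the stored record carries its own algorithm, iteration count and salt, the iteration count can be raised later for new passwords while old records still verify; the injectable clock lets the timeout behaviour be tested without sleeping.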

We must have the ability to ensure the ongoing confidentiality, integrity, availability and resilience of our processing systems and services (through a variety of safeguards, including data hosting replicated to several servers, data backup on hot servers and the capability to receive real-time notification of data subject record changes).

We must have the ability to restore the availability of and access to the personal data in a timely manner in the event of a physical or technical incident.

We must have a tested Business Continuity and Disaster Recovery Plan.

We must have a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing (accomplished through our internal and external audits).

This is a link to a webpage example of a company providing a corporate statement of their intention to comply with the GDPR.