Now that the regulation has gone into effect on May 25, 2018, companies are beginning to pay attention. To help them understand the General Data Protection Regulation (GDPR), here is my white paper on the subject. The basic rules, principles, and impacts of the regulation are presented below.
European Union General Data Protection Regulation (GDPR) White Paper
European Union General Data Protection Regulations
On December 15, 2015, the European Union (EU) agreed to a draft of the General Data Protection Regulation (GDPR), with potential fines of up to four percent of global revenues or 20 million EUR (whichever is higher) if an enterprise breaks those rules.
These rules, which are expected to go
into effect in May 2018, apply to any companies that have or manage the data of
customers in the EU regardless of whether the company itself is based outside
the EU (with implications for cloud-based models).
So under these new rules, if a US company collects data from EU citizens, it is under the same legal obligations as though it were headquartered in, say, France, the UK, or Germany, even though it has no servers or offices there.
Any American company that does business
in the EU needs to be in full compliance with GDPR by May 25th, 2018.
Even if your company has no presence in the EU, so long as you market to EU
residents, even if it is through the web, you need to comply with the GDPR.
The foundational accountability
requirement means that you must know all personal data you store and use. This
is a major challenge as many organizations habitually store data redundantly.
Sustained compliance means that our
product and service development and production processes may need to be updated
to consider personal data storing and usage implications from architecture and
design to deployment. These new requirements mean that we are now responsible
to actually demonstrate how all personal data is effectively secured.
Rules for disclosure of breach and data
protection officers will require implementation or update of operational
processes, job descriptions, PR processes, etc.
This single Europe-wide regulation removes the complexities that businesses currently face complying with multiple local regulations across the EU. Currently, each of the 28 EU states interprets the existing rules in their own way, making compliance across the region complex and expensive.
The GDPR unifies EU data protection
legislation, simplifying processes and legal obligations for any country
dealing with more than one EU state. However, the scope of GDPR substantially
increases the obligations on firms dealing with EU citizens' personal data.
Organizations outside the EU are subject
to the jurisdiction of the EU regulators just by collecting data concerning an
EU citizen. Such organizations will only have to deal with one single
supervisory authority. Among other requirements, the GDPR includes a directive
on data transfers for policing and judicial purposes.
The GDPR will apply to the U.K. and is
likely to apply after the U.K. leaves the EU. The U.K. will still be a
Member State of the EU on 25 May 2018. The GDPR comes into effect for all
Member States, and so will come into force in the U.K. The U.K. will retain the
GDPR following Brexit.
Wide powers of enforcement are given to
the EU Data Protection Regulators (DPRs). The DPRs will have the power to
impose penalties in the form of fines against any business failing to comply
with the new regulations. These penalties are significantly stronger than those
provided under the current Data Protection Act (DPA).
The GDPR describes three levels of
non-compliance, and each level has a band of fines associated with it. For the
most serious instances of non-compliance, an organisation can expect a fine of
up to 4% of annual global turnover or €20 million, whichever is greater.
GDPR is a set of articles, 99 in total,
written by the European Union, which will harmonize the European data privacy
laws and data protection laws across Europe. Again, the compliance date is May
25th, 2018.
For the latest changes and updates to the
GDPR, see: http://www.eugdpr.org/key-changes.html
US Versus EU Concepts of Privacy
In the US we think in terms of users,
consumers and subscribers. In the EU, individuals and persons are at the center
of any notion of privacy. Individuals are guaranteed protection of personal
data through the Charter of Fundamental Rights, adopted in 2000, but only
acquiring the full force of law in 2009 through the Treaty of Lisbon. Article
8, for example, states:
Protection of personal data:
1. Everyone has the right to the
protection of personal data concerning him or her.
2. Such data must be processed fairly for
specified purposes and on the basis of the consent of the person concerned or
some other legitimate basis laid down by law. Everyone has the right of access
to data which has been collected concerning him or her, and the right to have
it rectified.
3. Compliance with these rules shall be
subject to control by an independent authority.
This strong, explicit data protection
basis in EU law does not have clear equivalency in the United States, and that
gap has been at the center of the data protection and privacy related friction
between these two economic blocs for years.
Overview of the GDPR Rules
· Implement technical and organizational measures to ensure appropriate data security through means including, among others, “pseudonymisation and encryption of personal data”
· Have in place a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of data processing
· Communicate “without undue delay” personal data breaches to the subjects of such breaches when the breach is likely to result in a high risk to the rights and freedoms of these individuals
GDPR and the Cloud
GDPR compliance will not be possible if
organizations do not control and secure data in cloud apps. Closely managing a
business’ interactions with the cloud is a good starting point. To achieve
this, we must:
· Discover and monitor every cloud application in use by our employees.
· Know which personal data sets are being processed by employees in the cloud – for instance, customer information such as name, credit card details, address, or other forms of personally identifiable information (PII).
· Secure data by implementing policies to ensure that employees are not using unmanaged cloud services to store and process PII. Policies should be sufficiently granular in order to prevent unwanted behavior while simultaneously ensuring compliant use of the cloud can continue.
· Coach users in best practice so they adopt the services sanctioned by IT.
· Evaluate various cloud access security brokers to determine the enterprise-readiness of all cloud apps and cloud services so the business can guarantee that all data is protected both at rest and in transit.
Personal Data Definition
Personal data is defined in the GDPR as
any information relating to a person who can be identified, directly or
indirectly, by reference to an identifier such as a name, an identification
number, location data, and online identifier or to one or more factors specific
to the physical, physiological, genetic, mental, economic, cultural or social
identity of that person.
So in many cases online identifiers including
IP address, cookies and other data artefacts will now be regarded as personal
data if they can be (or are capable of being) without undue effort linked back
to the data subject.
There is no distinction between personal
data about individuals in their private, public or work roles — the person is
the person.
The accompanying directive on data transfers for policing and judicial purposes applies to data transfers across borders within the EU as well as setting minimum standards for data processing for policing purposes within each member state. (Due to the UK’s and Ireland’s special status regarding justice and home affairs legislation, the directive’s provisions only apply in these countries to a limited extent.)
The regulation will apply to any organisation, regardless of location, that acts as a controller or processor of personally identifiable information of EU residents. The term controller refers to any individual or organisation that determines how and for what business reason the personal data will be used.
Processing of data includes such tasks as
collection, storage, recording, editing, or any use for operational purposes.
The definition of personal data has been broadened to include additional
characteristics that may be used to identify a living individual. Those
characteristics include such data constructs as genetic, mental, economic,
cultural or social identity.
GDPR Regulation Objectives
There are five primary objectives in the
GDPR regulations. They are listed below along with their descriptions.
Objective | Description
Establish data privacy as a fundamental right | The GDPR considers data protection as a fundamental human right of an individual, which includes a “right to the protection” of their personal data. Anyone based in the EU, or anyone handling or targeting the personal data of an EU-based individual, must have processes, technology, and automation to effectively protect personal data.
Clarify the responsibilities for EU data protection | The GDPR applies to a controller or a processor who is based or established in the EU, or to a company not based in the EU but who offers goods or services from outside the EU borders to a data subject in the EU or who monitors the behavior of data subjects in the EU.
Define a baseline for data protection | To avoid fragmentation and ambiguity, GDPR has set a baseline for data protection by requiring anyone processing the personal data of an individual that is in the European Union to follow the requirements laid down in the GDPR.
Elaborate on the data protection principles | The GDPR considers encryption as only one of the components of a broad security strategy, and mandates that organizations need to consider assessment, preventive, and detective controls based upon the sensitivity of the personal data they have.
Increase enforcement powers | The EU aims to ensure compliance with the GDPR by enforcing huge fines of up to 4% of the global annual revenue upon non-compliance.
Defined GDPR Roles
There are seven primary roles in the GDPR
regulations. They are listed below along with their descriptions.
Role | Description
Data Subject | A person who can be identified directly or indirectly by means of an identifier. For example, an identifier can be a national identifier, a credit card number, a username, or a web cookie.
Personal Data | Any personal information, including sensitive personal information, relating to a Data Subject. For example, address, date of birth, name, location and nationality.
Controller | A natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. For example, a controller can be an organization or Chief Information Officer (CIO).
Data Protection Officer | An individual working for a Controller or a Processor with extensive knowledge of the data privacy laws and standards. The Data Protection Officer (DPO) shall advise the controller or the processor of their obligations according to the GDPR and shall monitor its implementation. The DPO acts as a liaison between the controller/processor and the supervisory authority. A DPO for example can be a Chief Security Officer (CSO) or a Security Administrator. A single DPO may represent a group of undertakings or multiple public authorities or bodies. The GDPR requires a DPO to be “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices” and the ability to fulfill the tasks designated under Article 39. These tasks involve regulatory compliance, training staff on proper data handling, and coordinating with the supervisory authority, with an ability to understand and balance data processing risks.
Processor | A natural or legal person, agency or any other body which processes Personal Data on behalf of the Controller. For example, a developer, a tester, or an analyst. A Processor can also be a cloud service provider or an outsourcing company.
Recipient | A natural or legal person, agency or any other body to whom the personal data is disclosed. For example, an individual, a tax consultant, an insurance agent, or an agency.
Enterprise | Any natural or legal person engaged in an economic activity. This essentially includes all organizations whether in the public or private sector, whether in the EU or outside of the EU.
Third Party | Any natural or legal person, agency or any other body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorized to process the data. For example, partners or subcontractors.
Supervisory Authority | An independent public authority established by a Member State (known as the National Data Protection Authority under the current EU Data Protection Directive), or auditing agency.
Primary GDPR Requirements
· Companies will have to appoint a Data Protection Officer (DPO) who is responsible for advising on and monitoring GDPR compliance, and is a point of contact for the authorities.
· There are new regulations and requirements for collecting and recording personal data and processing activities.
· Data authorities and consumers must be notified within 72 hours after the discovery of the breach.
· A tiered penalty framework with fines of up to 4% of global annual turnover (or €20,000,000, whichever is higher) for more serious violations, and up to 2% (or €10,000,000) for other violations, such as failing to notify a data authority about a breach.
· Local data authorities will have additional resources to investigate and audit data controllers, and processors and their sub-contractors.
· A new European Data Protection Board will act as a super data authority to handle disputes between authorities.
Certification Requirements for the DPO
According to the European Data Protection
Supervisor’s paper
on Professional Standards for Data Protection Officers, the most relevant
certification for a DPO is the one provided by the International Association of Privacy
Professionals.
Eric Lachaud, in his article Should the DPO
Be Certified?, for Oxford University’s International Data Privacy Law
journal, reaches the conclusion that the most appropriate certification for the
DPO is a combination of the IAPP’s Certified Information Privacy Professional
credential for EU professionals (CIPP/E) and Certified Information Privacy
Manager (CIPM). The IAPP also offers the Certified Information Privacy Technologist
(CIPT) credential, as well as a version of the CIPP for the United States, and
one for Canada and the U.S. federal government.
The CIPP/E, CIPP/US, CIPM, and CIPT
credentials are certified under ISO standard 17024:2012.
Primary GDPR Sanctions
We are working now to comply with the
May, 2018 deadline for the following provisions of the GDPR:
· “Clear and affirmative consent” to the processing of private data by the person concerned
· Right to transfer your data to another service provider
· Right to know when your data has been hacked
· Ensuring that privacy policies are explained in clear and understandable language
· Stronger enforcement and fines up to 4% of firms’ total worldwide annual turnover, as a deterrent to breaking the rules.
The data protection package also includes
a directive on data transfers for policing and judicial purposes. It will apply
to data transfers across borders within the EU as well as, for the first time,
setting minimum standards for data processing for policing purposes within each
member state.
The regulation applies if the data
controller or processor (organization) or the data subject (person) is based in
the EU. The regulation also applies to organizations based outside the EU if
they process personal data of EU residents. The regulation does not apply to
the processing of personal data for national security activities or law
enforcement.
Data Portability
The GDPR requires that a person be able
to transfer their personal data from one electronic processing system to and
into another, without being prevented from doing so by the data controller.
Aimed at helping drive competition between service providers, this part of the regulation seeks to drive automated transfers of data (using a common format yet to be defined) between services which primarily process customers automatically. So, for example, these could include utilities, banks, telecoms and ISPs. The data must be provided by the controller in a structured and commonly used electronic format. The right to data portability is provided by Article 18.
Information Provided at Data Collection
The information that must be made available to a Data
Subject when data is collected includes:
· Identity and the contact details of the controller and DPO
· Purposes of the processing for which the personal data are intended
· Legal basis of the processing
· Where applicable, the legitimate interests pursued by the controller or by a third party
· Where applicable, the recipients or categories of recipients of the personal data
· Where applicable, that the controller intends to transfer personal data internationally
· The period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period
· Existence of the right to access, rectify or erase the personal data
· Right to data portability
· Right to withdraw consent at any time
· Right to lodge a complaint to a supervisory authority
Where the data has not been obtained
directly from the data subject, perhaps using a 3rd party list, the list varies
and includes:
· From what source the personal data originate.
· The existence of any profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
There are some exceptions, such as where the effort would be disproportionate (although this is unlikely to be a good justification in day-to-day circumstances) and where the information has already been provided to the data subject.
Profiling
The regulation defines profiling as any automated processing of personal data to determine certain criteria about a person, “in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
Individuals have the right not to be
subject to the results of automated decision making, including profiling, which
produces legal effects on him or her or otherwise significantly affects them.
So, individuals can opt out of profiling.
Automated decision making will be legal where:
· Individuals have explicitly consented to it
· Profiling is necessary under a contract between an organization and an individual
· Profiling is authorized by EU or Member State law.
Legitimate Interests and Direct Marketing
The regulation specifically recognizes
that the processing of data for “direct marketing purposes” can be considered
as a legitimate interest. Legitimate interest is one of the grounds, like
consent, that an organization can use in order to process data and satisfy the
principle that data has been fairly and lawfully processed.
The act says that processing is lawful if
“processing is necessary for the purposes of the legitimate interests pursued
by the controller or by a third party, except where such interests are
overridden by the interests or fundamental rights and freedoms of the data
subject which require protection of personal data, in particular where the data
subject is a child.”
EU Definition of GDPR Personal Data
According to the European Commission
"personal data is any information relating to an individual, whether it
relates to his or her private, professional or public life. It can be anything
from a name, a photo, an email address, bank details, and posts on social
networking websites, medical information, or a computer’s IP
address."
Obtaining Consent
Companies must obtain valid, explicit consent for the data collected and the purposes for which it is used (Article 7, with consent defined in Article 4). Consent for gathering data on children (defined as 12 and below) must be given by the child’s parent or custodian, and must be verifiable (Article 8). Data controllers must be able to prove consent (opt-in), and consent may be withdrawn.
According to the Regulation consent means
“any freely given, specific, informed and unambiguous indication of his or her
wishes by which the data subject, either by a statement or by a clear
affirmative action, signifies agreement to personal data relating to them being
processed.”
Although the consent itself need not be
explicit, the purpose for which the consent is gained does need to be
“collected for specified, explicit and legitimate purposes.” It needs to be
obvious to the data subject what their data is going to be used for at the
point of data collection.
Consent should be demonstrable in that
organizations need to be able to show clearly how consent was gained and when.
Consent must be freely given — a controller cannot insist on data that’s not
required for the performance of a contract as a pre-requisite for that
contract. Withdrawing consent should always be possible — and should be as easy
as giving it.
GDPR Reporting a Data Breach
The reporting of a data breach is not subject to any de minimis standard, and such breaches must be reported to the Supervisory Authority when the controller becomes aware of the data breach (Article 31). Individuals have to be notified if adverse impact is determined (Article 32).
GDPR Exceptions
GDPR does provide exceptions based on
whether the appropriate security controls are deployed within the
organizations. For example a breached organization that has rendered the
data unintelligible through encryption to any person who is not authorized to
access the data, is not mandated to notify the affected record owners.
The chances of being fined are also
reduced if the organization is able to demonstrate a “Secure Breach” has taken place.
To address the GDPR compliance
requirements, organizations need to employ one or more different encryption methods within both their
on-premises and cloud infrastructure environments, including the following:
· Servers, including via file, application, database, and full disk virtual machine encryption
· Storage, including through network-attached storage and storage area network encryption
· Media, through disk encryption
· Networks, for example through high-speed network encryption
Strong key management is required to
protect the encrypted data and to ensure the deletion of files and comply with
a user’s right to be forgotten. Controllers must inform subjects of the
period of time (or reasons why) data will be retained on collection.
If the data subject subsequently wishes
to have their data removed and the data is no longer required for the reasons
for which it was collected then it must be erased.
Note that there is a downstream responsibility
for controllers to take reasonable steps to notify processors and other
downstream data recipients of such requests.
Organizations will also need a way to
verify the legitimacy of user identities and
transactions, and to prove compliance. Security controls must be in place and
be demonstrable and auditable.
Key GDPR Data Security Requirements
The key GDPR data
security requirements can be broadly classified into three categories:
· Assessment
· Prevention
· Monitoring/Detection
The GDPR also requires compliance with the data protection principles to enhance the quality and rigor of protection of the data. This section summarizes the key data security requirements discussed in the GDPR.
Assess Security Risks
The GDPR mandates that Controllers
perform Data Protection Impact Assessments when certain types of processing of
Personal Data are likely to present a “high risk” to the data subject. The
assessment must include a systematic and extensive evaluation of organization’s
processes, profiles, and how these tools safeguard the Personal Data (Article
35).
Prevent Attacks
At various places in the regulation, the
GDPR reiterates the importance of preventing security breaches. The GDPR
recommends several techniques to prevent an attack from succeeding (Article
32).
Encryption
The GDPR provides that in the event of a data breach, the Controller need not notify data subjects if the data is encrypted and rendered unintelligible to any person accessing it, thereby removing notification costs for the organization (Article 34).
Encrypting Both Structured and Unstructured Data
GDPR requires organizations to safeguard
personal data, which may include anything from data about political viewpoints
to health history, and says that "this applies to all systems used to
process the data, including cloud apps."
The difficulty in complying with this regulation is that much, if not most, of the personal data for which the organization is legally responsible is not found in structured formats like databases, but in things like email messages and random documents created using Office 365 and Box, and in cloud apps not sanctioned by IT.
Another complication is the proliferation
of Bring Your Own Device (BYOD) across our organization that makes it difficult
to know how to comply with GDPR if we don't know what data we have on these
devices and where it resides.
Anonymization and Pseudonymization
Data anonymization is the technique of
completely scrambling or obfuscating the data, and pseudonymization refers to
reducing the linkability of a data set with the original identity of a data
subject. The GDPR states that anonymization and pseudonymization techniques can
reduce the risk of accidental or intentional data disclosure by making the
information un-identifiable to an individual or entity (Recital 28).
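The distinction above is easier to see in code. The following is an added example, not part of the original white paper: it pseudonymises a small constructed customer list with a keyed HMAC (so only the holder of the key can re-link a token to a person), anonymises the same list by dropping the identifier and generalising the quasi-identifiers, and then measures k-anonymity to show that generalisation alone can still leave a row unique. The records, the key and the field names are all invented for the illustration.

```python
import hashlib
import hmac

# Constructed sample records; the people and addresses are invented.
RECORDS = [
    {"email": "anna@example.org", "postcode": "SW1A 1AA", "birth_year": 1984, "purchases": 3},
    {"email": "ben@example.org", "postcode": "SW1A 2BB", "birth_year": 1991, "purchases": 7},
    {"email": "Anna@example.org", "postcode": "SW1A 1AA", "birth_year": 1984, "purchases": 1},
]


def _token(key: bytes, identifier: str) -> str:
    # Keyed HMAC rather than a bare hash: without the key, a token cannot be
    # recomputed from a guessed identifier, so the token alone does not
    # identify anyone. The key is stored apart from the pseudonymised data.
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed token. The same subject
    always gets the same token, so rows stay linkable to each other and, for
    the key holder, to the subject: the output is still personal data."""
    return [
        {"subject_token": _token(key, r["email"]), **{k: v for k, v in r.items() if k != "email"}}
        for r in records
    ]


def relink(pseudonymised, key, email):
    """Only a holder of the key can find a subject's rows again."""
    token = _token(key, email)
    return [r for r in pseudonymised if r["subject_token"] == token]


def anonymise(records):
    """Drop the identifier and generalise the quasi-identifiers (outward
    postcode, birth decade). Nothing in the output links back to a subject."""
    return [
        {
            "postcode_area": r["postcode"].split()[0],
            "birth_decade": (r["birth_year"] // 10) * 10,
            "purchases": r["purchases"],
        }
        for r in records
    ]


def k_anonymity(records, quasi_identifiers):
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means some row is unique on those attributes and could be singled
    out by joining against another data set, so generalisation alone may not
    make a release anonymous."""
    groups = {}
    for r in records:
        key = tuple(r[q] for q in quasi_identifiers)
        groups[key] = groups.get(key, 0) + 1
    return min(groups.values()) if groups else 0
```

In the constructed data the two rows for the same person share a token after pseudonymisation, and the anonymised release has k = 1 on (postcode area, birth decade) because only one person was born in the 1990s; a practitioner would generalise further or suppress that row before treating the set as anonymous.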
Privileged User Access Control
The GDPR implies controlling privileged
users who have access to the Personal Data to prevent attacks from insiders and
compromised user accounts (Article 29).
Fine-grained Access Control
In addition to privileged user control,
the GDPR recommends adopting a fine-grained access control methodology to
ensure that the Personal Data is accessed selectively and only for a defined
purpose. This kind of fine-grained access control can help organizations
minimize unauthorized access to Personal Data (Article 25).
Data Minimization
The GDPR recommends minimizing the collection and retention of Personal Data as much as possible to reduce the compliance boundary. While collecting, processing, or sharing Personal Data, Controllers and Processors must be frugal and limit the amount of information to the necessities of a specific activity (Article 5).
Monitor to Detect Breaches
While preventive security measures help
organizations minimize the risk of attack, they cannot eliminate the
possibility that a data breach may occur. The GDPR recommends monitoring and
alerting to detect such breaches through the following mechanisms.
Audit Data
The GDPR not only mandates recording or auditing of the activities on the Personal Data but also recommends that these records be maintained centrally under the responsibility of the Controller. In other words, processors and third parties must not be able to tamper with or destroy the audit records. In addition to book-keeping, auditing also helps in forensic analysis in case of a data breach (Article 30).
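One way to give the controller that property is a tamper-evident log. The following is an added example and not code from the white paper: an append-only record of processing activities in which every entry carries a keyed digest over its own fields and the previous entry's digest, with the key held by the controller and never given to processors. Editing, reordering or removing an entry breaks the chain; a processor that truncates the log is caught by comparing the final digest against one the controller has anchored elsewhere. The entries, actors and purposes are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # digest "before" the first entry


class AuditLog:
    """Hash-chained record of activities on personal data (Article 30 style).

    The HMAC key belongs to the controller. Processors may append through the
    controller's service but cannot recompute digests, so any change to an
    existing entry leaves a chain that no longer verifies.
    """

    def __init__(self, controller_key: bytes):
        self._key = controller_key
        self.entries = []

    def _digest(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, subject_id: str, purpose: str) -> str:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "subject": subject_id, "purpose": purpose, "prev": prev}
        self.entries.append({**body, "digest": self._digest(body)})
        return self.entries[-1]["digest"]

    def tail(self) -> str:
        """Digest of the last entry; the controller anchors this out of band
        (e.g. in a separate store) so that truncation is detectable."""
        return self.entries[-1]["digest"] if self.entries else GENESIS

    def verify(self, anchored_tail: str = None):
        """Return (True, None) if the chain is intact, else (False, seq) with
        the first position that fails: a modified entry, a gap or reorder
        (seq/prev mismatch), or a tail that no longer matches the anchor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "digest"}
            if (e["seq"] != i or e["prev"] != prev
                    or not hmac.compare_digest(e["digest"], self._digest(body))):
                return False, i
            prev = e["digest"]
        if anchored_tail is not None and prev != anchored_tail:
            return False, len(self.entries)
        return True, None
```

The chain alone cannot distinguish "no more entries" from "the last entries were deleted", which is why `tail()` exists: the controller records it after each batch and passes it to `verify()` when auditing a copy returned by a processor.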
Monitor and Timely Alert
Constant monitoring of the activities on
Personal Data is critical for detecting anomalies. In addition to close
monitoring, GDPR also mandates timely notifications in case of a breach
(Article 33).
Quality of Protection
For both large and small organizations,
implementing and administering data security without proper planning can
obstruct day-to-day IT operations and result in a significant administrative
overhead.
While lack of proper planning and
increased costs may have in the past given some enterprises a reason to not
implement security, with regulations such as the GDPR, security is a
requirement, not an option. To address some of these challenges, GDPR
stipulates the following to help ease the administrative overhead of the
security controls and increase the quality of protection:
Data Security by Design and by Default
The GDPR mandates making data protection
a core part of the system. Considering security during the initial design phase
of a technology life cycle increases the security worthiness of the system and
ensures that technical security controls will perform as expected (Article 25).
Centralization
The GDPR recommends centralized
administration when dealing with security of multiple applications and systems
as they help take immediate actions in case of a breach. Centralized controls
also enforce uniformity across multiple targets, reduce the chances of errors
on individual targets, and leverage the best practices across the enterprise
(Recital 36).
Retention and the Right to be Forgotten
As has already been noted controllers
must inform subjects of the period of time (or reasons why) data will be
retained on collection.
Should the data subject subsequently wish
to have their data removed and the data is no longer required for the reasons
for which it was collected then it must be erased.
Note that there is a “downstream”
responsibility for controllers to take “reasonable steps” to notify processors
and other downstream data recipients of such requests.
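The key-management point made under GDPR Exceptions (strong key management is what makes deletion enforceable) and the erasure and downstream-notification duties described here can be implemented together as crypto-shredding. The following is an added example, not the white paper's own: each data subject gets a data-encryption key held apart from the data, every stored copy (primary store and backups) is ciphertext under that key, and erasure destroys the key so that copies the controller cannot reach in time become unintelligible at once, while the recipients recorded at disclosure time are returned so they can be notified. The cipher here is an HMAC-SHA256 counter-mode construction with a separate MAC, used only because the standard library has no AEAD; a production system would use AES-GCM or another AEAD from a vetted library. All subject ids, records and recipients are constructed.

```python
import hashlib
import hmac
import secrets


def _subkey(dek: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the subject's DEK.
    return hmac.new(dek, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: stand-in for a real AEAD.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(dek: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(dek, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(dek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(dek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(dek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    ks = _keystream(_subkey(dek, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class SubjectStore:
    """Per-subject DEKs kept in a key store separate from the data stores."""

    def __init__(self):
        self.keys = {}        # key store: subject_id -> DEK
        self.records = {}     # primary store: subject_id -> [ciphertext]
        self.backups = []     # copies the controller cannot edit in place
        self.disclosed = {}   # subject_id -> set of downstream recipients

    def store(self, subject_id: str, data: bytes) -> None:
        dek = self.keys.setdefault(subject_id, secrets.token_bytes(32))
        blob = encrypt(dek, data)
        self.records.setdefault(subject_id, []).append(blob)
        self.backups.append((subject_id, blob))

    def disclose(self, subject_id: str, recipient: str) -> None:
        # Record every downstream recipient at the time of disclosure.
        self.disclosed.setdefault(subject_id, set()).add(recipient)

    def read(self, subject_id: str) -> list:
        dek = self.keys.get(subject_id)
        if dek is None:
            raise KeyError(f"{subject_id}: no key, subject has been erased")
        return [decrypt(dek, b) for b in self.records.get(subject_id, [])]

    def erase(self, subject_id: str) -> list:
        """Crypto-shredding: destroy the DEK, drop the primary records, and
        return the recipients the controller must now notify."""
        self.keys.pop(subject_id, None)
        self.records.pop(subject_id, None)
        return sorted(self.disclosed.pop(subject_id, set()))

    def recoverable_backups(self, subject_id: str) -> int:
        """Backup copies that can still be decrypted (0 once the key is gone)."""
        dek = self.keys.get(subject_id)
        if dek is None:
            return 0
        return sum(1 for sid, blob in self.backups if sid == subject_id)
```

The backup list is deliberately left untouched by `erase()`: the point of the technique is that those copies no longer need to be found and wiped individually, because nothing can decrypt them. Retention periods disclosed at collection can be enforced the same way, by scheduling key destruction rather than data deletion.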
Comprehensive Security
Threats and attacks can come from
multiple sources and organizations must be prepared from all directions. The
GDPR mandates protection of Personal Data in all stages of the data lifecycle
such as data at-rest and in-transit (Article 32).
Appendix A: GDPR Resources
Resources used to create this European
Union General Data Protection Regulation White Paper follow.
GDPR Legislation
GDPR Analysis
https://information.hunton.com/23/1139/landing-pages/eu-gdpr-guide---registration-page-thank-you.asp
Prior Rules and Regulations: Safe Harbor 2.0
Appendix C: Top Ten EU GDPR Action Points
Action Point | Description
Extra-Territorial Scope | Consider the extent to which the GDPR applies to you. If you are a controller or a processor, and have an establishment in the EU, or are not established in the EU but offer goods or services to or monitor the behavior of EU-based individuals, you will need to comply with the GDPR and may need to appoint a representative.
One Stop Shop | If you are a controller or processor, consider where your main establishment is and who will be your lead supervisory authority. If you are a controller, also consider whether processing decisions are taken in another EU establishment, which has the power to implement those decisions. If so, that decision-making establishment may be considered the main establishment.
Data Processors | If you are a controller, review and revise your data processing contracts to ensure they address the more prescriptive obligations of data processors. If you are a processor, consider whether the processing contract clearly sets out the scope of your liability. You will be liable for any harm caused by a breach of the GDPR, to the extent that you have not complied with your contractual and statutory obligations.
Accountability | Keep a record of your data processing activities as you will need to provide it to your supervisory authority, on request, to demonstrate how you comply with the GDPR. Consider whether you are carrying out ‘high risk’ processing. If so, you will need to conduct a Privacy Impact Assessment. Consider your data privacy obligations when designing and developing new products and services.
Privacy Notices | Review and revise your privacy notices to meet the increased information rights of individuals. Consider the specific statutory ground(s) you rely on to legitimize your processing, and your data retention periods. You will need to supply this information to data subjects in your privacy notices, and to supervisory authorities on request.
Consent | Review how you are seeking, obtaining and recording consent and consider whether more explicit consent is needed to meet the requirements of the GDPR. Consider whether you can rely on an alternative basis to legitimize your processing.
Individuals’ Rights | Review and revise your procedures to meet the new and enhanced rights of data subjects, and ensure your staff understand how to respond to access requests.
Breach Notification | Review and revise your data breach management policy to ensure all breaches are reported to your supervisory authority. Review and revise your security measures to ensure they are robust enough to meet the requirements of the GDPR.
International Data Transfers | Review your international data transfers and ensure appropriate transfer mechanisms are in place.
Sanctions | Consider your data processing activities and your existing compliance with data protection law. Consider what changes need to be made to comply with the new statutory obligations under the GDPR, to avoid the risk of a fine (of up to €20m or 4% of your annual worldwide turnover), or a claim for (pecuniary or non-pecuniary) damages from data subjects if the GDPR is infringed.
Appendix D: EU GDPR Summary
Rights of Individuals
There has been a desire to strengthen
data subject rights within the GDPR. To this end, the GDPR introduces a number of new
data subject rights (e.g. the Right to Erasure, or Right to be Forgotten) and
enhances existing ones (e.g. the Right to Information).
Information to be Provided on Collection
Businesses need to make sure individuals
understand who the controller is that is collecting their personal data and the
purposes for which they are processing it. Organizations’ privacy policies will
need to be updated in line with the requirements of the GDPR.
The new principle of accountability in
the GDPR means there will be much more of an onus on controller businesses to
demonstrate compliance with the data protection principles within the GDPR.
Right to Erasure (Right to be Forgotten)
A Right to Erasure (Right to be Forgotten)
is now set out clearly in the GDPR. It gives individuals a
qualified right to request that their data be erased, provided certain grounds
apply (for example, the data is no longer necessary in relation to the purposes
for which it was collected). Where the right applies, businesses have an obligation
to erase the relevant personal data they hold concerning that individual without
undue delay.
Data Protection Officer
In certain circumstances, businesses are
required to appoint a DPO to help them comply with their
accountability obligations under the GDPR. This is a designated role with tasks
set out in the GDPR, including responsibility for monitoring compliance with
the GDPR.
Obligations on Data Processors
Under the Data Protection Act 1998 the statutory obligations are on
data controllers only. However under the GDPR, data processors will also have
obligations, for example, the processor will have a responsibility for
implementing appropriate technical and organizational measures for the security
of personal data during its processing activities.
Data Protection Impact Assessment
Businesses will need to carry out a data
protection impact assessment where the processing of personal data is likely to
result in a high risk to the rights and freedoms of individuals.
Personal Data Breach Notification
The GDPR requires
controllers to report a personal data breach to their data protection supervisory
authority (the ICO in the UK) without undue delay and, where feasible, no later
than 72 hours after becoming aware of the breach, unless the breach is unlikely to
result in a risk to individuals' rights and freedoms.
Where the personal data breach is likely to
result in a high risk to individuals' rights and freedoms, the controller will
also need to communicate the breach to the affected individuals without undue delay.
What is the Impact if Businesses Get it Wrong?
The data protection supervisory authority may
impose, by administrative decision, a fine of up to €20 million or 4% of total worldwide annual
turnover of the preceding financial year, whichever is higher, for specified
infringements. Individuals will also have the right to bring a claim for damage
suffered as a result of an infringement of the GDPR. The regulation
entered into force on 24 May 2016 and applies from 25 May 2018, so businesses had
two years to prepare for the changes.
The cost of non-compliance could be devastating
and even fatal to many companies, as you can be fined up to 4% of global annual
revenue or €20 million, whichever is higher. The amount of the fine will be
influenced by the nature, gravity and duration of the infringement.
For example, non-compliance by even a
medium-sized bank like Charles Schwab Bank ($5.5 billion revenue) that provides
online banking services to customers in Europe could potentially cost it up
to $220 million, while non-compliance by a retail firm like Abercrombie &
Fitch ($3.5 billion revenue) that provides upscale clothing for young consumers
could potentially cost it up to $140 million.
Appendix C: Privacy by Design
Here is the link to the original: https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf
The seven Privacy by Design (PbD)
principles can help guide data security decisions and underpin GDPR compliance.
The GDPR does not cover every possible security scenario, and that is where PbD can be
useful.
1. Proactive not Reactive and Preventative not
Remedial
The idea behind this first principle is
that you should think about data privacy at the beginning of the data security
planning process — not after
a data breach. Consider this principle as a kind of an overall guideline for
the rest of PbD. Always be thinking privacy (ABTP).
2. Privacy as the Default Setting
Under GDPR, you’re supposed to give
consumers the maximum privacy protection as a baseline: for example, explicit
opt-in, safeguards to protect consumer data, restricted sharing, minimized data
collection, and retention policies in place. PbD lowers the data security risk
profile: the less data you have, the less damaging a breach will be.
3. Privacy Embedded into Design
Talk to a typical software developer, and
they are most worried about completing core functionality for the product. Data
security techniques such as encryption and authentication are usually put on
the back burner in the rush to get features online, and testing for the most
common exploitable vulnerabilities in
software (typically injection attacks) is also often neglected. This
principle tells designers that they should treat privacy as a core
feature of the product.
4. Full Functionality – Positive-Sum, Not Zero-Sum
The idea here is that PbD will not
compromise business goals. Basically, you CAN have privacy, revenue, and
growth. You’re not sacrificing one for the other. Think of this one as helping
to establish a PbD culture in your organization.
5. End-to-End Security — Full Lifecycle Protection
Privacy protections follow the data,
wherever it goes. The same PbD principles apply when the data is first created,
shared with others, and then finally archived. Appropriate encryption and
authentication should protect the data till the very end when it finally gets
deleted.
6. Visibility and Transparency — Keep it Open
This is the principle that helps build
trust with consumers. Information about your privacy practices should be out in
the open and written in non-legalese. There should be a clear redress mechanism
for consumers, and lines of responsibility in the organization need to be
established.
7. Respect for User Privacy – Keep it User-Centric
This final principle just makes it very
clear that consumers own the data. The data held by the organization must be
accurate, and the consumer must be given the power to make corrections. The
consumer is also the only one who can grant and revoke consent on the use of
the data.
Appendix D: EUR-Lex — Access to European Union Law
Below are links to European Union law and publications.
Appendix E: Data Protection Officer Training Resources
There are a number of DPO training classes leading to
certification. One that looks comprehensive and leads to certification is
offered by the International Association of Privacy Professionals (IAPP).
How to Become DPO READY
The General Data Protection Regulation
requires that many organisations appoint a DPO. Training and certification,
such as that in the figure below, are available.
DPO ready 4-DAY Bundle Plus: £2,995 | €3,545 | $3,695. Includes:
CIPP/E In-Person Training
CIPM In-Person Training
CIPP/E Online Training
CIPM Online Training
CIPP/E Certification Exam
CIPM Certification Exam
Complimentary IAPP Membership
One representative training course may be found at: https://iapp.org/train/data-protection-training/
GDPR Training and Certification
IT
Governance UK
Learn from the experts how to meet the requirements of the
EU General Data Protection Regulation (GDPR). Gain practical understanding of
the tools and methods for implementing and managing an effective compliance
framework, and how to fulfil the role of data protection officer (DPO).
MultiMinds
If you want to learn more
or are convinced you need help to prepare for the GDPR, just give us a call and
we'll be happy to come over or set up a meeting. And instead of a threat for
your business, we can pivot this to an opportunity that will prove advantageous
in the long run.
MediaPro
Our GDPR Readiness Toolkit includes valuable
resources that will kick start your journey toward GDPR compliance, focusing
in part on how the GDPR will impact privacy awareness. Download this toolkit for access to:
· White Paper: Expert Insights: Preparing for the GDPR
· On-Demand Webinar: GDPR: The Shifting Tides of Global Privacy, featuring privacy professionals
from Mylan, Chevron, and MediaPro
· The GDPR Cheat Sheet, a concise summary of how the GDPR will impact privacy professionals and privacy
awareness training needs
MediaPro
has 20+ years of experience
creating engaging employee training content for the most risk-conscious
organizations in the world. We’re proud to have the most up-to-date awareness content in the industry, backed by
proven adult learning principles and our award-winning Adaptive Awareness
Framework.
Summary of the GDPR Services We Must Provide
Among the GDPR-compliant service features
we must provide are the following:
· Checkbox consent mechanisms for explicit consent
· Progressive permissions
· Easy data record access mechanisms
· Data correction and integrity mechanisms
· Data portability
· Data erasure and deletion
· Scoped access for users and integrations
· Data pseudonymization
· Age gating
Summary of the GDPR Requirements
The GDPR significantly adds to the
protections for EU data subjects afforded by the existing EU Data Protection
Directive that it replaces, while authorizing record fines for
non-compliance of up to 20,000,000 EUR or 4 percent of annual global
turnover of the preceding financial year, whichever is higher, for certain
violations, and up to half those amounts for other violations.
Under Article 32, both controllers and
processors are required to “implement appropriate technical and organizational
measures” considering “the state of the art and the costs of implementation”
and “the nature, scope, context, and purposes of the processing as well as the
risk of varying likelihood and severity for the rights and freedoms of natural
persons.”
The GDPR makes personal data controllers liable for the
actions of their processors and responsible for compliance with the
regulation’s personal data processing principles. Consequently, just as data
controllers will be looking to make changes to become compliant before the
regulation’s effective date, so too will they need their data processors to
demonstrate compliance.
We must encrypt personal data in transit and at rest. Data in transit is
protected with transport layer security (TLS), using certificates whose keys are
at least 2048 bits, together with other measures appropriate to the channel;
data at rest is protected by the disk and backup encryption described below,
since TLS only covers the connection.
We must keep each client application instance and its associated
subject data isolated in its own logically discrete production environment,
with unique session tokens, configurable session timeout values and password
policies applied to prevent unauthorized access; encrypt data at rest in
development, production and backup environments with full disk encryption; and
store passwords only after one-way hashing them with a per-user salt.
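The following is an added example, not code from the white paper or from any vendor it names, showing three of the Article 32 measures listed above (pseudonymization of a subject identifier, one-way password hashing with a per-user salt, and unguessable session tokens with a configurable idle timeout) using only the Python standard library. The HMAC key, the cost parameters, the timeout value and the sample identifiers are constructed for the example; in production the pseudonymization key would be held in a secrets manager or HSM, never beside the data it protects. One property worth noting: because the pseudonym is a keyed hash, destroying the key unlinks every pseudonymized record at once, which is one practical way to honor an erasure request across backups.

```python
"""Added example: pseudonymization, password hashing and session handling
with the Python standard library. Keys and data below are constructed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# 1. Pseudonymization with a keyed hash (HMAC-SHA-256).
# Assumption: the key is fetched from a secrets manager; generated here for the demo.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymise(subject_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Return a stable, non-reversible pseudonym for a direct identifier.
    The same id under the same key always maps to the same pseudonym; without
    the key the mapping cannot be reconstructed or enumerated."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()


# 2. Password storage: salted scrypt, parameters stored with the hash so they
#    can be raised later without breaking verification of older records.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # 16 MiB per hash; raise N as hardware allows
DKLEN = 32


def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)  # fresh per user, so equal passwords hash differently
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    except ValueError:
        return False  # malformed record; never raise into the login path
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# 3. Sessions: unique unguessable tokens, keyed to the pseudonym rather than the
#    raw identifier, expired after a configurable idle period.
@dataclass
class Session:
    subject: str      # pseudonym, not the raw identifier
    last_seen: float  # epoch seconds


class SessionStore:
    def __init__(self, idle_timeout_s: int = 900):
        self.idle_timeout_s = idle_timeout_s
        self._sessions: Dict[str, Session] = {}

    def create(self, subject_pseudonym: str, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = Session(subject_pseudonym, time.time() if now is None else now)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the session's subject pseudonym, or None if unknown or idle too long."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_seen > self.idle_timeout_s:
            del self._sessions[token]  # expired: drop it rather than let it linger
            return None
        sess.last_seen = now
        return sess.subject


if __name__ == "__main__":
    # Constructed walk-through: enrol a user, log in, open a session.
    record = hash_password("correct horse battery staple")
    print("password ok:", verify_password("correct horse battery staple", record))
    store = SessionStore(idle_timeout_s=60)
    tok = store.create(pseudonymise("alice@example.com"), now=1000.0)
    print("session subject:", store.resolve(tok, now=1030.0))
    print("after timeout:", store.resolve(tok, now=2000.0))
```

The `now` parameter exists so the timeout logic can be exercised deterministically; a real deployment would leave it unset and let `time.time()` supply the clock.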
We must have the ability to ensure the ongoing
confidentiality, integrity, availability and resilience of our processing
systems and services (through a variety of safeguards, including data hosting
replicated to several servers, data backup on hot servers and the capability to
receive real-time notification of data subject record changes).
We must have the ability to restore the availability of and
access to the personal data in a timely manner in the event of a physical or technical
incident.
We must have a tested Business Continuity and Disaster
Recovery Plan.
We must have a process for regularly testing, assessing and
evaluating the effectiveness of technical and organizational measures for
ensuring the security of the processing (accomplished through our internal and
external audits).
This is a link to a webpage example of a company providing a corporate
statement of their intention to comply with the GDPR.