The purpose of Poetslife is to promote the art and discipline of American Tactical Civil Defense for families and small businesses and to contribute practical American civil defense preparedness guidance for all Americans through my articles in the The American Civil Defense Association (TACDA.ORG) Journal of Civil Defense and leadership as the volunteer Vice President of TACDA.

5/31/2018

General Data Protection Regulation GDPR Explained

 Block chain and GDPR analysis link here.

Now that the regulations have gone into effect on May 25, 2018, companies are beginning to pay attention. To help them understand the General Data Protection Regulation (GDPR).here is my white paper on this subject. The basic rules, principles, and impacts of both are presented below.

European Union General Data Protection Regulation (GDPR) White Paper

Table of Contents

European Union General Data Protection Regulations

On December 15, 2015, the European Union (EU) agreed to a draft of the General Data Protection Rules (GDPR) with potential fines of up to four percent of global revenues or 20 million EUR (whichever is higher), if an enterprise breaks those rules.
These rules, which are expected to go into effect in May 2018, apply to any companies that have or manage the data of customers in the EU regardless of whether the company itself is based outside the EU (with implications for cloud-based models).
So under these new rules, if a US company collects data from EU citizens, it would be under the same legal obligations as though the company had headquarters in say France, UK, or Germany — even though they don’t have any servers or offices there.
Any American company that does business in the EU needs to be in full compliance with GDPR by May 25th, 2018.  Even if your company has no presence in the EU, so long as you market to EU residents, even if it is through the web, you need to comply with the GDPR.
The foundational accountability requirement means that you must know all personal data you store and use. This is a major challenge as many organizations habitually store data redundantly.
Sustained compliance means that our product and service development and production processes may need to be updated to consider personal data storing and usage implications from architecture and design to deployment. These new requirements mean that we are now responsible to actually demonstrate how all personal data is effectively secured.
Rules for disclosure of breach and data protection officers will require implementation or update of operational processes, job descriptions, PR processes, etc.

This single Europe-wide regulation removes the complexities that businesses currently face complying with multiple local regulations across the EU. Currently, each of the 28 EU states interprets the existing rules in their own way, making compliance across the region complex and expensive.
The GDPR unifies EU data protection legislation, simplifying processes and legal obligations for any country dealing with more than one EU state. However, the scope of GDPR substantially increases the obligations on firms dealing with EU citizens' personal data.
Organizations outside the EU are subject to the jurisdiction of the EU regulators just by collecting data concerning an EU citizen. Such organizations will only have to deal with one single supervisory authority. Among other requirements, the GDPR includes a directive on data transfers for policing and judicial purposes.
The GDPR will apply to the U.K. and is likely to apply after the U.K. leaves the EU. The U.K. will still be a Member State of the EU on 25 May 2018. The GDPR comes into effect for all Member States, and so will come into force in the U.K. The U.K. will retain the GDPR following Brexit. 

Wide powers of enforcement are given to the EU Data Protection Regulators (DPRs). The DPRs will have the power to impose penalties in the form of fines against any business failing to comply with the new regulations. These penalties are significantly stronger than those provided under the current Data Protection Act (DPA).
The GDPR describes three levels of non-compliance, and each level has a band of fines associated with it. For the most serious instances of non-compliance, an organisation can expect a fine of up to 4% of annual global turnover or €20 million, whichever is greater.
GDPR is a set of articles, 99 in total, written by the European Union, which will harmonize the European data privacy laws and data protection laws across Europe. Again, the compliance date is May 25th, 2018. 
For the latest changes and updates to the GDPR, see: http://www.eugdpr.org/key-changes.html

US Versus EU Concepts of Privacy

In the US we think in terms of users, consumers and subscribers. In the EU, individuals and persons are at the center of any notion of privacy. Individuals are guaranteed protection of personal data through the Charter of Fundamental Rights, adopted in 2000, but only acquiring the full force of law in 2009 through the Treaty of Lisbon. Article 8, for example, states:
Protection of personal data:
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
This strong, explicit data protection basis in EU law does not have clear equivalency in the United States, and that gap has been at the center of the data protection and privacy related friction between these two economic blocs for years.

Overview of the GDPR Rules

Among the GDPR rules are requirements to:
·         Implement technical and organizational measures to ensure appropriate data security through means including, among others, “pseudonymisation and encryption of personal data”
·         Have in place a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of data processing
·         Communicate “without undue delay” personal data breaches to the subjects of such breaches when the breach is likely to result in a high risk to the rights and freedoms of these individuals

GDPR and the Cloud

GDPR compliance will not be possible if organizations do not control and secure data in cloud apps. Closely managing a business’ interactions with the cloud is a good starting point. To achieve this, we must:
·         Discover and monitor every cloud application in use by our employees.
·         Know which personal data sets are being processed by employees in the cloud – for instance, customer information such as name, credit card details, address, or other forms of personally identifiable information (PII).
·         Secure data by implementing policies to ensure that employees are not using unmanaged cloud services to store and process PII. Policies should be sufficiently granular in order to prevent unwanted behavior while simultaneously ensuring compliant use of the cloud can continue.
·         Coach users in best practice so they adopt the services sanctioned by IT.
·         Evaluate various cloud access security brokers to determine the enterprise-readiness of all cloud apps and cloud services so the business can guarantee that all data is protected both at rest and in transit.

Personal Data Definition

Personal data is defined in the GDPR as any information relating to a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, and online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
So in many cases online identifiers including IP address, cookies and other data artefacts will now be regarded as personal data if they can be (or are capable of being) without undue effort linked back to the data subject.
There is no distinction between personal data about individuals in their private, public or work roles — the person is the person.
It applies to data transfers across borders within the EU as well as setting minimum standards for data processing for policing purposes within each member state. (Due to UK and Ireland’s special status regarding justice and home affairs legislation, the directive’s provisions only apply in these countries to a limited extent.)
The regulations will apply to any organisation, regardless of location, that acts as a controller or processor of personally identifiable information of EU residents. The term controller refers to any individual or organisation that advocates how and for what business reason the personal data will be used.
Processing of data includes such tasks as collection, storage, recording, editing, or any use for operational purposes. The definition of personal data has been broadened to include additional characteristics that may be used to identify a living individual. Those characteristics include such data constructs as genetic, mental, economic, cultural or social identity.

GDPR Regulation Objectives

There are five primary objectives in the GDPR regulations. They are listed below along with their descriptions.
Objective
Description
Establish data privacy as a fundamental right
The GDPR considers data protection as a fundamental human right of an individual, which includes a “right to the protection” of their personal data. Anyone based in the EU, or anyone handling or targeting the personal data of an EU-based individual must have processes, technology, and automation to effectively protect personal data.
Clarify the responsibilities for EU data protection
The GDPR applies to a controller or a processor who is based or established in the EU, or to a company not based in the EU but who offers goods or services from outside the EU borders to a data subject in the EU or who monitors the behavior of data subjects in the EU.
Define a baseline for data protection
To avoid fragmentation and ambiguity, GDPR has set a baseline for data protection by requiring anyone processing the personal data of an individual that is in the European Union to follow the requirements laid down in the GDPR.
Elaborate on the data protection principles
The GDPR considers encryption as only one of the components of a broad security strategy, and mandates that organizations need to consider assessment, preventive, and detective controls based upon the sensitivity of the personal data they have.
Increase enforcement powers
The EU aims to ensure compliance with the GDPR by enforcing huge fines of up to 4% of the global annual revenue upon non-compliance.

Defined GDPR Roles

There are seven primary roles in the GDPR regulations. They are listed below along with their descriptions.
Role
Description
Data Subject
A person who can be identified directly or indirectly by means of an identifier. For example, an identifier can be a national identifier, a credit card number, a username, or a web cookie.
Personal Data
Any personal information, including sensitive personal information, relating to a Data Subject. For example, address, date of birth, name, location and nationality.
Controller
A natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. For example, a controller can be an organization or Chief Information Officer (CIO).
Data Protection Officer
An individual working for a Controller or a Processor with extensive knowledge of the data privacy laws and standards. The Data Protection Officer (DPO) shall advice the controller or the processor of their obligations according to the GDPR and shall monitor its implementation. The DPO acts as a liaison between the controller/processor and the supervisory authority. A DPO for example can be a Chief Security Officer (CSO) or a Security Administrator.
A single DPO may represent a group of undertakings or multiple public authorities or bodies. The GDPR requires a DPO to be “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices” and the ability to fulfill the tasks designated under Article 39. These tasks involve regulatory compliance, training staff on proper data handling, and coordinating with the supervisory authority, with an ability to understand and balance data processing risks.
Processor
A natural or legal person, agency or any other body which processes Personal Data on behalf of the Controller. For example, a developer, a tester, or an analyst. A Processor can also be a cloud service provider or an outsourcing company.
Recipient
A natural or legal person, agency or any other body to whom the personal data is disclosed. For example, an individual, a tax consultant, an insurance agent, or an agency
Enterprise
Any natural or legal person engaged in an economic activity. This essentially includes all organizations whether in the public or private sector, whether in the EU or outside of the EU.
Third Party
Any natural or legal person, agency or any other body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorized to process the data. For example, partners or subcontractors.
Supervisory Authority
An independent public authority established by a Member State (known as the National Data Protection Authority under the current EU Data Protection Directive), or auditing agency.

Primary GDPR Requirements

Highlights of the GDPR requirements include:
·         Companies will have to appoint a DPO (Data Privacy Officer) who is responsible for advising on and monitoring GDPR compliance, and is a point of contact for the authorities.
·         There are new regulations and requirements for collecting and recording personal data and processing activities.
·         Data authorities and consumers must be notified within 72 hours after the discovery of the breach.
·         A tiered penalty framework with fines of up to 4% of global annual turnover (or €20,000,000, whichever is higher) for more serious violations, and up to 2% (or €10,000,000) for other violations, such as failing to notify a data authority about a breach.
·         Local data authorities will have additional resources to investigate and audit data controllers, and processors and their sub-contractors.
·         A new European Data Protection Board will act as a super data authority to handle disputes between authorities.

Certification Requirements for the DPO

According to the European Data Protection Supervisor’s paper on Professional Standards for Data Protection Officers, the most relevant certification for a DPO is the one provided by the International Association of Privacy Professionals.
Eric Lachaud, in his article Should the DPO Be Certified?, for Oxford University’s International Data Privacy Law journal, reaches the conclusion that the most appropriate certification for the DPO is a combination of the IAPP’s Certified Information Privacy Professional credential for EU professionals (CIPP/E) and Certified Information Privacy Manager (CIPM). The IAPP also offers the Certified Information Privacy Technologist (CIPT) credential, as well as a version of the CIPP for the United States, and one for Canada and the U.S. federal government.
The CIPP/E, CIPP/US, CIPM, and CIPT credentials are certified under ISO standard 17024:2012.

Primary GDPR Sanctions

We are working now to comply with the May, 2018 deadline for the following provisions of the GDPR:
·         Right to be forgotten
·         “Clear and affirmative consent” to the processing of private data by the person concerned
·         Right to transfer your data to another service provider
·         Right to know when your data has been hacked
·         Ensuring that privacy policies are explained in clear and understandable language
·         Stronger enforcement and fines up to 4% of firms’ total worldwide annual turnover, as a deterrent to breaking the rules.
The data protection package also includes a directive on data transfers for policing and judicial purposes. It will apply to data transfers across borders within the EU as well as, for the first time, setting minimum standards for data processing for policing purposes within each member state.
The regulation applies if the data controller or processor (organization) or the data subject (person) is based in the EU. The regulation also applies to organizations based outside the EU if they process personal data of EU residents. The regulation does not apply to the processing of personal data for national security activities or law enforcement.

Data Portability

The GDPR requires that a person be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller.
Aimed at helping drive competition between service providers this part of the regulation seeks to drive automated transfers of data (using a common format yet to be defined) between services which primarily process customers automatically.  So, for example, these could include utilities, banks, telecoms and ISP’s. And the data must be provided by the controller in a structured and commonly used electronic format. The right to data portability is provided by Article 18.

Information Provided at Data Collection

The information that must be made available to a Data Subject when data is collected includes:
·         Identity and the contact details of the controller and DPO
·         Purposes of the processing for which the personal data are intended
·         Legal basis of the processing
·         Where applicable the legitimate interests pursued by the controller or by a third party
·         Where applicable, the recipients or categories of recipients of the personal data
·         Where applicable, that the controller intends to transfer personal data internationally
·         The period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period
·         Existence of the right to access, rectify or erase the personal data
·         Right to data portability
·         Right to withdraw consent at any time
·         Right to lodge a complaint to a supervisory authority

Where the data has not been obtained directly from the data subject, perhaps using a 3rd party list, the list varies and includes:
·         From what source the personal data originate.
·         The existence of any profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
There are some exceptions, such as the effort would be disproportionate (although this is unlikely be a good justification in day-to-day circumstances) and where the information has already been provided to the data subject.

Profiling

The regulation defines profiling as any automated processing of personal data to determine certain criteria about a person. “In particular to analyze or predict aspects concerning that natural person' s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
Individuals have the right not to be subject to the results of automated decision making, including profiling, which produces legal effects on him or her or otherwise significantly affects them. So, individuals can opt out of profiling.
Automated decision making will be legal where:

·         Individuals have explicitly consented to it
·         If profiling is necessary under a contract between an organization and an individual
·         If profiling is authorized by EU or Member State Law.

Legitimate Interests and Direct Marketing

The regulation specifically recognizes that the processing of data for “direct marketing purposes” can be considered as a legitimate interest. Legitimate interest is one of the grounds, like consent, that an organization can use in order to process data and satisfy the principle that data has been fairly and lawfully processed.
The act says that processing is lawful if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

EU Definition of GDPR Personal Data

According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, and posts on social networking websites, medical information, or a computer’s IP address." 

Obtaining Consent

Companies must obtain valid consent explicit for data collected and purposes data used (Article 7, defined in Article 4). Consent for gathering data on children (defined as 12 and below) must be given by child’s parent or custodian, and verifiable (Article 8). Data controllers must be able to prove consent (opt-in) and consent may be withdrawn.
According to the Regulation consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”
Although the consent itself need not be explicit, the purpose for which the consent is gained does need to be “collected for specified, explicit and legitimate purposes.” It needs to be obvious to the data subject what their data is going to be used for at the point of data collection.
Consent should be demonstrable in that organizations need to be able to show clearly how consent was gained and when. Consent must be freely given — a controller cannot insist on data that’s not required for the performance of a contract as a pre-requisite for that contract. Withdrawing consent should always be possible — and should be as easy as giving it.

GDPR Reporting a Data Breach

The reporting of a data breach is not subject to any de minimis standard and such breaches must be reported to the Supervisory Authority when they become aware of the data breach (Article 31). Individuals have to be notified if adverse impact is determined (Article 32).

GDPR Exceptions

GDPR does provide exceptions based on whether the appropriate security controls are deployed within the organizations.  For example a breached organization that has rendered the data unintelligible through encryption to any person who is not authorized to access the data, is not mandated to notify the affected record owners. 
The chances of being fined are also reduced if the organization is able to demonstrate a “Secure Breach” has taken place.
To address the GDPR compliance requirements, organizations need to employ one or more different encryption methods within both their on-premises and cloud infrastructure environments, including the following:
·         Servers, including via file, application, database, and full disk virtual machine encryption
·         Storage, including through network-attached storage and storage area network encryption
·         Media, through disk encryption
·         Networks, for example through high-speed network encryption
Strong key management is required to protect the encrypted data and to ensure the deletion of files and comply with a user’s right to be forgotten. Controllers must inform subjects of the period of time (or reasons why) data will be retained on collection.
If the data subject subsequently wishes to have their data removed and the data is no longer required for the reasons for which it was collected then it must be erased.
Note that there is a downstream responsibility for controllers to take reasonable steps to notify processors and other downstream data recipients of such requests.
Organizations will also need a way to verify the legitimacy of user identities and transactions, and to prove compliance. Security controls must be in place and be demonstrable and auditable.

Key GDPR Data Security Requirements

The key GDPR data security requirements can be broadly classified into three categories:

·         Assessment
·         Prevention
·         Monitoring/Detection
The GDPR also requires compliance with the data protection principles to enhance the quality and rigor of protection of the data. This section summarizes key data security requirements discussed in the GDPR

Assess Security Risks

The GDPR mandates that Controllers perform Data Protection Impact Assessments when certain types of processing of Personal Data are likely to present a “high risk” to the data subject. The assessment must include a systematic and extensive evaluation of organization’s processes, profiles, and how these tools safeguard the Personal Data (Article 35).

Prevent Attacks

At various places in the regulation, the GDPR reiterates the importance of preventing security breaches. The GDPR recommends several techniques to prevent an attack from succeeding (Article 32).

Encryption

The GDPR provides that in the event of a data breach, the Controller need not to notify data subjects if data is encrypted and rendered unintelligible to any person accessing it, thereby removing notification costs to the organizations (Article 34).

Encrypting Both Structure and Unstructured Data

GDPR requires organizations to safeguard personal data, which may include anything from data about political viewpoints to health history, and says that "this applies to all systems used to process the data, including cloud apps."
The difficulty in complying with this regulations is that many, if not most, personal data for which the organization is legally responsible are data not found in structured formats like databases, but things like email [messages] and random documents created using Office 365 and Box, and in cloud apps not sanctioned by IT.
Another complication is the proliferation of Bring Your Own Device (BYOD) across our organization that makes it difficult to know how to comply with GDPR if we don't know what data we have on these devices and where it resides.

Anonymization and Pseudonymization

Data anonymization is the technique of completely scrambling or obfuscating the data, and pseudonymization refers to reducing the linkability of a data set with the original identity of a data subject. The GDPR states that anonymization and pseudonymization techniques can reduce the risk of accidental or intentional data disclosure by making the information un-identifiable to an individual or entity (Recital 28).

Privileged User Access Control

The GDPR implies controlling privileged users who have access to the Personal Data to prevent attacks from insiders and compromised user accounts (Article 29).

Fine-grained Access Control

In addition to privileged user control, the GDPR recommends adopting a fine-grained access control methodology to ensure that the Personal Data is accessed selectively and only for a defined purpose. This kind of fine-grained access control can help organizations minimize unauthorized access to Personal Data (Article 25).

Data Minimization

The GDPR recommends minimizing the collection and retention of Personal Data as much as possible to reduce the compliance boundary. While collecting, processing, or sharing Personal Data, Controllers and Processors must be frugal and limit the amount of information to the necessities of a specific activity (Data 5).

Monitor to Detect Breaches

While preventive security measures help organizations minimize the risk of attack, they cannot eliminate the possibility that a data breach may occur. The GDPR recommends monitoring and alerting to detect such breaches through the following mechanisms.

Audit Data

The GDPR not only mandates recording or auditing of the activities on the Personal Data but also recommends that these records must be maintained centrally under the responsibility of the Controller. In other words, processors and third-parties must not be able to tamper or destroy the audit records. In addition to book-keeping, auditing also helps in forensic analysis in case of a data breach (Article 30).

Monitor and Timely Alert

Constant monitoring of the activities on Personal Data is critical for detecting anomalies. In addition to close monitoring, GDPR also mandates timely notifications in case of a breach (Article 33).

Quality of Protection

For both large and small organizations, implementing and administering data security without proper planning can obstruct day-to-day IT operations and result in a significant administrative overhead.
While lack of proper planning and increased costs may have in the past given some enterprises a reason to not implement security, with regulations such as the GDPR, security is a requirement, not an option. To address some of these challenges, GDPR stipulates the following to help ease the administrative overhead of the security controls and increase the quality of protection:

Data Security by Design and by Default

The GDPR mandates making data protection a core part of the system. Considering security during the initial design phase of a technology life cycle increases the security worthiness of the system and ensures that technical security controls will perform as expected (Article 25).

Centralization

The GDPR recommends centralized administration when dealing with security of multiple applications and systems as they help take immediate actions in case of a breach. Centralized controls also enforce uniformity across multiple targets, reduce the chances of errors on individual targets, and leverage the best practices across the enterprise (Recital 36).

Retention and the Right to be Forgotten

As has already been noted controllers must inform subjects of the period of time (or reasons why) data will be retained on collection.
Should the data subject subsequently wish to have their data removed and the data is no longer required for the reasons for which it was collected then it must be erased.
Note that there is a “downstream” responsibility for controllers to take “reasonable steps” to notify processors and other downstream data recipients of such requests.
Comprehensive Security
Threats and attacks can come from multiple sources and organizations must be prepared from all directions. The GDPR mandates protection of Personal Data in all stages of the data lifecycle such as data at-rest and in-transit (Article 32). 

Appendix A:  GDPR Resources

Resources used to create this European Union General Data Protection Regulation White Paper follow.
GDPR Legislation
GPDR Analysis

Prior Rules and Regulations: Safe Harbor 2.0

Appendix C:  Top Ten EU GDPR Action Points


Action Point
Description
Extra-Territorial Scope
Consider the extent to which the GDPR applies to you.
If you are a controller or a processor, and have an establishment in the EU, or are not established in the EU but offer goods or services to or monitor the behavior of EU-based individuals, you will need to comply with the GDPR and may need to appoint a representative.
One Stop Shop
If you are a controller or processor, consider where your main establishment is and who will be your lead supervisory authority.
If you are a controller, also consider whether processing decisions are taken in another EU establishment, which has the power to implement those decisions. If so, that decision-making establishment may be considered the main establishment.
Data Processors
If you are a controller, review and revise your data processing contracts to ensure they address the more prescriptive obligations of data processors.
If you are a processor, consider whether the processing contract clearly sets out the scope of your liability. You will be liable for any harm caused by a breach of the GDPR, to the extent that you have not complied with your contractual and statutory obligations
Accountability
Keep a record of your data processing activities as you will need to provide it to your supervisory authority, on request, to demonstrate how you comply with the GDPR. Consider whether you are carrying out ‘high risk’ processing.
If so, you will need to conduct a Privacy Impact Assessment. Consider your data privacy obligations when designing and developing new products and services.
Privacy Notices
Review and revise your privacy notices to meet the increased information rights of individuals. Consider the specific statutory ground(s) you rely on to legitimize your processing, and your data retention periods.
You will need to supply this information to data subjects in your privacy notices, and supervisory authorities on request.
Consent
Review how you are seeking, obtaining and recording consent and consider whether more explicit consent is needed to meet the requirements of the GDPR.
Consider whether you can rely on an alternative basis to legitimize your processing.
Individuals’ Rights
Review and revise your procedures to meet the new and enhanced rights of data subjects, and ensure your staffs understand how to respond to access requests.
Breach Notification
Review and revise your data breach management policy to ensure all breaches are reported to your supervisory authority.
Review and revise your security measures to ensure they are robust enough to meet the requirements of the GDPR.
International Data Transfers
Review your international data transfers and ensure appropriate transfer mechanisms are in place.
Sanctions
Consider your data processing activities and your existing compliance with data protection law.
Consider what changes need to be made to comply with the new statutory obligations under the GDPR, to avoid the risk of a fine (of up to €20m or 4% of your annual worldwide turnover), or a claim for (pecuniary or non-pecuniary) damages from data subjects if the GDPR is infringed.

 Appendix D:  EU GDPR Summary

Rights of Individuals
There has been a desire to strengthen data subject rights within the GDPR. To this end, there are a number of new (e.g. the Right to Erasure (Right to be Forgotten) or enhanced (Right to Information) data subject rights that will be included in the GDPR.
Information to be Provided on Collection 
Businesses need to make sure individuals understand who the controller is that is collecting their personal data and the purposes for which they are processing it. Organizations’ privacy policies will need to be updated in line with the requirements of the GDPR.
The new principle of accountability in the GDPR means there will be much more of an onus on controller businesses to demonstrate compliance with the data protection principles within the GDPR. 
Right to Erasure (Right to be Forgotten)
A Right to Erasure (Right to be Forgotten') has now been set out clearly in the GDPR that will allow individuals a qualified right to request that their data be erased, provided certain grounds apply (for example, the data is no longer necessary in relation to the purposes for which it was collected). Where relevant, businesses will have an obligation to erase the relevant personal data it holds concerning that individual without undue delay.
Data Protection Officer
In certain circumstances, businesses are required to appoint a DPO to enable those businesses to comply with its accountability obligations under the GDPR. This is a designated role with tasks set out in the GDPR, including responsibility for monitoring compliance with the GDPR.
Obligations on Data Processors
Under the Data Protection Act 1998 the statutory obligations are on data controllers only. However under the GDPR, data processors will also have obligations, for example, the processor will have a responsibility for implementing appropriate technical and organizational measures for the security of personal data during its processing activities.
Data Protection Impact Assessment  
Businesses will need to carry out a data protection impact assessment where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals.
The GDPR includes a requirement for controllers to report a personal data breach to its data protection supervisory authority (the ICO in the UK) without undue delay and where feasible, no later than 72 hours after being aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.
Where the personal data breach is likely to result in a high risk to individuals’ rights and freedoms, the controller will also need to communicate the breach to the individual without undue delay. 
What is the Impact if Businesses Get it Wrong?
The protection supervisory authority may impose in an administrative decision an up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, for specified infringements. Individuals will also have the right to bring a claim for damage suffered as a result of an infringement of the GDPR. With the new rules entering into force on the 24th May 2018, businesses have two years to prepare for the changes.
The cost of non-compliance could be devastating and even fatal to many companies as you can be fined up to 4% of global annual revenue or €20 million, whichever is highest. The amount of the fine will be influenced by the nature, gravity and duration of the infringement.
For example, non-compliance for even a medium-sized bank like Charles Schwab Bank ($5.5 billion revenue) that provides online banking services to customers in Europe could potentially cost them up to $220 million, while non-compliance by a retail firm like Abercrombie & Fitch ($3.5 billion revenue) that provides upscale clothing for young consumers could potentially cost them up to $140 million. 

Appendix C:  Privacy by Design

The seven Privacy by Design (PbD) principles can help guide data security decisions and underpin GDPR compliance. GDPR do not cover every possible security scenario, and that’s where PbD can be useful.
1. Proactive not Reactive and Preventative not Remedial
The idea behind this first principle is that you should think about data privacy at the beginning of the data security planning process — not after a data breach. Consider this principle as a kind of an overall guideline for the rest of PbD.  Always be thinking privacy (ABTP).
2. Privacy as the Default Setting
Under GDPR, you’re supposed to give consumers the maximum privacy protection as a baseline: for example, explicit opt-in, safeguards to protect consumer data, restricted sharing, minimized data collection, and retention policies in place. PbD lowers the data security risk profile: the less data you have, the less damaging a breach will be.
3. Privacy Embedded into Design
Talk to a typical software developer, and he’s most worried about completing core functionality for the product. Data security techniques such as encryption and authentication are usually put on the backburner in the rush to get features online. And testing for the most common hackable vulnerabilities in software — typically injection attacks — is also often neglected.  These principles tell designers that they should think about privacy as a core feature of the product.
4. Full Functionality – Positive-Sum, Not Zero-Sum
The idea here is that PbD will not compromise business goals. Basically, you CAN have privacy, revenue, and growth. You’re not sacrificing one for the other. Think of this one as helping to establish a PbD culture in your organization.
5. End-to-End Security — Full Lifecycle Protection
Privacy protections follow the data, wherever it goes. The same PbD principles apply when the data is first created, shared with others, and then finally archived. Appropriate encryption and authentication should protect the data till the very end when it finally gets deleted.
6. Visibility and Transparency — Keep it Open
This is the principle that helps build trust with consumers. Information about your privacy practices should be out in the open and written in non-legalese. There should be a clear redress mechanism for consumers, and lines of responsibility in the organization need to be established.
7. Respect for User Privacy – Keep it User-Centric
This final principle just makes it very clear that consumers own the data. The data held by the organization must be accurate, and the consumer must be given the power to make corrections. The consumer is also the only one who can grant and revoke consent on the use of the data. 

Appendix D: EUR-Lex — Access to European Union Law 

Below are links to European Union law and publications.


Appendix E: Data Protection Officer Training Resources

There are a number of DPO training classes leading to certification. One that looks comprehensive and leads to certification is offered by the International Association of Privacy Professionals (IAPP).

How to Become DPO READY

The General Data Protection Regulation requires that many organisations appoint a DPO. Training and certification, such as that in the figure below, are available.
DPO ready 4-DAY Bundle Plus £2,995 | €3,545 | $3,695 Includes:
CIPP/E In-Person Training
CIPM In-Person Training
CIPP/E Online Training
CIPM Online Training
CIPP/E Certification Exam
CIPM Certification Exam
Complimentary IAPP Membership

One representative training course may be found at: https://iapp.org/train/data-protection-training/

GDPR Training and Certification 

IT Governance UK
Learn from the experts how to meet the requirements of the EU General Data Protection Regulation (GDPR). Gain practical understanding of the tools and methods for implementing and managing an effective compliance framework, and how to fulfil the role of data protection officer (DPO).

MultiMinds


If you want to learn more or are convinced you need help to prepare for the GDPR, just give us a call and we’ll be happy to come over or setup a meeting. And instead of a threat for your business, we can pivot this to an opportunity that will prove advantageous in the long run.

MediaPro

Our GDPR Readiness Toolkit includes valuable resources that will kick start your journey toward GDPR compliance, focusing in-part on how the GDPR will impact privacy awareness. Download this toolkit for access to:
·         White Paper: Expert Insights: Preparing for the GDPR
·         On-Demand Webinar: GDPR: The Shifting Tides of Global Privacy featuring privacy professionals from Mylan, Chevron, and MediaPro
·         The GDPR Cheat Sheet, a concise summary of how the GDPR will impact privacy professionals and privacy awareness training needs
MediaPro has 20+ years of experience creating engaging employee training content for the most risk-conscious organizations in the world. We’re proud to have the most up-to-date awareness content in the industry, backed by proven adult learning principles and our award-winning Adaptive Awareness Framework.

Summary of the GDPR Services We Must Provide


Among the GDPR-compliant service features we must provide are the following:
·         Checkbox consent mechanisms for explicit consent
·         Progressive permissions
·         Easy data record access mechanisms
·         Data correction and integrity mechanisms
·         Data portability
·         Data erasure and deletion
·         Scoped access for users and integrations
·         Data pseudonymization
·         Age gating

Summary of the GDPR Requirements

The GDPR significantly adds to the protections for EU data subjects afforded by the existing EU Data Protection Directive that it will replace, while authorizing record-level fines for non-compliance up to a maximum of 20,000,000 EUR or 4 percent annual global revenue of the preceding financial year, whichever is higher, for certain violations, and up to half those amounts for other violations.
Under Article 32, both controllers and processors are required to “implement appropriate technical and organizational measures” considering “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”
The GDPR makes personal data controllers liable for the actions of their processors and responsible for compliance with the regulation’s personal data processing principles. Consequently, just as data controllers will be looking to make changes to become compliant before the regulation’s effective date, so too will they need their data processors to demonstrate compliance.

We must encrypt personal data in transit and at rest with transport layer security (TLS) and SSL certificates of at least 2048-bits and other measures to protect data in transit.

We must keep each client application instance and associated subject data isolated in its own logically discrete production environment; having unique session tokens, configurable session timeout values and password policies applied to prevent unauthorized access; encrypting data at rest in development, production and backup environments with full disk encryption; and storing passwords after being one-way hashed).

We must have the ability to ensure the ongoing confidentiality, integrity, availability and resilience of our processing systems and services (through a variety of safeguards, including data hosting replicated to several servers, data backup on hot servers and the capability to receive real-time notification of data subject record changes).

We must have the ability to restore the availability of and access to the personal data in a timely manner for a physical or technical incident.

We must have a tested Business Continuity and Disaster Recovery Plan.

We must have a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing (accomplished through its internal and external audits).

This is a link to a webpage example of a company providing a corporate statement of their intention to comply with the GDPR.