Despite the many rules and regulations, there are still security holes in the GDPR regime. For example, how does it handle the multitude of personal devices in any company's BYOD (Bring Your Own Device) environment? I analyse that security hole and others in my white paper below.
European Union General Data Protection Regulation (GDPR) Security Holes and More White Paper
GDPR Security Holes
Here is what a former Senior Solutions Architect at Perficient has to say about GDPR Security Holes. “Every place that I have worked at since the early 2000s has had a BYOD (Bring Your Own Device) policy with set reimbursement based on role. Very occasionally we would purchase tablets on the company dime and they were usually replacing laptops. What has happened is that these tablets have negatively impacted security, because consumer-based cloud solutions were used when it was convenient for the users. This reality of a mobile, disconnected workforce has outweighed security concerns of their use. And we have gotten lazier: neither mobile devices nor laptops were encrypted and there was no effective way to prevent leakage of data either due to lost devices or departing employees.”
How do we address this security hole? One option is a mobile device management (MDM) product such as AirWatch: it can enforce device encryption, keep work data in a managed container separate from personal apps, and wipe that data remotely, which directly targets the unencrypted-device and departing-employee leakage described above.
Think of all the data in production systems that nobody uses
anymore. And what about dark or unstructured data, fragmented in crumbs
throughout emails, presentations, phone notes, spreadsheets, and so much more?
Keeping data you don’t need for business or regulatory purposes can be
unhealthy in terms of IT cost and it can also put your company at greater risk
in a data breach – and on top of that, you may be basing your business
decisions on data that is incorrect or no longer relevant. Getting your
organization ready for GDPR might sound difficult, but it’s actually the
perfect opportunity to take on this issue as well.
Very likely, some of the data we store is what we would call ROT: redundant, obsolete or trivial. It has no business value, but may still cost money to store and maintain. However, when it comes to our unstructured data, we are usually looking at a totally different picture. Personal information may
have been shared in emails between the company and physicians. Sensitive
customer and client information may have been extracted from production systems
for analytical purposes.
And spreadsheets containing confidential customer and client
information from our organization may have been saved locally. Most
organizations don’t have insight into their unstructured data stores — which is
why it’s often referred to as dark data.
Under GDPR, we must assess what personal information we have,
where we keep it and what we are using it for. We can create business value
from our data by leveraging new insights based on reliable information. We can
improve our decision-making processes to serve customers better and more
efficiently — and gain their trust by securing their data at the same time.
So, we can add value for our customers and clients while complying with GDPR regulations if we adopt this strategic approach.
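The "know your data" step above (assess what personal information we hold and where it sits, and separate it from ROT) is usually done with a discovery scan. As an added example, not code from the original page or from any vendor's product, here is a small Python inventory scan of that kind: it walks a constructed, in-memory stand-in for an unstructured store (an old e-mail thread with a physician, an analytics extract, a slide deck, stray desktop notes), records which personal-data identifiers appear in each file, and then separates stale personal data from ROT and from personal data still in active use. The file paths and contents, the detector regexes, the reference date and the 730-day staleness threshold are all assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Reference date for age calculations (assumed; the GDPR application date).
TODAY = date(2018, 5, 25)

# Constructed stand-in for an unstructured data store: path -> (last modified, text).
# A real scan would read mailboxes, file shares and endpoints; these samples are invented.
SAMPLE_STORE = {
    "mail/2016/physician-thread.eml": (
        date(2016, 3, 2),
        "From: hr@example.com\nTo: dr.smith@clinic.example\n"
        "Subject: sick note for Anna Novak\n"
        "Anna's DOB is 1984-07-12, phone +32 470 12 34 56.",
    ),
    "analytics/customer_extract.csv": (
        date(2018, 4, 30),
        "customer_id,email,phone\n1001,j.doe@example.org,+44 7700 900123\n1002,m.li@example.net,",
    ),
    "shares/finance/q3-deck.pptx.txt": (date(2018, 5, 1), "Q3 revenue up 4%. Headcount 212."),
    "desktop/old/notes.txt": (date(2015, 1, 9), "todo: renew cert, call IT"),
}

# Detectors for common personal-data identifiers (assumed patterns, deliberately not exhaustive).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d){6,12}\b"),
    "date_of_birth": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
}


@dataclass
class Finding:
    path: str
    age_days: int
    categories: dict = field(default_factory=dict)  # category -> number of matches

    @property
    def has_personal_data(self) -> bool:
        return bool(self.categories)


def scan_store(store, today=TODAY):
    """Record, per file, which personal-data categories appear and how often."""
    inventory = {}
    for path, (modified, text) in store.items():
        finding = Finding(path=path, age_days=(today - modified).days)
        for category, pattern in PATTERNS.items():
            hits = len(pattern.findall(text))
            if hits:
                finding.categories[category] = hits
        inventory[path] = finding
    return inventory


def prioritize(inventory, stale_after_days=730):
    """Bucket files for action: stale personal data to review for erasure first,
    then ROT with no personal data, then personal data still in active use."""
    buckets = {"stale_personal_data": [], "rot_candidates": [], "active_personal_data": []}
    for finding in inventory.values():
        stale = finding.age_days > stale_after_days
        if finding.has_personal_data:
            buckets["stale_personal_data" if stale else "active_personal_data"].append(finding.path)
        elif stale:
            buckets["rot_candidates"].append(finding.path)
    return {name: sorted(paths) for name, paths in buckets.items()}


if __name__ == "__main__":
    inv = scan_store(SAMPLE_STORE)
    for f in inv.values():
        print(f"{f.path}: {f.age_days} days old, {f.categories or 'no personal data found'}")
    print(prioritize(inv))
```

The regex detectors only find identifiers that have a recognisable shape; names, free-text health details and similar data need a dictionary or classifier on top, so treat a clean scan result as "nothing obvious found", not as proof that a store holds no personal data.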
I've been reading a ton lately on GDPR and find it a fascinating topic, considering the amount of impact it will have on businesses, not just in the EU but all over the world (because if you market to, and process information of, EU data subjects then you will be impacted).
Note: I don't believe — at this time — that you can actually receive "certification" for GDPR compliance. But in my findings, there are many things you can be doing to prepare for the privacy regulations, such as the ones below.
Here are 2 GDPR webinars:
Webinar: The Journey to GDPR: Your Guide to Data Protection Technology, Tools and Key Takeaways. It addresses:
· How does the new technology landscape factor into the GDPR?
· How do you get started with your compliance program?
· What kinds of tools and assistance are available?
Key takeaways are:
· Get started on the path to ‘know your data’, which is a key prerequisite to moving forward.
· Learn how knowing your data and then protecting personal data can help you with your GDPR obligations.
· Get pointed in the right direction with 5 top tips to help you smoothly sail as you get ready for the GDPR.
Two helpful GDPR articles include:
· GDPR Training and Certification
· EUR-Lex — Access to European Union Law
THE NEW EU DATA PROTECTION REGIME FROM AN HR PERSPECTIVE
By Stefan Nerinckx, Tim Van Canneyt and Gaëtan Goossens, Fieldfisher
INTRODUCTION
Just before Christmas and after years of negotiations,
the EU institutions agreed on the text of the EU's successor privacy
legislation: the General Data Protection Regulation (GDPR).
The GDPR will replace the 'patchwork quilt' of 28
different EU Member States' laws with a single, unifying data protection law,
which should lead to significantly greater data protection harmonization
throughout the EU.
In addition to harmonizing the EU data protection legal framework, its main objectives are threefold:
· First, the GDPR increases the rights for individuals.
· Secondly, it strengthens the obligations for companies.
· Thirdly, the GDPR dramatically increases sanctions in case of non-compliance. Data protection regulators will have the powers to impose fines of up to €20,000,000 or 4% of the total worldwide annual turnover. Add to that the possibility for the regulators to impose a ban on processing or the suspension of data transfers, the risk of class actions, criminal sanctions and reputational damage, and it becomes clear that not complying with the GDPR will not be an option.
For these reasons, it is fair to say that the GDPR is the most important change in data privacy law in the last twenty years.
Moreover, it will affect all businesses, all over the world - as every organization has employees and contacts, even if they don't have individual customers.
In this article, we will provide a recap of the most significant changes that the GDPR will bring from an HR perspective. Employers process lots of HR related personal data on a daily basis. How will they be affected by the GDPR and what steps should they take to become compliant with this new set of rules?
WHERE DO PRIVACY AND HR MEET ON THE WORK FLOOR?
Maintaining the balance between the protection of the privacy of the workers and the prerogatives of the employer can be tricky in several circumstances such as in the case of body searches on workers, camera surveillance, geolocation, interrogation of workers, hotlines, the use of internet, email and social networks, etc. There are many laws that apply to this matter.
It starts with article 8 of the European Convention on Human Rights, which lays down rules concerning the protection of private and family life, the home and correspondence. Case law based on this article stipulates employees have the right to privacy, even in the workplace.
On a national level, article 22 of the Belgian Constitution deals with privacy, whereas article 29 relates to confidentiality of the mail. Article 314 bis of the Penal Code addresses the tapping of telecommunications. Interception of e-mail is covered by this legislation too.
The Employment Contracts Act, which lays down, particularly in articles 16 and 17, the rights and obligations of the employer and the employee, as well as Collective Labor Agreement (CLA) 81 on the protection of the privacy of employees with respect to the monitoring of electronic online communication data in the workplace in the private sector, are also of importance. This list is not exhaustive.
Furthermore, employers also process private information about their employees. In this area some major changes are to be expected very soon. Below you will find an overview.
Processing of HR-related data: harmonization but look out for additional local rules in the HR context
The main objective of the GDPR is to harmonize data protection laws throughout the EU. Where a group of companies is established in several EU Member States, the rules applicable to the processing of HR-related personal data will now be the same. This is an important improvement for big multinationals, which are quite often struggling to comply with the 28 local flavors of EU data protection law.
There is, however, an important caveat to be made with regard to personal data in the employment context. The GDPR expressly authorizes individual Member States to implement more specific rules in respect of the processing of HR-related personal data.
This carve-out means that specific rules regarding the processing of personal data for the purpose of recruitment, the performance of the employment contract, diversity, health and safety, etc. may still be adopted on a national level.
For HR professionals, it will therefore remain important to continue to follow national law developments in the field of privacy in the workplace, in addition to the more generic GDPR.
A BROADER SCOPE AND A GLOBAL IMPACT
The GDPR will not only apply to employers processing the personal data of their employees, but also to HR service providers that process such data on behalf of the employer ("data processors"). This is an important change compared to the current legal framework, where HR service providers (e.g. social secretariats, providers of HRIS solutions) only have a contractual obligation vis-à-vis the employer but are not directly accountable for complying with the data protection regulations.
The GDPR will also affect non-EU affiliates of a multinational if all HR data is stored in a central system, accessible to affiliates worldwide. While the mechanism for cross-border transfers of personal data has not been materially changed compared to the existing rules, it will become more important for companies to have a good understanding of the different HR data flows within and outside of the group in view of implementing the required mechanisms to legitimize these cross-border data transfers, especially since the European Court of Justice ruled that the EU-US Safe Harbor can no longer be relied on.
For intra-group cross-border transfers, Binding Corporate Rules (BCR) will become a more important and attractive means of achieving compliance under the GDPR. BCRs are now expressly mentioned in the GDPR as a lawful means of transferring personal data to group companies outside the EU, and the process for getting them approved has been further streamlined.
MORE DIFFICULT TO RELY ON CONSENT
This is a highly relevant topic in the context of HR-related data processing. Today, a lot of companies process personal data of employees on the basis of their consent. Over recent years, this approach has been increasingly criticized.
People questioned the validity of consent given by an employee, on the basis that the latter did not really have a choice due to the hierarchical relationship and the imbalance resulting therefrom. The GDPR wants to reinforce the value of consent given by a data subject. It therefore requires that consent be given unambiguously.
This means the consent must be given freely, specifically and on an informed basis. For the consent to be given freely, the refusal to give the consent should not be detrimental to the data subject. Moreover, when the consent is given through a declaration that also regulates other matters, the consent to the processing of data has to be clearly distinguishable from other matters to be valid.
This means that employers will need to carefully re-assess the legal ground on the basis of which they process HR-related data. Where they rely on consent, they will need to check whether they meet all the requirements imposed by the GDPR and bear in mind that free consent implies that it may be revoked at any time.
In most cases, companies will need to move to one of the other legal grounds to (continue to) process HR-related personal data. This could be the contractual necessity (e.g. for the processing of employee payment data), a legal obligation (e.g. for the processing of employee data in relation to social security) or the legitimate interest of the employer (e.g. in the context of employee monitoring).
However, the latter legal grounds all have their restrictions and must be narrowly construed. It may well be that a company will have to stop processing the data or limit the range of data processed, where it cannot rely on any of the legal grounds for processing laid down in the GDPR.
RESPECT THE INCREASED RIGHTS OF YOUR EMPLOYEES
The GDPR significantly enhances the rights of data subjects.
Firstly, with regard to the right to information, employers will need to provide more detailed information as to the how and why of the processing of HR-related personal data. This long list of information to be provided aims at giving more transparency to the processing of data and by doing so enhancing security.
Secondly, employees have a right of access to their data and a right to have inaccurate data rectified. These existing rights have been modified in order to bring more clarity but they are not extended that much.
Finally, under the new so-called right to be forgotten, employees will be entitled to require the employer to erase personal data about them in certain circumstances. This may be the case where the data are no longer necessary for the purpose for which they were originally collected, or where the employee has withdrawn his/her consent.
ACCOUNTABILITY – COMPANIES MUST BE ABLE TO DEMONSTRATE COMPLIANCE
The GDPR introduces a number of new obligations for companies, which should trigger a shift from paper-based compliance to actual and demonstrated compliance in the field. As a result, the obligations to notify processing activities to the data protection authorities will be abolished.
Instead, the GDPR expects companies to implement a number of measures such as: appointment of a (mandatory) data protection officer, carrying out (mandatory) privacy impact assessments and (mandatory) consultation with the data protection authorities before new data processing activities are commenced, as well as keeping records of all their processing activities. These new obligations will have a significant impact on how companies approach projects that involve the processing of personal data.
IMPLEMENT A DATA BREACH NOTIFICATION PROGRAM
On top of the accountability package, the GDPR introduces a general obligation to notify data breaches. While most US-based companies are already familiar with the concept, this will be an important change for many EU businesses and one that they do not particularly look forward to.
Where a company suffers a data breach, as a rule it must notify the data protection regulator within 72 hours. If the notification is not done within 72 hours, there has to be a justification for this delay.
If the data breach relates to HR-related data, the employer must notify the affected employees without undue delay if the breach is likely to result in a high risk to his/her rights and freedoms. To avoid notification fatigue, the GDPR contains a few exceptions to this rule, e.g. if the data was encrypted.
CONCLUSION
It is difficult to overstate the importance of the GDPR and it is clear that it will significantly affect all businesses. Employers will need to very carefully assess their current HR-related processing activities and identify the gaps with the GDPR. On the basis of this gap analysis, they will need to update their existing procedures and implement the required mechanisms to comply with the new obligations. Failure to do so may result in significant fines or other enforcement measures that could materially impede their business.
While the GDPR will only become effective in about two years from now, it is critical to start preparing the transition to the new regime as soon as possible. Indeed, the sheer scale and breadth of the changes will require a significant investment of time and resources to ensure a company's data processing policies and IT landscapes are compliant with the new rules.
Belgian State Secretary for Privacy Bart Tommelein has stated that, prior to the entry into force of the GDPR, Belgium will make changes to the current Privacy Act. This means that a number of the obligations under the GDPR will become effective under Belgian law before its official entry into force. Other EU countries may take a similar approach.
To make it simple, Varonis provides some really simple infographics for understanding GDPR.
But how are companies taking GDPR so far?
According to Help Net Security, 97 percent of companies don’t have a GDPR plan. An explanation of this survey can be found at the provided link.
Also go through the best practices for addressing GDPR requirements from Help Net Security. According to them, the main practices are:
· Hire a data protection officer (DPO)
· Deploy an access governance solution
· Control access management
· Protect the network
· Facilitate secure mobile access
· Ensure email security
These definitely add value to any organization's data security strategy. There are many data protection challenges and issues for organizations, and they must be taken very seriously to avoid legal consequences and high penalties.
Another interesting aspect is the data protection issues themselves, and it is always wise to look at them from the beginning and plan accordingly. What are the top data protection issues for HR professionals? According to Squire Sanders, an international law firm, here are the top ones.
Data Breach Response
EU Data Protection Rules impose specific requirements for
storing, processing and transferring personal data about EU employees –
employer’s liability exposure is increased by failure to prepare for data breach
incidents.
Bring Your Own Device (BYOD)
EU Data Protection Rules impose obligations on data
controllers (employers) to ensure the security of personal data they hold about
their employees.
User devices can easily pass malware and viruses onto
company platforms and impact security levels. Combining personal data of
employees with company data may complicate compliance with EU data protection
rules.
HRIS Platforms
Employers must abide by EU data protection rules when
rolling out a global HR information system involving the processing of EU
employee data outside of Europe.
Employee Monitoring and Cross-Border Investigations
EU rules limit the ability of EU legal entities to process
personal data within Europe, and to transfer it to foreign affiliates and third
parties, including non-EU governmental authorities.
Data Subject Access Requests
EU data protection rules give employees the right to
access personal data about them that is held by their employer, and also to
correct inaccurate information or request its deletion.
Proposed EU Data Protection Regulation
A new and highly controversial Regulation on data
protection is currently being debated by the EU institutions and, if adopted,
will become directly enforceable law in all EU Member States.
There are many more, and companies definitely need to take them seriously. It’s important that employers understand their responsibilities and potential liabilities under data protection law.
Employers that ignore their legal obligations risk
reputational damage and potential prosecution in the courts. However, our
research shows that, where employees feel they are under excessive monitoring
or surveillance, they have more negative attitudes to their employer and are
more likely to suffer from stress.
Employers should therefore develop policies in this area
that take a compliant, but balanced, approach and ensure that employees are
aware of, and understand their rights and obligations under data protection
law.
GDPR and the UK (Brexit Question)
https://www.shrm.org/resourcesandtools/legal-and-compliance/employment-law/pages/eu-data-protection-regime.aspx
Europe's new data protection legal framework is set
out in the General Data Protection Regulation (GDPR), which will come into
force in all EU Member States on May 25, 2018, including the U.K. Key points
follow.
Key Points
1. A new EU data protection regime came into force in all EU Member States on 25 May 2018.
2. The GDPR
will apply to the U.K. and is likely to apply after the U.K. leaves the
EU. The U.K. will still be a Member State of the EU on 25 May 2018. The
GDPR comes into effect for all Member States, and so will come into force in
the U.K. The U.K. will retain the GDPR following Brexit.
3. The GDPR is evolutionary rather than
revolutionary. The GDPR does not mark a radical departure from the current
data protection regime (i.e., in the U.K. under the Data Protection Act 1998
(DPA)). There are, however, certain key changes that will focus attention in
the pensions industry.
4. There are four key developments that will affect the pensions industry the most. The GDPR contains four key developments that trustees, employers and the pensions industry will need to grapple with. These are:
· More detailed privacy notices, while still being concise and easily understood.
· Overlapping controller and processor obligations, especially around security.
· Mandatory breach notification to regulators and members.
· More severe sanctions for noncompliance.
What's Happening on Data Protection?
Regardless of the progress of Brexit negotiations, it
is very likely that the U.K. will still be a Member State of the EU on May 25,
2018. The GDPR will therefore apply to data controllers and processors in the
U.K. on and from this date and the Great Repeal Bill will translate the GDPR
into national law.
The Information Commissioner has also made it clear
she expects that the U.K. will want to keep in step with European data
protection standards after we leave the EU in order to facilitate cross-border
transfers but also as many U.K. controllers and processors will process
personal data of European citizens and are therefore caught by the GDPR in any
event as it has extraterritorial effect.
Pension scheme trustees will, therefore, need to
comply with the GDPR from May 25, 2018.
With just over one year to go until the GDPR goes into
force, it is now time to map your data flows and start reviewing current
policies, procedures, systems and practices and ensuring you understand your
data protection obligations.
The new law is not as radical a departure from the old
law as might have been feared. Broadly speaking, data processes that are lawful
under the U.K.'s DPA are likely to remain lawful under the GDPR. This should
provide some comfort to trustees to the extent they are compliant with the
current legal requirements. This is, however, subject to four important changes
that are particularly relevant to pension schemes.
What Are the Key Changes for Pensions Under the GDPR?
1. More detailed privacy notices. The
requirements relating to privacy notices under GDPR are more detailed and
specific than under the DPA and place more emphasis on making them
understandable and accessible. Privacy notices will need to contain additional
information, such as details of the legal basis for the processing of the
personal data that is held.
Existing privacy notices will therefore need to be
reviewed and updated accordingly.
2. Overlapping controller and processor obligations,
especially around security. Under the GDPR, data processors (i.e., those
who process personal data on behalf of a data controller, such as a scheme
administrator) will, for the first time, be subject to direct legal
obligations. This significant exposure to additional legal liability will make
compliance a higher priority among actuaries, employee benefit consultants and
other advisers.
In addition, the GDPR will require agreements between
trustees and these parties to cover various data protection issues. Data
controllers (such as trustees) are not relieved of their obligations under the
GDPR even if they have delegated to a third-party data processor.
3. Mandatory breach notification to regulators and
members. Under the GDPR, breaches of the data protection requirements must
be reported to the national supervisory bodies (i.e. the Information
Commissioner's Office in the U.K.) within 72 hours. If breaches are likely to
result in a high risk to the rights and freedoms of data subjects (i.e.,
pension scheme members, employees etc.), the breach has to be communicated
directly to the affected persons without undue delay.
4. More severe sanctions for noncompliance. The
GDPR imposes significantly greater fines for non-compliance, up to the greater
value of €20 million and 4 percent of global annual turnover for the majority
of data processing that is relevant for the pensions industry.
Author: Jason Coates is an attorney with Gowling WLG
in London. ©2017 Gowling WLG. All rights reserved. Reposted with
permission of Lexology.