The goal of the GDPR is to provide greater privacy protection for EU citizens by updating existing EU data protection in light of today’s digital world.
Guest Blog
By Greg Garner
U.S. companies that handle data belonging to customers living in the European Union may not realize that they will be subject to the General Data Protection Regulation when it takes effect May 25, 2018. The EU’s digital privacy and data protection law has taken on new significance following an executive order from the U.S. government in January, 2017. A modification of the Privacy Shield agreement with EU regulators means the GDPR will include extraterritoriality, which will require U.S. firms to properly secure information collected from EU citizens. As awareness of the extraterritorial nature of the law grows, expect many U.S. firms to put compliance on the front burner before it’s too late.
A Controller (information gathering organization) is responsible for the full process chain of entities that may interface with the Personal Identifiable Information (PII) of an EU citizen. The Controller can lose data control via data storage in the cloud, data sent to mobile devices, collaboration with third part vendors (this is where DocOrigin fits into GDPR).
The “Owner” of the PII is the customer. The customer is at the top if the pyramid of the PII. This can be represented in the following diagram:
GDPR highlight topics :
- Consent – Valid consent must be explicit for data collected and the purposes data is used for. Consent for children must be given by the child’s parent or custodian, and be verifiable. Data controllers must be able to prove “consent” (opt-in) and consent may be withdrawn.
- Breach Notification (within 72 hours) – Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not subject to any de minimis standard and must be reported to the Supervisory Authority within 72 hours of the data breach. Individuals have to be notified if adverse impact is determined. In addition, the data processor will have to notify the controller without undue delay after becoming aware of a personal data breach.
- Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not subject to any de minimis standard and must be reported to the Supervisory Authority within 72 hours of the data breach. Individuals have to be notified if adverse impact is determined. In addition, the data processor will have to notify the controller without undue delay after becoming aware of a personal data breach. However, the data processor or controller does not have to notify the data subjects if anonymized data is breached. Specifically, the notice to data subjects is not required if the data controller has implemented pseudonymization techniques like encryption along with adequate technical and organizational protection measures to the personal data affected by the data breach.
- Right to access – Under the GDPR, individuals will have the right to obtain:
- Confirmation that their data is being processed;
- Access to their personal data; and
- Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice
- Right to be forgotten – A right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014. The data subject has the right to request erasure of personal data related to them on any one of a number of grounds including non-compliance with lawfulness that includes a case where the legitimate interests of the controller is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
- Rules regarding data portability – A person shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller. Data that has been sufficiently anonymized is excluded, but data that has only been de-identified but remains possible to link to the individual in question, such as by him or her providing the relevant identifier, is not. Both data that has been ‘provided’ by the data subject, and data that has been ‘observed’ — such as about their behavior — is within scope. In addition, the data must be provided by the controller in a structured and commonly used Open standard electronic format. Legal experts see in the final version of this measure a “new right” created that “reaches beyond the scope of data portability between two controllers.
- Data privacy by design/default – Data protection by Design and by Default requires that data protection is designed into the development of business processes for products and services. This requires that privacy settings must be set at a high level by default, and that technical and procedural measures should be taken care by the controller in order to make sure that the processing, throughout the whole processing life cycle, complies with the regulation. Controllers should also implement mechanisms to ensure that personal data is only processed when necessary for each specific purpose.
A report by ENISA (the European Union Agency for Network and Information Security) elaborates on what needs to be done to achieve privacy and data protection by default. It specifies that encryption and decryption operations must be carried out locally, not by remote service, because both keys and data must remain in the power of the data owner if any privacy is to be achieved. The report specifies that outsourced data storage on remote clouds is practical and relatively safe, as long as only the data owner, not the cloud service, holds the decryption keys.
- Data Protection Officer (DPO – a new position that is defined within the GDPR) The requirement to have a Data Protection Officer is new for many EU countries and criticized by some for its administrative burden.
Tasks:
- Get to know GDPR – 88 page booklet
- Conduct an audit
- Build a GDPR asset database
- Create a Risk model (DPIA)
- Vulnerabilities and threats
- Asset Value
- Indecent Response Plan
- Continuous Improvement
- Data collection, processing and analytics
- Assets
- Vulnerabilities
- Known Threats
- Data Classification
- PII (Personal Identifiable Information vs. non-PII)
- GDPR Automation
- Incident response workflow
- Process Orchestration
- Automated data collection
- Automated Remediation
- Incident response workflow
GDPR timeline
Now through October
Data discovery and classification
Asset discovery
Business Review
IT departments should review everything from defenses against external threats to the privacy and security of structured data running through enterprise resource planning systems and other applications.
November through January
Data purging
Risk Planning
Controls development testing
Reporting structure
Incident Response planning
Controls and Incident Response testing
Conclusions
- GDPR is imminent.
- GDPR is a sign of things to come.
- An organization may either embrace or resist the trend of GDPR.
- Requires management buy-in.
- GDPR provides an opportunity to improve risk management.
- GDPR provides an opportunity to get closer to the customer.
Challenge to GDPR in practice:
The biggest challenge might be the implementation of the GDPR in practice:
- The implementation of the EU GDPR will require comprehensive changes to business practices for companies that had not implemented a comparable level of privacy before the regulation entered into force (especially non-European companies handling EU personal data).
- There is already a lack of privacy experts and knowledge as of today and new requirements might worsen the situation. Therefore education in data protection and privacy will be a critical factor for the success of the GDPR.
- The European Commission and DPAs have to provide sufficient resources and power to enforce the implementation and a unique level of data protection has to be agreed upon by all European DPAs since a different interpretation of the regulation might still lead to different levels of privacy.
- Europe’s international trade policy is not yet in line with the GDPR.