This white paper delivers the core facts you need to understand the fundamental nature of the GDPR regulations and what they mean for your business and the management of its data.
If you are in the IT business and you have not yet
heard of General Data Protection Regulations
(GDPR), you might need to read this ASAP. If you
have heard of it but are not sure what it is all about,
this is a good time to get educated. A Gartner study
predicts that more than 50% of companies covered
by GDPR will not be in full compliance by the end
of 2018. Another study by SAS reports that only
45% of companies surveyed have a structure in
place and 58% admit that they are not aware of
the consequences for non-compliance.
Like most government regulations, GDPR is long and
complex. GDPR bestows new and specific rights to
data subjects and requires new controls be put in place
by data controllers and processors. Specifically, here
is how the regulation defines personal data. “Personal
data is any information that can identify an individual
person. This includes a name, an ID number, location
data (for example, location data collected by a
mobile phone) or a postal address, online browsing
history, images or anything relating to the physical,
physiological, genetic, mental, economic, cultural or
social identity of a person.” Note that this definition
is quite broad and will require significant changes in
IT process and organization. As with many laws and
regulations, ignorance is no excuse. Further, GDPR
consequences for non-compliance are significant.
Therefore, it is recommended to spend some time
understanding this regulation, officially called
“Regulation (EU) 2016/679.” In the meantime, here
are a few key points.
GDPR was passed by the European Commission, The
Council of the European Union and the European
Parliament. It is broad in its scope and reach across
the EU and consequences for non-compliance can be
severe. Although the GDPR was passed in April of
2016, it does not take effect until May 25, 2018. In
the meantime, let's take a quick look at the purpose,
scope and consequences for non-compliance.
GDPR is a regulation intended to strengthen and unify
data protection for all individuals within the European
Union (EU). It also addresses the export of personal
data outside the EU. The primary objective of the
regulation is to give residents control of their personal
data and to simplify the regulatory environment for
international business by unifying the regulation within
the EU.
In general, regulatory compliance can be
cumbersome and costly. The GDPR, however, unifies
data protection regulations across the EU making
it easier for international companies to understand
and comply with one rather than many conflicting
regulations. GDPR consolidates the cyber security
and privacy regulatory environment and standardizes
penalties for non-compliance. Sanctions for breach
can range from a warning for a first offense or unintended
non-compliance to fines up to 10,000,000
euro.
The most significant change from previous regulations
that GDPR adds to other regulations is the accountability
principle. Organizations will be required to show
how they comply with the principles by documenting
decisions taken about a processing activity.
Counting Down to GDPR in the EU
www.networkcritical.com
Who Needs to Comply?
Organizations that collect data from EU residents
(controllers) and organizations that process data on
behalf of controllers (processors) such as cloud service
providers and similar contractors are governed by
this regulation. Even organizations based outside the
EU that collect personal data from EU citizens are
held accountable for GDPR compliance. It does not
matter if your organization is small or global. If your
business is deemed a “controller” or a “processor”
you must comply with GDPR. The UK confirmed that
the decision to leave the European Union will not
affect the requirements to implement GDPR.
Key Points
Here are some thoughts consolidated from various
sources to keep in mind while you prepare for GDPR
compliance:
◆◆ Who is Responsible for GDPR Compliance - As
stated above, all companies processing or controlling
personal data that have customers in the EU need to
comply. Even companies in the UK post Brexit who
have customers in the EU will be governed by GDPR.
◆◆ Data subjects' rights - Data subjects are customers
who provide personal data to a company. Data
subjects have expanded privacy rights including the
right of erasure, the right to access their data, and to
question decisions made purely on algorithmic basis.
◆◆ Internal record keeping requirements - There are
specific record keeping requirements that may include
the appointment of a Data Protection Officer in order
to manage compliance, audits and record keeping.
These regulations are broad and penalties are severe.
Cross functional requirements will likely require a
specialist who will manage compliance throughout
the organization.
◆◆ Cross Border Data Processing - When utilizing data
processors outside of the EU, companies need to be
sure that GDPR regulations are followed.
◆◆ Training - There will be new rights bestowed upon
data subjects. Staff must be trained to understand
and comply with these rights when requested.
◆◆ Pseudonymisation - This is a GDPR requirement to help
keep data subjects' information safe. While subjects'
data is under the control of a processor or a controller
it shall be pseudonymized. This covers encryption and
other methods of disguising data so that it
can not be attributed to a specific data subject without
a key. Further the key must be kept separately from the
pseudonymized data. Essentially, don’t encrypt data
then keep the key with the encrypted data. This idea
sounds simple but it is surprising how often hackers
find the keys to the safe sitting on top of the safe.
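The key-separation point above, as an added example that is not part of the original paper: a customer table is pseudonymised with a keyed HMAC, the working copy keeps only the pseudonym and non-identifying attributes, and the HMAC key plus the re-identification table live in a separate store. All records, field names and store names are constructed for illustration; the code uses only the Python standard library.

```python
# Added example (not from the paper): pseudonymising a customer table so that
# a processor's working copy cannot be tied to a person without a key that is
# held in a separate store. Standard library only; all records are constructed.
import hashlib
import hmac
import secrets

# Constructed sample records for fictional people.
CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Ada Example", "email": "ada@example.org",
     "country": "DE", "orders": 3},
    {"customer_id": "C-1002", "name": "Ben Sample", "email": "ben@example.net",
     "country": "FR", "orders": 1},
]
# Fields that directly identify a person and must not stay in the working table.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email")


def make_pseudonym(key: bytes, customer_id: str) -> str:
    """Keyed HMAC-SHA256 of the identifier. Without the key nobody can
    recompute the pseudonym, so a stolen working table alone does not
    reveal who each row is."""
    return hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(key: bytes, records: list) -> tuple:
    """Split the dataset in two: a working table (pseudonym plus the
    non-identifying attributes) and a re-identification table
    (pseudonym -> direct identifiers). The second belongs with the key,
    in a store separate from the first."""
    working, reident = [], {}
    for rec in records:
        p = make_pseudonym(key, rec["customer_id"])
        attrs = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"pseudonym": p, **attrs})
        reident[p] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return working, reident


def reidentify(reident: dict, pseudonym: str):
    """Only the party holding the separate table can go back to the person."""
    return reident.get(pseudonym)


def leaks_identifiers(working: list) -> bool:
    """True if any direct identifier survived pseudonymisation."""
    return any(k in DIRECT_IDENTIFIERS for rec in working for k in rec)


def key_stored_with_data(data_store: dict) -> bool:
    """The 'key on top of the safe' check: the working store must carry
    neither the HMAC key nor the re-identification table."""
    return "pseudonym_key" in data_store or "reident_table" in data_store


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated and kept in the key store
    working, reident = pseudonymise(key, CUSTOMERS)
    data_store = {"records": working}      # what the processor works on
    key_store = {"pseudonym_key": key, "reident_table": reident}
    print("identifiers leaked:", leaks_identifiers(working))
    print("key co-located with data:", key_stored_with_data(data_store))
    print("re-identified:", reidentify(key_store["reident_table"],
                                       working[0]["pseudonym"]))
```

The HMAC is deterministic for a given key, so the same customer always maps to the same pseudonym and analytics on the working table still line up; change the key and every pseudonym changes, which is what makes a leaked working table useless on its own.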
Rights of Data Subjects
In addition to the data protection requirements, GDPR
includes individual protections like a data subject bill
of rights. GDPR sets out specific rights with which
processors and controllers must comply. These data
subject individual rights include:
◆◆ The right to be informed about what is being done
with data,
◆◆ The right of access,
◆◆ The right to rectification,
◆◆ The right to erasure,
◆◆ The right to restrict processing,
◆◆ The right to data portability,
◆◆ The right to object,
◆◆ Other rights related to automated decision making
and profiling.
As you can see from this list, data subjects have new
power over their personal data held by processors
and controllers. For years, organizations had little
direct responsibility to the data subject regarding their
personal information. Therefore, the controls on access
and management of that data have typically been lax.
It will now be important for these organizations to
establish processes that will keep records current and
delete or archive information that is not active.
Many organizations keep all customer/subject data
in the files for use with outbound marketing, sales and
other customer outreach functions. Often, there are
few restrictions within the organization regarding who
has access to that information and how it is used.
That will change under GDPR. It will be prudent
to set specific policies regarding how long data
subject data should be in active files and whether
or when it should be deleted or archived. The type
and frequency of outreach to the data subject for
permission to update and maintain their information
should also be considered.
Access to stored information is a process that will
likely change in many organizations. Historically,
customer data is readily available to anyone in
the organization with a computer. With increased
scrutiny on protection of customer information, it may
be a good idea to develop strict data access policies
throughout the organization. A good example is
the Equifax breach in the United States where 450
million customer records were stolen. The damage
here could have been greatly reduced if access to
that information were segmented and layered. Even
if one access level were breached, other levels may
have still been protected. No one in any organization
has a need for permanent permission to access all the
data all the time.
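The segmented, layered access the paragraph argues for, as an added example that is not part of the original paper: every grant names one data segment, one operation and an expiry, a request succeeds only when a live grant matches all three, and an audit function flags grants that amount to permanent access to everything. The principals, segment names and dates are constructed for illustration.

```python
# Added example (not from the paper): segmented, time-bound access to customer
# data. A compromised account reaches only the segments its live grants cover,
# and grants with far-off expiries are flagged as standing access.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    principal: str        # who holds the grant
    segment: str          # which slice of data, e.g. "customers/eu"
    operation: str        # "read" or "write"
    expires_at: datetime  # grants are never permanent


def is_allowed(grants, principal, segment, operation, now):
    """A request succeeds only if an unexpired grant matches all three fields."""
    return any(
        g.principal == principal and g.segment == segment
        and g.operation == operation and g.expires_at > now
        for g in grants
    )


def reachable_segments(grants, principal, now):
    """Blast radius: the segments this principal can touch right now."""
    return sorted({g.segment for g in grants
                   if g.principal == principal and g.expires_at > now})


def find_standing_access(grants, now, max_days=90):
    """Flag grants whose expiry lies beyond the policy ceiling; these are the
    'all the data all the time' grants the paper warns against."""
    limit = now + timedelta(days=max_days)
    return [g for g in grants if g.expires_at > limit]


# Constructed sample policy: three data segments, three principals.
NOW = datetime(2018, 1, 15, tzinfo=timezone.utc)
GRANTS = [
    Grant("marketing-app", "customers/eu", "read", NOW + timedelta(days=30)),
    Grant("support-desk", "customers/eu", "read", NOW + timedelta(days=7)),
    Grant("support-desk", "customers/us", "read", NOW + timedelta(days=7)),
    Grant("legacy-etl", "customers/eu", "read", NOW + timedelta(days=3650)),
    Grant("legacy-etl", "customers/us", "read", NOW + timedelta(days=3650)),
    Grant("legacy-etl", "payments", "write", NOW + timedelta(days=3650)),
]

if __name__ == "__main__":
    print(is_allowed(GRANTS, "marketing-app", "customers/eu", "read", NOW))
    print(is_allowed(GRANTS, "marketing-app", "payments", "read", NOW))
    print(reachable_segments(GRANTS, "legacy-etl", NOW))
    for g in find_standing_access(GRANTS, NOW):
        print("standing access:", g.principal, g.segment, g.operation)
```

Because grants are scoped to a segment, a leaked marketing credential exposes only the EU customer segment it was granted, not payments or other regions; the audit output shows why the ten-year "legacy-etl" grants are the ones to shorten first.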
Determine Lawful Basis
Under GDPR, organizations will be required to
determine and document a lawful basis for processing
personal information. The lawfulness of processing
conditions include:
◆◆ Consent of the data subject
◆◆ Processing is necessary for the performance of a
contract with the subject
◆◆ Processing is necessary to be in compliance with a
legal obligation
◆◆ Processing is necessary to protect the vital interests of
a data subject or another person
◆◆ Processing is necessary in the performance of a task
carried out in the public interest or in the exercise of
official authority vested in the controller
◆◆ Processing is necessary for the purposes of legitimate
interests pursued by the controller or a third party,
except where such interests are overridden by the
interests, rights or freedoms of the data subject.
There are other special categories of data which have
their own special conditions such as employment
related data, data of persons incapable of providing
consent, not-for-profit organizations and others. It is
recommended that all sections of these categories be
reviewed.
Breach Reporting
Reporting a breach will become a requirement under
GDPR. There will be requirements for organizations
to report a breach to the supervisory authority. In
addition, depending on the type of breach and
the information that was taken, notification of the
individuals affected may also be necessary. The
notification will require more information than a
simple statement such as, “ABC organization has
experienced a data breach.” The notification will
need to include the nature of the breach, categories
and number of individual records lost, name and
contact information of the Data Protection Officer, a
description of the consequences to the individuals and
detail of the measures to be taken by the organization
to mitigate any potential damage to the individuals.
As noted above, penalties for not reporting a breach
within 72 hours of the organization becoming aware
of it can be quite severe.
Data Protection Officer
It is apparent that a new IT specialty will soon be in high
demand, Data Protection Officer. This position will
require data networking and IT skills as well as the ability
to understand complex legal requirements, develop
GDPR compliant data protection, documentation
and reporting policy, work across functional areas
and develop training requirements for IT and non-IT
employees within organizations. This should be a
high level function with the authority to set and enforce
internal consequences for policy breaches. As we
have seen, the accountability principles of GDPR put
a heavy burden on organizations that do not comply
with the regulations. The Data Protection Officer will
be a critical internal GDPR advocate, compliance
officer and enforcer to protect the organization from
the liability of non-compliance.
Time is of the Essence
You may be thinking that there is plenty of time to
get ready for GDPR. Hopefully, after reading this paper,
you are now motivated to learn more about GDPR.
As you prepare or adjust your 2018 budget, be
sure to include a high level position of Data Protection
Officer. You will also want to include funds for
increased documentation requirements and new
employee training on GDPR compliance throughout
your organization.
Protection Technology
Of course there are many other requirements for GDPR
compliance such as Privacy by Design and Default,
Data Portability and more. Certain appliances such
as Data Loss Protection and Intrusion Prevention
Systems, may assist in protection from what can
be very expensive breaches and sanctions for non-
compliance. These appliances can be simply and
safely attached to data links by using TAPs and
packet brokers without risking network performance
or availability. So, while you are preparing for
GDPR compliance, be sure your perimeter protection
is also up to date with appropriate traffic visibility and
link security. For more information on visibility and
perimeter protection go to www.networkcritical.com.
Deploying cyber security technology, diligent
employee training on email use and data access,
as well as a well-defined network security policy with
consequences will help keep data secure. The best
way to deal with a breach is to not have a breach.
W03-1217-01
2017 Network Critical Solutions Ltd. All rights reserved