The new EU General Data Protection Regulation (GDPR) is the biggest shake-up in privacy legislation and data management practice for many years. It will affect any organization anywhere in the world that processes personal data relating to EU citizens. Organizations that breach the regulation can be fined up to four percent of their annual global turnover or 20 million euros, whichever is greater.
Breaches include cases where firms do not hold adequate customer consent for processing personal data, or where they violate the principle of privacy by design.
It is crucial to note that both data controllers and processors are subject to the rules, especially if they fail to either carry out a privacy impact assessment or notify the authority (ICO, the Information Commissioner’s Office, in the UK) about a breach.
In this article, we will look at GDPR from the IT security perspective, where ISO 27001 plays an important role.
GDPR: AN INSIGHT
Firstly, we investigate the main characteristics of GDPR and key differences from previous EU directives.
1. Territorial Scope
GDPR defines how EU citizens’ data must be handled by organizations inside and outside the EU. The regulation applies to the processing of personal data of EU data subjects by a data controller or processor who is not established in the EU. For example, any business that provides services or goods to EU residents is by definition processing EU citizens’ data and therefore will have to comply. In addition, GDPR covers personally identifiable data such as social media content, photos, email addresses and IP addresses.
2. Consent
GDPR has changed and reinforced the conditions of consent: it expects consent from data subjects to be requested in clear, plain language and in an easily accessible and intelligible form. Withdrawing consent must be as effortless as giving it.
3. Fines and Penalties
GDPR provides for substantial fines of up to €20m or four percent of annual revenue.
4. Privacy by Design
Processes will need to be amended to consider privacy by design whereby the controller must apply adequate technical and organizational procedures to fulfill the requirements of GDPR and protect the rights of individuals (data subjects).
5. Data Portability
Personally identifiable data must be portable: when the data subject receives it, it must be in a commonly used, machine-readable file format.
6. Right to Access
GDPR provides the right to data subjects to request the data controller to confirm whether their personally identifiable data is being processed, where, and for what purpose. In addition to this, the data controller must provide a free electronic copy of any personally identifiable data.
7. Right to be Forgotten
The data subject is entitled to request that the data controller delete his or her personally identifiable data, cease further dissemination of the data, and have third parties halt processing of the data.
8. Breach Notification
Where a data breach is likely to result in a risk to the rights and freedoms of individuals, GDPR requires a mandatory breach notification to be submitted to the relevant authority within 72 hours of the organization first becoming aware of the breach. In addition, data processors are required to notify their customers without undue delay.
9. Data Protection Officer (DPO)
Data controllers and processors will be required to appoint a DPO. However, this only applies to those controllers and processors whose core activities involve processing operations that require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data.
MAPPING IT SECURITY GOVERNANCE AND GDPR
IT governance will be impacted by the requirements of GDPR but there are benefits to organizations, too. The regulations will encourage them to have a more secure data management approach in place. Compliance will require an IT governance framework to be adjusted to encompass issues such as personal responsibilities relating to data transfer, data subject consent, and privacy by design.
GDPR is not explicit on several topics, and it could take years for the legal interpretation of such matters to become clear. The first court cases will help to provide clarity. From an IT governance point-of-view, organizations should focus on the dynamics of legal, technical and organizational factors.
As discussed, GDPR introduces several privacy arrangements and control mechanisms that are intended to safeguard personally identifiable data. Many of those controls are also recommended by ISO/IEC 27001:2013, ISO/IEC 27002:2013 and other “ISO27k” standards, as well as COBIT 5.
For example, ISO27k controls such as A.18.1.4 and A.9.1.1 relate to privacy and risk assessment. Both controls can be interpreted as addressing privacy concerns around data transfer, or privacy by design, in relation to personally identifiable information or data subject information.
Regarding COBIT, the management practices of APO01 (Manage the IT Management Framework) relate to organizational structure. COBIT 5 also refers to privacy officers with responsibility for screening the risks and organizational impacts of privacy regulations while ensuring such legislation is adhered to. This role is similar to the Data Protection Officer (DPO) whose designation Article 37 of GDPR requires.
The aspects of GDPR that directly concern IT security governance are varied. One of the main issues, however, will be to assess the capability of IT governance to identify and pinpoint identifiable personal data in the organization. This is a condition of Article 30, which requires records of processing activities.
In addition, it is a prerequisite for the data subject’s right of access in Article 15, the rectification of incorrect personal data in Article 16, and the right to be forgotten in Article 17. These requirements therefore provide a good basis for readiness: organizations with good data management in place that enables them to describe the information lifecycle will already satisfy most of the GDPR requirements.
To work towards ensuring compliance of their data, organizations should take the following actions:
- Establish and locate all personally identifiable data that is within the scope of GDPR.
- Focus explicitly on data risk management to obtain a complete risk picture of the data, categorizing it according to how and where it is processed and stored across the organization’s services and facilities.
- Note that effective data risk management requires defining adequate protection processes and procedures for the various categories of GDPR data.
- Coordinate and map data protection needs to other services and IT systems across the entire organization.
The GDPR comes into force on 25th May 2018, and the UK Government has confirmed that the UK’s decision to leave the EU will not affect commencement of the new regulation. It is evident that the new rules should provide enhanced safeguarding of personal data and give data subjects more control over their data.
With a comprehensive plan in place well in advance, organizations that act as data controllers or processors will be able to ensure compliance with the new rules in a timely manner, including an adequate testing period. Organizations will need to examine their current IT security and data assurance practices to perform a gap analysis between where they are now and where they need to be by next May at the latest.
Adopting recognized standards such as ISO 27001 and COBIT will go a long way towards achieving greater transparency over data, and building regular reviews into such activities will also support compliance going forward. Robust, tried and tested controls will support IT governance activities and protect individuals from loss of control over their personal data, and businesses from financial and, not to be underestimated, reputational loss through failure to comply with the new regulation.
In our next article, we will look at other elements of GDPR: Data Privacy by Design (DPD), Data Impact Assessment (DPI), data subject consent, dealing with data breaches, and the appointment of a Data Protection Officer (DPO).