The new EU General Data Protection Regulation (GDPR) is the biggest shake-up in privacy legislation and data management approach for many years. It will impact any organisation throughout the world that processes personal data relating to EU citizens. Organisations that breach the regulation can be fined up to four percent of their annual global turnover or 20 million Euros, whichever is greater.
Breaches will apply to firms that do not have adequate customer consent for processing their personal data or violate the principle of the privacy-by-design concepts and model.
It is crucial to note that both data controllers and processors are subject to the rules, especially if they fail to either carry out a privacy impact assessment or notify the authority (ICO, the Information Commissioner’s Office, in the UK) about a breach.
In this article, we will look at GDPR from the IT security perspective where ISO 27001 plays an important role.
GDPR: An Insight
Firstly, we investigate the main characteristics of GDPR and key differences from previous EU directives.
GDPR defines how EU citizens’ data must be handled by countries inside and outside the EU. Furthermore, the regulations will apply to the processing of personal data in the EU by a data controller or processor who is not in the EU. For example, any business that provides services or goods to EU residents is by definition processing EU citizens’ data and therefore will have to comply. In addition, GDPR encompasses personally identifiable data within social media, photos, email addresses and IP addresses.
GDPR has changed and reinforced the conditions of consent in that it expects clear, plain language consent from data subjects in an easy, accessible and intelligible form. Subsequent withdrawal of the consent must be as effortless as giving it.
3. Fines and Penalties
GDPR sanctions substantial fines of up to €20m or four percent of annual revenue.
4. Privacy by Design
Processes will need to be amended to consider privacy by design whereby the controller must apply adequate technical and organisational procedures to fulfill the requirements of GDPR and protect the rights of individuals (data subjects).
5. Data Portability
Personally identifiable data must be portable by open use of common file formats that are machine-readable when the data subject receives them.
6. Right to Access
GDPR provides the right to data subjects to request the data controller to confirm whether their personally identifiable data is being processed, where, and for what purpose. In addition to this, the data controller must provide a free electronic copy of any personally identifiable data.
7. Right to be Forgotten
The data subject is entitled to request that the data controller permanently or on-demand delete his/her personally identifiable data, cease further distribution of the data, and demand third parties halt processing of the data.
8. Breach Notification
As a data breach is likely to result in a risk to the rights and freedoms of individuals, GDPR requires a mandatory breach notification to be submitted to the relevant authority within 72 hours of the organisation first becoming aware of the breach. In addition, data processors are required to notify their customers without unnecessary delay.
9. Data Protection Officer (DPO)
It will be mandatory for data controllers and processors to appoint a DPO. However, this only applies to those data controllers and processors whose central activities entail processing operations that need consistent and systematic monitoring of data subjects on a large scale or of special groups of data.
Mapping IT Security Governance and GDPR
IT governance will be impacted by the requirements of GDPR but there are benefits to organisations, too. The regulations will encourage them to have a more secure data management approach in place. Compliance will require an IT governance framework to be adjusted to encompass issues such as personal responsibilities relating to data transfer, data subject consent, and privacy by design.
GDPR is not explicit on several topics, and it could take years for the legal interpretation of such matters to become clear. The first court cases will help to provide clarity. From an IT governance point-of-view, organisations should focus on the dynamics of legal, technical and organisational factors.
As discussed, GDPR introduces several privacy arrangements and control mechanisms that are intended to safeguard personal identifiable data. Many of those controls are also recommended by ISO/IEC 27001:2013, ISO/IEC 27002:2013 and other “ISO27k” standards, as well as COBIT 5.
For example, ISO27K controls, such as A.18.1.4 and A.9.1.1, relate to privacy and risk assessment. Both controls can be interpreted as addressing privacy concerns around data transfer or privacy by design in relation to personally identifiable information or data subject information.
Regarding COBIT, the IT Management Framework and its management practices of APO01 relate to organisational structure. COBIT 5 also refers to privacy officers with responsibility for screening the risk and organisational impacts of privacy regulations whilst ensuring such legislations are adhered to. This definition is similar to article 37 of GDPR with its requirement for the designation of a Data Protection Officer (DPO).
As discussed, the aspects of GDPR that directly concern IT security governance are varied. One of the main issues, however, will be to assess the capability of IT governance to identify and pinpoint identifiable personal data in the organisation. This is a condition of Article 30, regarding requesting records of processing activities.
In addition, it is a requirement for rights of access by the data subject in Article 15, the modification of incorrect personal data in Article 16, and the right to be forgotten in Article 17. Therefore, these requirements provide a good basis for readiness. Organisations with good data management in place that enable them to describe the information lifecycle will automatically be compliant with most of the GDPR requirements.
To work towards ensuring compliance of their data, organisations should take the following actions:
- Establish and locate all personal identifiable data that is within the scope of GDPR.
- Focus explicitly on data risk management for a complete risk picture of data, using data categorisation based on their processing and storage in various services and facilities.
- Note that an effective data risk management demands a definition of adequate protection process and procedures for the various categories of GDPR data.
- Coordinate and map data protection needs to other services and IT systems across the entire organisation.
The GDPR comes into force on 25th May 2018, and the Government has confirmed that the UK’s decision to leave the EU will not affect commencement of the new regulations. It is evident that the new rules should provide enhanced safeguarding of personal data and give data subjects more control over their data.
With a comprehensive plan in place well in advance, organisations that act as data controllers or processors will be able to ensure compliance with the new rules in a timely manner, including implementing an adequate testing period. Organisations will need to investigate their current IT security and data assurance practices to perform a gap analysis between where they are now and where they need to be by next May at the latest.
Adopting recognised standards such as ISO27001 and COBIT will go a long way towards achieving greater transparency over data, and building regular reviews into such activities will also support compliance going forward. Robust tried and tested controls will support IT governance activities and protect individuals from loss of control over their personal data, as well as businesses from financial and, not to be underestimated, reputation loss through failure to comply with the new regulations.
In our next article, we will look at other elements of GDPR in regard to Data Privacy by Design (DPD), Data Impact Assessment (DPI), data subject consent, dealing with data breaches, and the appointment of Data Protection Officer (DPO).
About the Authors:
Reza Alavi has been working in various IT positions in the last 15 years and currently working as an information Security Consultant, helping his clients to become more effective and efficient typically through the strategic of information systems, risk management and security governance. Previously, Reza was working for a number of business consultancy firms which specialise in wide range of consultancy services such as information and IT security, risk management, business continuity, security governance and strategy in the Middle East.
Juliet Flavell formerly worked in the high pressure environment of IT project management and service provision within the legal sector. In 2016 she became accredited as a Chartered IT Professional and currently runs a technology non-profit organisation.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.