With less than 8 months to go, few CEOs and their CIOs can have failed to have heard of GDPR. However, we are still receiving calls from businesses that have yet to implement any measures to comply with the 25th May 2018 deadline.
While GDPR is about protecting personal data – our employees, our customers, and any other individual’s data that is processed or stored by our organisations – it is also about protecting your business too. Fines of up to €20 million (or 4% of annual gross turnover) provides a compelling reason to act now and ensure your business is compliant.
GDPR is an EU directive that aims to consolidate data protection regulations across EU member states. Currently national laws on data protection means there is a variety of interpretations on data privacy. GDPR is also the successor to a previous directive dating from 1995. Since then we have seen a huge amount of innovation that impacts data privacy and this new legislation increases the scope of the 1995 directive to address these challenges.
Below is an overview of the key factors you need to understand to get started with GDPR. For a more detailed analysis our partners Beta Systems have written a useful whitepaper exploring GDPR – download a copy here. You may also be interested in an event we’re hosting in London on the 18th October 2017 called GDPR: What’s The Fuss About? details here.
What businesses are affected by GDPR?
In short, everyone.
GDPR affects all businesses that collect and process personal data on EU nationals or individual’s resident in the EU: including citizens from non-EU countries that are ‘in the EU’. If your business is based in an EU member state, this means you. If your business is outside the EU but handles personal data from individuals in the EU, it means you.
Processing of personal data in GDPR
GDPR governs the processing of all personal data.
Processing refers to the collection of any data on an individual in the EU for any purpose. This ranges from data collected for the innocuous company newsletter and other marketing activities, to data stored pertaining to employees, customer data used to facilitate transactions and any other personal data the organisation collects.
The new legislation is also very clear on how data is processed according to the purpose it has. Namely that personal data can only be processed if there is a clear purpose for doing so, and that only relevant data to this purpose can be collected. It can’t then be used for other purposes:
“[data can only be] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;”
What constitutes ‘personal data’? In the context of this legislation it is defined as, “any information relating to an identified or identifiable natural person (‘data subject’)”.
Rights for individuals
GDPR gives individuals – you and me – new rights that organisations must comply with. These are:
- The right to be informed – controllers (the entity that determines the purpose of collecting personal data) must provide information to data subjects regarding the collection and processing of their personal data.
- The right of access – data subjects may request a copy of the personal data being processed; therefore, organisations must have the systems in place to provide this.
- The right to rectification – data subjects have the right to have inaccurate or incomplete data is erased or rectified.
- The right to erasure – data subjects have the right to erasure of personal data (the “right to be forgotten”) if the data is no longer needed for its original purpose, the data subject withdraws the given consent, and no other lawful ground exists or the data has been processed unlawfully.
- The right to restrict processing – data subjects have the right to restrict the processing of personal data under certain conditions.
- The right to data portability – data subjects have a right to receive a copy of their personal data in a commonly used machine-readable format, and transfer their personal data from one controller to another or have the data transmitted directly between controllers.
- The right to object – if the processing of personal data is based on public interest or legitimate interests of the controller, data subjects have the right to object to the processing of personal data.
- Rights in relation to automated decision making and profiling.
Obligations of controllers and processors
Controllers (those entities that determine the purpose of collecting and processing data) and processors (those entities that processes personal data on behalf of the controllers) have specific obligations under GDPR.
For example, controllers must be able to demonstrate that processes and measures are in place that ensure they comply with the GDPR framework. This means organisations must be prepared to face audits. Section V of GDPR sets out the ‘Codes of conduct and certification’ that provides controllers with a framework to ensure compliance.
Security of personal data
As well as data privacy, GDPR also addresses data protection in the section on ‘Security of personal data’. The main principle of this is that controllers and processors must have suitable measures in place to protect personal data from theft. The onus is on the organisation to assess risk and threats and ensure adequate security measures are in place.
However, the following are identified as minimum requirements:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Authorities and Sanctions
As mentioned at the top of this article, organisations face fines of up to €20 million for a violation of GDPR. Currently the ICO in the UK only has the power to fine up to £500,000. Each member state will be responsible for monitoring GDPR by appointing independent public authorities to do so. They will be expected to collaborate with their opposing bodies in other member states.
How does IAM fit into GDPR?
At Burning Tree we have a particular interest in Identity and Access Management (IAM) and how these systems can be deployed to protect personal data and help organisations become GDPR compliant.
A requirement of GDPR is that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures”
GDPR also requires the controller to “implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”
Set out in the minimum requirements for the security of personal data is the clause that controllers must have “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”
All these requirements can be achieved with effective IAM systems; in fact, the latter would be hard not to achieve without such solutions.
If your organisation has not got the systems in place to comply with GDPR by next May, it is time to get support. Software vendors like Beta Systems have IAM solutions that are straightforward to implement and will remove much of the GDPR burden from your CIO.
Burning Tree is hosting a free event for business leaders and information security professionals in London called GDPR: What’s All The Fuss About? To register for this event, click here.