[data can only be] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;”
What constitutes ‘personal data’? In the context of this legislation it is defined as, “any information relating to an identified or identifiable natural person (‘data subject’)”.
Rights for individuals
GDPR gives individuals – you and me – new rights that organisations must comply with. These are:
- The right to be informed – controllers (the entity that determines the purpose of collecting personal data) must provide information to data subjects regarding the collection and processing of their personal data.
- The right of access – data subjects may request a copy of the personal data being processed; therefore, organisations must have the systems in place to provide this.
- The right to rectification – data subjects have the right to have inaccurate or incomplete data rectified or erased.
- The right to erasure – data subjects have the right to erasure of personal data (the “right to be forgotten”) if the data is no longer needed for its original purpose, if the data subject withdraws consent and no other lawful ground for processing exists, or if the data has been processed unlawfully.
- The right to restrict processing – data subjects have the right to restrict the processing of personal data under certain conditions.
- The right to data portability – data subjects have a right to receive a copy of their personal data in a commonly used machine-readable format, and transfer their personal data from one controller to another or have the data transmitted directly between controllers.
- The right to object – if the processing of personal data is based on public interest or legitimate interests of the controller, data subjects have the right to object to the processing of personal data.
- Rights in relation to automated decision making and profiling.
Obligations of controllers and processors
Controllers (those entities that determine the purpose of collecting and processing data) and processors (those entities that process personal data on behalf of controllers) have specific obligations under GDPR.
For example, controllers must be able to demonstrate that processes and measures are in place to ensure they comply with the GDPR framework. This means organisations must be prepared to face audits. Section V of GDPR sets out ‘Codes of conduct and certification’, which provides controllers with a framework for ensuring compliance.
Security of personal data
As well as data privacy, GDPR also addresses data protection in the section on ‘Security of personal data’. The main principle is that controllers and processors must have suitable measures in place to protect personal data from theft. The onus is on the organisation to assess risks and threats and to ensure that adequate security measures are in place.
However, the following are identified as minimum requirements:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Authorities and Sanctions
As mentioned at the top of this article, organisations face fines of up to €20 million for a violation of GDPR. Currently the ICO in the UK only has the power to fine up to £500,000. Each member state will be responsible for monitoring GDPR by appointing independent public authorities to do so, and these authorities will be expected to collaborate with their counterparts in other member states.
How does IAM fit into GDPR?
At Burning Tree we have a particular interest in Identity and Access Management (IAM) and how these systems can be deployed to protect personal data and help organisations become GDPR compliant.
A requirement of GDPR is that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures”
GDPR also requires the controller to “implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”
Set out in the minimum requirements for the security of personal data is the clause that controllers must have “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”
All of these requirements can be met with effective IAM systems; in fact, the last of them would be hard to achieve without such solutions.
If your organisation does not have the systems in place to comply with GDPR by next May, it is time to get support. Software vendors like Beta Systems have IAM solutions that are straightforward to implement and will remove much of the GDPR burden from your CIO.
Burning Tree is hosting a free event for business leaders and information security professionals in London called GDPR: What’s All The Fuss About? To register for this event, click here.