General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation covers all companies that deal with data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies. GDPR came into effect across the EU on May 25, 2018.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and is designed to:
- Harmonize data privacy laws across Europe,
- Protect and empower all EU citizens' data privacy, and
- Reshape the way organizations across the region approach data privacy.
GDPR reshapes the way in which sectors manage data, as well as redefines the roles for key leaders in businesses, from CIOs to CMOs. CIOs must ensure that they have watertight consent management processes in place, whilst CMOs require effective data rights management systems to ensure they don’t lose their most valuable asset – data.
Below is an illustration of the GDPR timeline.
Requirements of the GDPR of 2018
The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles that have the greatest potential impact on security operations:
- Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).
- Articles 23 & 30 – Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.
- Articles 31 & 32 – Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify Supervisory Authorities (SAs) of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach, such as its nature and the approximate number of data subjects affected. Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high risk.
- Articles 33 & 33a – Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
- Article 35 – Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with SAs. Some companies may be subjected to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.
- Articles 36 & 37 – Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.
- Article 45 – Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.
- Article 79 – Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.
GDPR Compliance Steps
Following the General Data Protection Regulation compliance steps detailed below will not only help diminish data breach risks and help organisations comply with the GDPR, but also build trust with customers and support business growth.
source: CMS Distribution
Step 1: Strategic planning for GDPR in your organisation: The General Data Protection Regulation brings enhancements of existing data protection legislation, as well as new requirements. Unless there is full visibility of the current state of the data privacy framework, it will be difficult to assess the extent of the work required to achieve compliance with the GDPR.
- Conduct in-depth research to understand the organisation’s current situation in relation to compliance.
- Check if the organisation needs to appoint a Data Protection Officer (DPO) to take responsibility and control of data protection issues in the company.
Step 2: Data mapping and audit: An essential step in preparing for compliance with the General Data Protection Regulation (GDPR) is conducting a data mapping and audit.
- Map out all of the organisation’s data flows: draw up an extensive inventory of the data to gain a comprehensive understanding of where the data flows from, within and to.
- Start the audit process to assess data protection practices around those flows of information and look at whether you have effective policies and procedures in place.
Step 3: Policy development and review: Building consensus up-front is the key to any successful GDPR compliance project. It needs to be driven from the CEO/managing director downwards.
- Focus on policy development and review. Start by formalising the GDPR project with the key stakeholders: management, HR, operations, IT, accounting, marketing, etc.
- Create an action plan that includes all the tasks that need to be completed before the GDPR comes into force.
- Focus on the priorities – the key areas where there might be a high risk of data breaches.
Step 4: Staff training and awareness: The pivotal component of any organisation’s GDPR compliance framework is employee awareness and education.
- Survey your employees to evaluate their current understanding of the General Data Protection Regulation and their knowledge gaps.
- Create training/workshops for your staff.
- Prioritise training for those who work in the key areas of your organisation that involve high-risk or high-volume processing, such as marketing and HR.
Step 5: Business support and monitoring for compliance: Put standards and procedures in place in order to mitigate the risks of potential data breaches.
- Creating and monitoring privacy policies and procedures should be a priority.
- Implement and monitor organisational controls to comply with the GDPR.
- Determine which provisions of the GDPR will apply to the organisation and who will be responsible for the General Data Protection Regulation implementation.
- Set up appropriate measures to evaluate how the organisation will comply with GDPR requirements.
- Monitor issues with compliance with data protection legislation.
- Carry out independent testing and quality assurance to ensure that data protection processes and procedures are being adhered to.
- Log instances of non-compliance and undertake analysis to identify trends in non-compliance.
- Establish clear processes for reporting data breaches to the data protection officer to ensure that data breaches are brought to the attention of the regulator within the time frames laid down by the GDPR.
GDPR Accountability and Compliance
Companies covered by the GDPR are accountable for their handling of people's personal information. This can include having data protection policies, data protection impact assessments and having relevant documents on how data is processed.
In recent years, there have been a score of massive data breaches, including millions of Yahoo, LinkedIn, and MySpace account details. Under GDPR, the "destruction, loss, alteration, unauthorised disclosure of, or access to" people's data has to be reported to a country's data protection regulator where it could have a detrimental impact on those who it is about. This can include, but isn't limited to, financial loss, confidentiality breaches, damage to reputation and more. The ICO has to be told about a breach within 72 hours of an organisation finding out about it, and the people it impacts also need to be told.
For companies that have more than 250 employees, there's a need to have documentation of why people's information is being collected and processed, descriptions of the information that's held, how long it's being kept for and descriptions of technical security measures in place.
Additionally, companies that have "regular and systematic monitoring" of individuals at a large scale or process a lot of sensitive personal data have to employ a data protection officer (DPO). For many organisations covered by GDPR, this may mean having to hire a new member of staff – although larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers. "It means the data protection will be a boardroom issue in a way it hasn't in the past combined," Denham says.
There's also a requirement for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person's information, it has to clearly explain that consent is being given and there has to be a "positive opt-in". A blog post from Denham explains there are multiple ways for organisations to process people's data that don't rely upon consent.
In addition to any criminal offences defined under national law, the following sanctions can be imposed under Article 83 GDPR:
- a warning in writing in cases of first and non-intentional noncompliance
- regular periodic data protection audits
- a fine up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, if there has been an infringement of the following provisions (Article 83, Paragraph 4):
  - the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, and 42 and 43
  - the obligations of the certification body pursuant to Articles 42 and 43
  - the obligations of the monitoring body pursuant to Article 41(4)
- a fine up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, if there has been an infringement of the following provisions (Article 83, Paragraphs 5 & 6):
  - the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7, and 9
  - the data subjects' rights pursuant to Articles 12 to 22
  - the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49
  - any obligations pursuant to member state law adopted under Chapter IX
  - noncompliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1)