My goodness! D-Day, May 25 is right around the corner! GDPR is thought by many to be the regulation of regulations approved in 2016 and scheduled to be enforced by May 25, 2018.
Many customers are still asking, What is GDPR? At a very basic level, GDPR is the General Data Protection Regulation developed to strengthen the rights of individuals in the European Union (EU). Honestly, it’s a representation of all the controls measures that a mature organization should already have in place in regard to user rights with a mandatory reporting requirement cherry on top!
Over the past few months, the industry has moved from asking general questions to asking more specific questions to help them gravitate towards the direction of readiness. Once you surpass the compliance basics (which is no simple task) such as identifying where personal data resides across all devices, applications, and system platforms, then the fun begins. This includes consideration of where the data is collected and stored, understanding why it was collected, how it is processed and shared, as well as how long it is retained. All of these are required considerations under the regulation. Here are some common and not so common GDPR FAQ’s:
Q: What constitutes “personal data” for GDPR?
A: Forget the simple term PII (Personally Identifiably Information). While the term at its base level still applies, GDPR extends well beyond the items most people recognize in terms of PII such as name, address, SSN, and credit card number. Some additional items can include an email address, bank details, social networking posts, computer IP address, political opinions, religious or philosophical beliefs, genetic data, biometric data, and sexual orientation to name a few. Basically, any information that can be tied to an actual person’s private, professional or professional life is considered “personal data”.
Q: What is a Data Subject?
A: The term used to refer to a “natural” person whose personal data is processed by a controller or processor.
Q: What is a Data Controller?
A: A Data Controller is the entity that determines the purposes, conditions and means of the processing of personal data. This can simply be referred to as the ‘company’ or ‘organization’ processing customer data.
Q: What is a Data Processor?
A: A Data Processor is an entity which processes personal data on behalf of the Data Controller.
Q: What is a DPO and when is one needed?
A: A DPO is a Data Protection Officer. A DPO must be appointed in the case of: (a) public authorities (with the exception of courts acting in their judicial capacity), (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Article 37).
Q: What is the role of the DPO?
A: The minimum tasks of a DPO are defined in Article 39 of the GDPR. They are primarily there to educate the organization, monitor compliance and act as the first point of contact for supervisory authorities and individuals. The DPO should report to the highest level of management (board level), operate independently, and be provided with sufficient resources to meet GDPR requirements. They can be a current employee of the company; however, the DPO’s responsibilities cannot create a conflict of interest with their other position.
Q: Can the DPO’s responsibility be put on several people?
A: In regard to the heavy lifting provided by the DPO, companies with multiple affiliates can have these responsibilities placed on a single appointed DPO or create a parent/child scenario in which DPO duties may be performed by a person employed by the controller, processor, or even run by a third-party service provider. The static piece to this would be that the DPO must be readily accessible from any of these affiliated entities when called upon.
Q: How long does an organization have to provide notification in the event of a security breach?
A: Breach notification must be done within 72 hours of first becoming aware of the breach. Service providers regulated by GDPR will also be required to notify their customers “without undue delay” after first becoming aware of a data breach.
Q: How long does an organization have to respond to a data subject’s request for their personal information or the reason why a company is retaining their information?
A: A company has 45 days to respond to a data subject’s request for their personal information. The organization should have an automated way to search all database instances and collect what info you have on subjects or the task can be very time consuming.
Q: What types of fines can be levied upon an organization for non-compliance?
A: A company can be fined 2% for not having their records in order (Article 28), not notifying the supervising authority and data subjects about a breach, or not conducting an impact assessment. Organizations that are found in violation could face fines up to the greater of €20 million or 4% of annual global turnover (revenue) for the most serious infringements such as not having sufficient customer consent to process data, or violating the core of Privacy by Design concepts.
Q: If an organization adheres to other compliance regulations such as NIST, ISO 27001, PCI DSS 3.2, will the company be considered compliant under GDPR regulations?
A: Compliance with other regulations/frameworks does not guarantee compliance under GDPR; however, it could be a great step towards compliance. The main purpose for all the mentioned regulations is the protection of customer or sensitive data. Not only has GDPR expanded what constitutes personal/sensitive data but the regulation also has the “customer information requests and reporting” functions that extends beyond most other frameworks. At the very least, additional scoping activities must be performed on systems who have met or exceeded other compliance regulation tests.
Q: If conformance to the regulation was broken down into several phases, how would the phases be described?
A: There are primarily four (4) phases loosely described as follows:
- Discovery/Detect/Identify Phase – Identifying the systems where data is collected and stored, why it was collected, and how it is processed and shared.
- Manage/Governance Phase – Defining and implementing policies and procedures.
- Protection Phase – Implementing controls to prevent, detect and respond to vulnerabilities/breaches.
- Reporting Phase – Ensuring proper records are kept and easily generated to respond to requests from data subjects and governing bodies when required.
Basically, the regulation is all about user rights and the ability for companies to provide, delete, or modify a data subject’s information when requested. There are eight (8) fundamental rights of individuals under GDPR. They are:
- The right to be informed – Organizations must be completely transparent in how they are using personal data.
- The right of access – Individuals will have the right to know exactly what information is held about them and how it is processed.
- The right of rectification – Individuals will be entitled to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure – Also known as ‘the right to be forgotten’, this refers to an individual’s right to having their personal data deleted or removed without the need for a specific reason as to why they wish to discontinue.
- The right to restrict processing – Refers to an individual’s right to block or suppress processing of their personal data.
- The right to data portability – This allows individuals to retain and reuse their personal data for their own purpose.
- The right to object – In certain circumstances, individuals are entitled to object to their personal data being used.
- Rights of automated decision making and profiling – The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention.
As mentioned earlier, the measures implemented in preparation for adherence to GDPR compliance should minimize the risk of breaches and uphold the protection of personal data. The process is meant to improve the overall protection of the environment and not to add unnecessary responsibilities and expenses. For most organizations this is likely to mean more governance controls, additional policies, process improvement and enforcement, and in some cases, employing an outside firm to assess your company’s current security posture.
Oh yeah, and a little magic pixie dust won’t hurt either!