General Data Protection Regular (GDPR). Practicalities and Preparation


General Data Protection Regular (GDPR). Practicalities and Preparation.




Summary
GDPR. What, Why and When?
General Data Protection Regular (GDPR) is new legislation which impose new data security requirements for personal information within the European Union (EU) and is effective from 25th May 2018.
GDPR is primarily concerned with transparency of the intent and purpose of the data that an organisation wants to collect and why, demonstrating privacy is taken seriously by having the appropriate control measures in place, and not holding information where there isn’t a business need or longer than the purpose it was intended for.
The impact of this new legislation is wider spread than the EU as it affects organisations globally that may operate within the EU and/or holds personal information about EU citizens without having an EU presence. GDPR applies to public and private sector organisations including not for profit, if you are an organisation that offers services and/or goods or harvests data for analytical purposes which is related to EU citizens, then there is a legal obligation to comply with GDPR.
GDPR cannot be ignored as non-compliance whether accidental or deliberate will result financial penalties and disclosure of breaches. No organisation no matter how small or large can afford reputational damage where breaches have been publicly disclosed or financial penalties.

What does GDPR change?
In a nutshell, GDPR changes the following:
·         How organisations interact with consumers and potential consumers of services;
·         Management of Personal Information and the Individuals Rights relating to their data;
·         Policy and Process;
·         Reporting of data breaches;
·         Governance including audit and record keeping demonstrating compliancy for the life of the data;
·         System Security core to operations;
·         New roles focusing on privacy and protection of data;
·         Training of staff in management and privacy of data and compliancy with legislation and policy.
·         Regulatory Fines of 4% of global annual turnover or a maximum Euro 20 million for non-compliance and security breaches.
When?
GDPR will be enforced throughout the EU from 25th May 2018.
Regulation
GDPR Regulation (Regulation(EU) 2016/679 of the European Parliament) will regulate how organisations control and process personal data.  Four years of preparation and debate shaped the new GDPR regulation which was approved by the EU Parliament on 14 April 2016 and a further 25 months for the regulation to be enforced throughout the EU. For more information on the GDPR timeline refer to https://www.eugdpr.org/gdpr-timeline.html or the legislative process https://www.eugdpr.org/the-process.html. 

GDPR is organised into 11 chapters and 15 sections and in total consists of 99 articles. Including the following:
1.       Chapter 1: General Provisions
2.       Chapter 2: Principles
3.       Chapter 3: Rights of the Data Subject
4.       Chapter 4: Controller and Processor
5.       Chapter 5: Transfer of personal data to third countries of international organizations
6.       Chapter 6: Independent Supervisory Authorities
7.       Chapter 7: Co-operation and Consistency
8.       Chapter 8: Remedies, Liability, and Sanctions
9.       Chapter 10: Delegated Acts and Implementing Acts
10.   Chapter 11: Final provisions
For a list of the articles refer to https://www.eugdpr.org/article-summaries.html.
This paper will not explain the chapters or articles of the regulation and recommends that the sources of information listed in ‘Further Reading’ are explored.
 
Personal Data – What is it?
Data is a big part of everyday life and it’s a part that very little or any thought is given to by the average consumer of services. Data is generated every time a consumer of a service shops online, uses an app, signs up to a service and/or mailing list, streams a file or ‘like’ a social media post.
According to Data Marketing Company DOMO 2.5 quintillion bytes of data are generated per day. The infographic in Figure 1 illustrates how the data is generated. However, it must be pointed out that the infographic excludes services provided by retailers, government and financial services, health care providers, utility companies, etc.


Personal or Personal Identifiable Data is data that relates to a person or can be linked back to a person directly or indirectly. Article 4 states that personal data’ is data that “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
This is a board set of data containing both sensitive and non-sensitive information. This is also known as Personal Information or Personal Identifiable Information depending on the country of origin. It includes the includes the listed items, but is not limited to those items:
·         Personal data and unique identifier:
o   IP addresses
o   Mobile Device IDs
o   Name
o   Insurance Number
o   Health Number
o   Date of Birth
o   Religion
o   Ethic Origin
·         Genetic data and biometric data:
o   Gene sequence
o   Fingerprints
o   Facial recognition
o   Retinal scans
·         Pseudonymous data:
o   Any data processed in a way that identifiers are replaced.


How to Prepare for GDPR
Preparation is key to understanding how GDPR will impact the data held and its intended use, relevance and timeliness to the service(s) provided by you or your organisation.
·         Create a list of tasks, so that you are in control of the preparation and implementation of activities that will support compliancy such as:
o   Gap analysis of current data protection practices and GDPR compliancy.
o   Analysis of data held and purpose with mapping to legitimate business need in the context of GDPR.
o   Define date flows to demonstrate how data is captured, processed, stored and disposed of.
o   Management of non-compliant areas and improvement initiatives.
·         Define and implement policy and procedures:
o   Privacy and Personal Data Protection
o   Data Protection Impact Assessment
o   Information Security Incident Response
o   Personal Data Breach Notification
o   Data Consent and rights of the data subject
o   Data Request
o   Data Transfer
o   Data flows and use
·         Create and define roles to enable data protection:
o   Data Controller
o   Data Processor
o   Data Protection Officer
o   Information Security Manager
·         Define data protection responsibilities and accountability for all employees.
·         Train staff this all employees as data protection is everyone’s responsibility.
·         Compliancy and review.
GDPR will not be a one-time activity. It will require ongoing reviews and assessments to ensure that the controls, policies and procedures implemented are compliant, effective and efficient.  Therefore, in the first year of GDPR being enforced it would be recommended that every quarter an organisation should check that it has achieved its objectives and is compliant. If a security breach occurs then those checks need to be conducted before the scheduled check and areas of non-compliance are addressed.
A good check that training has been effective and policy/process understood is to simulate breaches and audits. This will highlight areas of concern that need to be addressed. It would be far cheaper to identify a breach during controlled testing and less damaging to brand reputation. Remember a breach will result in a fine which may result in financial ruin if under able to pay the fine and/or loss of revenue due to reputational damage.
It is important that the designated Data Protection Officer is aware of regulatory and legislative changes which may impact how data collected, processed and stored by an organisation and its relevance to GDPR.

Consent
Consent is important and an organisation must receive consent from the data subject (person) to allow the organisation to collect, process and store the data as defined in its privacy policy. Consent can be change by the data subject and organisations must be able to respond to changes and demonstrate that the change has been made. The GDPR introduces the “right to be forgotten” this means that an organisation must not store data after the business need has passed.
Additionally, data subjects have the right to “data portability” which means that their data can be used for other business purposes.

GDPR Checklist
A simple measure of compliancy is to use a Checklist. It does not need to be complicated to start with and can be easily tailored to the needs of the organisation no matter how large or small.
An example checklist is shown in Figure 2:
Figure 2 - Example GDPR Checklist

Security
All organisations regardless of sector, size or turnover are at risk of a security compromise. What reduces the risk is being aware of your vulnerabilities and implement security monitor, detection and prevention controls.
Under GDPR if a security breach does occur the organisation will be fined of 4% of global annual turnover or a maximum Euro 20 million depending on the type of breach.

Therefore, it is imperative the data security model, policy and processes communicate clearly why data is collected, how it is processed and stored.  Roles such as Data Controller and Processor with the Information Security Officer are key to providing a secure environment in which the organisation can operate and its crucial that employees are trained so that they understand their responsibility to maintain a secure environment and protect data integrity.  Its worth considering that humans are normally the weakest link in cyber-attacks.





Further Reading
1.       EU GDPR Portal https://www.eugdpr.org/
2.       Data Deluge: What People Do on the Internet, Every Minute of Every Day  https://www.inc.com/john-koetsier/every-minute-on-the-internet-2017-new-numbers-to-b.html
3.       Is This The End of Email Marketing? How to Survive the GDPR Regulations https://blog.hubspot.com/marketing/email-marketing-gdpr-regulations?utm_campaign=Marketing%20Blog%20Weekly%20Email%20Sends&utm_source=hs_email&utm_medium=email&utm_content=59999188
4.       DOMO https://www.domo.com/
5.       UKFAST Are you Ready for the GDPR?    http://pdf.ukfast.co.uk/Whitepaper/gdpr_is_around_the_corner_whitepaper.pdf
6.       http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf

Written by Katie Walsh

Comments

Post a Comment

Popular posts from this blog

The emergence of a new style of business leadership: Quantum Leadership

Image
The emergence of a new style of business leadership: Quantum Leadership Leadership is about the action of leading a group of people or an organisation. Organisational structure dictates how work is assigned and managed in a company. Small organisations may have a relatively flat structure, especially newly formed companies. However, a company's organisational structure will become pyramidal in shape as more employees are hired. Typically, a pyramidal structure consists of the following layers from top to bottom: CEO, President, Vice-Presidents, Managers, Team Leaders and Supervisors and employees. While most company structures are pyramidal, companies still use different types of organisational structures. The type of organizational structure a company uses is often contingent on the type of customer it serves. The way companies are run is generally from the top to the bottom layers. Thus, it creates a management structure model that is followed quite widely in today’s
Read more

Cloud Computing Security

Image
Cloud Computing Security Cloud computing security has never been so much a critical requirements as it is today. According to the siliconAngle website, the following figures reflects  the evolution of cloud usage in the last few years: · By 2015, end-user spending on cloud services was deemed to be reaching  more than $180 billion  · It is predicted that the global market for cloud equipment will reach $79.1 billion by 2018  · If given the choice of only being able to move one application to the cloud, 25% of respondents would choose storage  · By 2014, businesses in the United States were spending more than $13 billion on cloud computing and managed hosting services  ·  44% annual growth in workloads for the public cloud versus an 8.9% growth for “on premise” computing workloads is expected till 2018 · 82% of companies reportedly saved money by moving to the cloud  · More than 60% of businesses utilize cloud for performing IT-related operations · 14% of companies downsized thei
Read more

The nature of ethics in companies

Image
The nature of ethics in companies Ethics mean many different things to people as well as enterprises. Fundamentally, ethics can be explained as a set of rules of behaviour based on ideas about what is morally good and bad. Ethics plays an important role today as it is generally used by individuals and enterprises to make a statement about what their code values are. For the business world, ethics are covering all aspects of operations and is relevant to both individuals and entire organisations. They are created by individuals based on their moral stands, by organisation stands or by the legal bodies.   This mixture creates the norms, values, ethical and unethical practices that are used to guide businesses. In the final analysis, they help businesses to maintain a better connection with their stakeholders. One of a great challenge we have with ethics is morality…. For example, is it moral to sell armaments to a bell
Read more