Effective May 25, 2018, entities around the world with a European Union presence or EU users are required to comply with the General Data Protection Regulation (GDPR), a revised European data protection law. This new data protection law is designed to protect individuals’ rights to their data and is forcing sweeping changes to how organisations manage data.
The GDPR provides a single set of rules for all EU member states to ensure uniform compliance and carries strict data protection requirements with severe penalties for non-compliance, including fines of $25 million USD or up to 4 per cent of worldwide annual revenues, whichever is greater. The regulation doesn’t just apply to EU organisations; it also applies to organisations based outside of the EU if they process personal data of EU residents.
The GDPR further defines the relationships between data subjects and the data controllers and data processors which collect and maintain individuals’ data. An express focus on maintaining transparency and answerability in these relationships is also required.
Knowing where data lies
If any company operations incorporate the data of individuals living in the EU, then the GDPR will be in effect for the organisation, whether the organisation resides in the EU or not. Maintaining appropriate data collection and privacy processes is paramount. Consent must be explicit with transparently worded agreements.
The GDPR mandates that this consent include the individual’s “right to be forgotten”, giving data subjects the right to control how their data is used, up to and including having it returned or deleted.
In addition to updating data collection and notification processes, a review of what data is already held and where it resides must be completed. The expanded definition of personal data, which includes anything that could possibly be used to identify an individual, should be considered as well. This responsibility reaches any database used by an organisation, including Enterprise Resource Planning (ERP) and human resource management systems.
Keys to data governance
Deciding how data will be used, for what purpose and by whom is paramount to complete data governance. Entities are required under the GDPR to collect only the minimum information necessary for their purposes. Other regulations which require the data to be collected and maintained should be carefully examined as well.
Governance, data maps and risk assessments should also include suppliers who act as data processors under the regulation. Agreements need to establish the responsibilities of suppliers as data processors, and provide appropriate SLAs around data protection measures. Access methods and methods for classifying and tracking data usage or transfer also need to be examined and potentially updated.
Lastly, updated training for employees must be considered to effectively communicate new or updated data governance requirements, and to teach them about the requirements of the GDPR.
Data protection measures
Unexpectedly, data assessments should also include the defensive and privacy measures taken to ensure data is only accessible by appropriate personnel for appropriate reasons. GDPR requires a certain level of cyber security protection to maintain on-going compliance and verification of capabilities. Response measures for vulnerabilities and breaches are a necessary part of any protection plan developed.
In the event of a breach, organisations are required to notify regulators within 72 hours. This is a shared responsibility across data controllers and data processors. Service providers should leverage standard contractual clauses with data controllers to delegate shared responsibilities for the security controls needed to protect EU residents’ personal data.
The following standard and advanced services are used to support our clients’ compliance with the GDPR. To provide additional assurance, services are externally audited twice per year and independently reported on in our SOC 2 Type II report and ISO 27001 certification.
- Least-privilege, role-based access controls and multifactor authentication (MFA)
- RTOs & RPOs for Disaster Recovery
- Encrypted Networks and Backups, Encrypted Storage & Database
- Retention/archival of operational records and appropriate removal or destruction of data/media
- Endpoint Protection, Security Information and Event Management (SIEM) and security logging
- Security Operation Centre (SOC), Cyber Security Operation Centre (CSOC), and advanced Security & Privacy response organisation
- Client portal with real time asset status to support client inventories and data flows
- Security zone isolation networks and client dedicated firewall configurations, with IPS/IDS
The Secure-24 privacy organisation includes a Privacy Officer / Data Protection Officer and Privacy Manager, who oversee regular training provided to staff, performance of Data Privacy Impact Analysis (DPIA) where necessary, and testing and performing organisational response plans. In addition, Secure-24 has established a Privacy Notice. To support data controllers most effectively in the US, Secure-24 is registered with and complies with the requirements under the EU-US Privacy Shield and the Swiss-US Privacy Shield.
The EU–US Privacy Shield is an agreement between the European Union (EU) and the United States (US), adopted July 12, 2016, which allows US companies to certify compliance with privacy laws governing transatlantic data transfers to protect EU citizens. Switzerland rejected the EU-US Privacy Shield framework and adopted its own version (Swiss-US Privacy Shield) on April 12th, 2017. Active organisations in both frameworks can be found on the Privacy Shield website.
Jaclyn Miller, Vice President of Audit and Compliance, Secure-24