Understanding GDPR

For the past few months a lot has been spoken, written and talked about GDPR Compliance. Below write up is amalgamation of major takeaways from all the articles and actual GDPR document (OK, I did not read the whole document, but I did read few parts from it). If you find I have missed something that I have missed and I should have mentioned, please do point out, cause this is something which we have to get right. I’ll start with first highlighting some key aspects of GDPR – like:

  • What is GDPR
  • Key Regulatory Requirements
  • Role of IT Professionals
  • Actions for Compliance (12 Steps)

What is GDPR –

It’s not something new and before GDPR we had Data Protection Act so if you had it implemented then you will go through less pain since a lot of elements are partially covered by it. The whole idea and concept is to know how the data is collected, where the data resides, stored, processed, deleted, who can access it and how it’s used for EU citizens. This means that organizations will be required to show the data flow or life-cycle to minimize any risk of personal data being leaked and all required steps are in place under GDPR. In short, GDPR is to have common sense of data security ideas, minimize collection of personal data, delete personal data that’s no longer necessary, restrict access, and secure data through its entire life-cycle and also by adding requirements for documenting IT procedures, performing risk assessments under certain conditions, notifying the consumer and authorities when there is a breach, as well as strengthening rules for data minimization.

Key Regulatory Requirements –

  • Privacy by Design:   PbD is referenced heavily in Article 25 of the GDPR, and in many other places in the new regulation. Privacy by Design (PbD) focuses on minimizing data collection and retention and gaining consent from consumers when processing data are more explicitly formalized.  The idea is to minimize collection of consumer data, minimize who you share the data with, and minimize how long you keep it. Less is more: less data for the hacker to take, means a more secure environment. So the data points you collected from a web campaign over three years ago — maybe containing 15000 email addresses along with favorite pet names — and now lives in a spreadsheet no one ever looks at. Well, you should find it and delete it. If a hacker gets hold of it, and uses it for phishing purposes, you’ve created a security risk for your customers. Plus, if the local EU authority can trace the breach back to your company, you can face heavy fines.
  • Data Protection Impact Assessments: When certain data associated with subjects is to be processed, companies will have to first analyze the risks to their privacy. This is another new requirement in the regulation. You may also need to run a DPIA if the nature, scope, context, and purposes of your data processing place high risk to the people’s rights and freedoms. If so, before data processing can commence, the controller must produce an assessment of the impact on the protection of personal data. Who exactly determines whether your organization’s processing presents a high risk to the individuals’ rights and freedoms? The text of the GDPR is not specific, so each organization will have to decide for itself. If you find more details about it, please mention in the comments below.
  • Right to Erase and to be Forgotten: Discussed in Article 17 of the GDPR, it states that “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where … the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; … the data subject withdraws consent on which the processing is based … the controller has made the personal data public and is obliged … to erase the personal data”. There’s been a long standing requirement in the DPD allowing consumers to request that their data be deleted. The GDPR extends this right to include data published on the web. This is the still controversial right to stay out of the public view and “be forgotten”. This means that in the case of a social media service that publishes personal data of a subscriber to the Web, they would have to remove not only the initial information, but also contact other web sites that may have copied the information. The new principle of extraterritoriality in the GDPR says that even if a company doesn’t have a physical presence in the EU but collects data about EU data subjects — for example, through a web site—then all the requirements of GDPR are in effect. In other words, the new law will extend outside the EU. This will especially affect e-commerce companies and other cloud businesses.
  • Breach Notification: A new requirement not in the existing DPD is that companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. Data subjects will also have to be notified but only if the data poses a “high risk to their rights and freedoms”. Breaches can be categorized according to the following security levels:
      • Confidentiality Breach: where there is an unauthorized or accidental disclosure of, or access to, personal data.
      • Integrity Breach: where there is an unauthorized or accidental alteration of personal data.
      • Availability Breach: where there is an accidental or unauthorized loss of access to, or destruction of, personal data (include where data has been deleted either accidentally or by an unauthorized person).
  • Fines: The GDPR has a tiered penalty structure that will take a large bite out of offender’s funds. More serious infringements can merit a fine of up to 4% of a company’s global revenue. This can include violations of basic principles related to data security — especially PbD principles. A lesser fine of up to 2% of global revenue — still enormous — can be issued if company records are not in order or a supervising authority and data subjects are not notified after a breach. This makes breach notification oversights a serious and expensive offense.

Role of IT Professionals

Information Security today is just not limited to the IT Department of any organization and as businesses have evolved during time, so does the need for everyone in the business for making his or her contribution to the security of the organisation’s information, and for protecting the personal data the organisation uses. You will notice that most GDPR webinars are attended by  business managers, compliance people and the like and these people are responsible for operating and overseeing GDPR compliance. Asking colleagues what data they hold, and getting the company lawyer to update standard contract terms and write privacy notices. But they can’t really do all this stuff on their own since they need IT for doing most of the work like providing a dump of the database schema, gives a guaranteed correct version and don’t forget the unique access required to scan the various files stored in local hard disks and networked file shares for the millions of files we use in the form of documents, emails, spreadsheets, meeting notes, etc. It is extremely important to engage the  IT Team from the discovery phase, for example: most of us hardly ever had one because nobody’s really been sufficiently bothered to spend the money and ask what data you hold about them. The other thing you need to understand is whether there’s a gap between how you think you work and how you actually work. For Example backups: Even though customer’s backup strategy is documented, do you really understand how it’s implemented by the tech teams? How your disk-to-disk-to-tape setup really works? Who transports the tapes to offsite storage? Do you destroy tapes when you say you will? If you’ve erased someone’s data on request, does the tech team re-delete the data from the live system if they’ve had to restore from backup?

Nearly every organization I have come across keeps some sort of back up with them and not everyone is fully utilizing the Cloud infrastructure and Back up tools. The data aspect is important and becoming compliant is one thing, but being able to quantify compliance is quite another. Specifically Data Protection Admins (note – there is a reason I did not mention backup administrators, since Data Protection / Management team shall manage backups, Archives, LTR copies etc.) who handle the data for company and its customers. Having a sound and tested data protection scheme which can report well also is what customers need, that is something which can be delivered by DellEMC DPS solutions.

Actions for Compliance

Below is a list of actions the organization needs to take in order to comply with GDPR and notice that I have not mentioned any timeline, since different organizations have different data set sizes and they may require less to more amount of time to carry out same set of actions.

  • Step 1 – Data Mapping: Identify and map your data processing activities, including data flows and use cases in order to create a comprehensive record of activities since GDPR requires you to keep detailed records of data processing activities. These records can be used to assess the compliance steps required by the business going forward and respond quickly to data breaches and to individuals who request their own data.
  • Step 2 – Privacy Governance / Data Protection Officer: Improve the corporate governance policies and structure to ensure that they are effective to achieve reasonable compliance throughout the business. Organizations who are in EU or deal heavily with EU users data have to assign a “Data Protection Officer” who meets GDPR criteria.
  • Step 3 – Data Sharing: Customers have to identify any data sharing with third parties, determine the role of those parties and put appropriate safeguards in place since GDPR imposes mandatory content for certain agreements and requires the clear assignment of roles and responsibilities.
  • Step 4 – Justification of Processing: Review or establish legal bases for processing, for key use cases. Plan and implement  remedial action to fill any compliance gaps, GDPR requires that all data processing has a legal basis and makes usage more difficult. GDPR also contains restrictions / additional obligations relating to the use of automated processing, including profiling.
  • Step 5 – Privacy Notices & Consents
  • Step 6 – Data Protection Impact Assessment: Assess whether the business carries out any “high risk” processing under the GDPR. If so, carry out a Data Protection Impact Assessment (DPIA) and, if necessary, consult with your supervisory authority, vendors (this is where we come in with NetWorker, DD, Avamar, Storage assessments as we can inform customer of their backup data, retention policies etc.).
  • Step 7 – Policies: Review and supplement the company’s existing suite of polices and processes dealing with data  protection, including those dealing with data retention and integrity, such as data accuracy and  relevance. The GDPR imposes stricter obligations to keep data accurate, proportionate and no longer  than necessary.
  • Step 8 – Individuals Rights: Organizations have to identify the new individual rights provided by the GDPR and establish procedures for dealing  with them. Review the procedures in place in order to comply with existing rights and set up any new internal procedures and processes, where required.
  • Step 9 – Data, Quality, Privacy by Design: Organizations have to make sure that GDPR compliance is embedded in all applications and processes that involve personal data from the start. Default settings must comply with the GDPR.
  • Step 10 – International Data Transfers: Organizations have to make sure they Identify and review the data transfer mechanisms in place in order to comply with the GDPR. Fill any gaps, including entering into Standard Contractual Clauses with service providers and group companies.
  • Step 11 – Data Security & Breach Management Process: Review the data security measures in place to ensure they are sufficient and to assess whether the specific measures referred to in the GDPR are (or should be) in place. Review or establish an effective Data Breach Response Plan (this is where we can talk a bit about IRS, encryption, WORM functionality of DPS products.). The GDPR implements stricter requirements regarding appropriate technical and organizational data security measures. It also requires data breaches involving risk to individuals to be reported to supervisory authorities without delay and within 72 hours (unless a longer period can be justified); affected individuals must also be notified if the breach is high risk.
  • Step 12 – Roll out of Compliance Tools & Staff Training: Roll-out amended and new privacy notices and consent forms. Publish new and revised policies and procedures and conduct training of key personnel on GDPR compliance.

Complete GDPR information can be found at: https://gdpr-info.eu/