1Are the requirements for GDPR from May 2018, much different to what we do today?
Much of the GDPR is lifted directly from current EU legislation on Data Privacy: The Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data) is a European Union directive adopted in 1995 which regulates the processing of personal data within the European Union. It is an important component of EU privacy and human rights law.
GDPR has been updated to cover social, automated and manual data, adapted to suit the new technological environment. The spirit of the data privacy regulations remains practically unchanged. However, the data privacy change will be rapid, and therefore some significant additions should include:
GDPR has been updated to cover social, automated and manual data, adapted to suit the new technological environment. The spirit of the data privacy regulations remains practically unchanged. However, the data privacy change will be rapid, and therefore some significant additions should include:
- Clear rules and definitions for GDPR terms such as “Processing” and “Consent” that fits the size of the organisation;
- The role, requirement and responsibilities of the Data Protection Officer;
- The introduction of vastly increased penalties, with a likelihood of sanctions enforcement.
2What are the timelines?
The GDPR regulations are enforceable as of May 25, 2018.
3What is an SAR?
A Subject Access Request (or SAR) is a requirement for a Data Subject (a customer, private individual or employee) – to see the personal data that is stored and is processed on their behalf. The SAR request must be in writing to the Data Controller. The Data Controller then has 40 days to provide the requested information back to the subject.A nominal processing fee can be charged.
SARs are expected to be widely-invoked. Therefore organisations must be aware of the stored personal, where it resides and must be able to provide it when requested.
Further decisions on removing or masking the data, depending on the nature of the Data Subject’s request, are addressed I our seminars.
SARs are expected to be widely-invoked. Therefore organisations must be aware of the stored personal, where it resides and must be able to provide it when requested.
Further decisions on removing or masking the data, depending on the nature of the Data Subject’s request, are addressed I our seminars.
4What is Data Portability?
Porting is the task of doing any work necessary to make the computer program run in a unique environment. Portability is a characteristic attributed to a computer program that is used in operating systems other than the one where it was created without requiring any major rework. In addition to different computer languages, porting may also require data conversion and adaptation to the new system procedures for running an application.
Data portability is the ability for Data Subjects to reuse their data across interoperable applications. Data Portability requires that an SAR is presented in a comprehensive, machine-readable format to the Data Subject to take ownership of the data and transfer it to another Data Controller.
In our seminars, we address the Data portability issues concerning identifying, contextualising and promoting data portability efforts when implementing GDPR.
Data portability is the ability for Data Subjects to reuse their data across interoperable applications. Data Portability requires that an SAR is presented in a comprehensive, machine-readable format to the Data Subject to take ownership of the data and transfer it to another Data Controller.
In our seminars, we address the Data portability issues concerning identifying, contextualising and promoting data portability efforts when implementing GDPR.
5If you are embarking on a GDPR project, How should I start and what should we do first?
Our suggestions are as follows, but please read our blogs; (link).
- Start with a top-down view of your risks and get a GDPR project program up & running. Go thru the attached presentation step by step;
- Demonstrating that reasonable approach is taken to addressing GDPR compliance.
- We recommend not to attempt to close every issue or every gap in your compliance efforts but make sure that the security and data protection standards operate efficiently.
- Following a GDPR standard like ISO 27001/2 or similar.
- Understand the new (to you) and/or highlighted GDPR requirements
- Ensure that a working compliance program is established and include:
- Start with a top-down risk assessment, followed by a detailed data privacy assessments on your systems, processes and data.
- Review your current approach to archiving and deletion of data, and document retention in all areas where data is stored or processed and identify the GAPS.
- Identify and appoint responsible “data champions” and appoint a Data Protection Officer if suitable.
- Develop a corporate culture of privacy by design and by default when processing data.
- Introduce Change management, appropriate awareness and training programs.
- Develop processes for dealing with SARs and Data Portability requirements.
- Ensure that Breach Notification Process is in place and monitor its efficiency.
- Identify any third party contractors and sub-contractors who act as Data Processors.
- Ensure that processing standards are adequate
- Appropriate GDPR clauses must exist in all vendor contracts.
- Conduct a bottoms-up risk assessment, followed by a detailed Data Privacy Impact Analysis to assess systems, processes and data for GDPR compliance.
6Why the hype on huge penalties for GDPR non-compliance?
There are two categories of administrative fines
Category A; penalties are capped at the greater of either €10 million or 2% of your worldwide annual turnover. This category addresses preparedness and administrative or regulatory failures whereas actual breaches.
Category B fines can be up to €20 million Euro or 4% of global annual turnover – Category B addresses the significant failures in monitoring compliance.
The greater figure will apply in both categories.
Perhaps if the company can document that reasonable compliance effort is enforced and monitors a well-functioning GDPR program, leniency in fines could be granted the event of a violation.
Please note that not all punishments are financial. The local supervisory authority could enforce the immediate ceasing of dat processing. For some organisations, could be more dangerous than monetary penalties.
Category A; penalties are capped at the greater of either €10 million or 2% of your worldwide annual turnover. This category addresses preparedness and administrative or regulatory failures whereas actual breaches.
Category B fines can be up to €20 million Euro or 4% of global annual turnover – Category B addresses the significant failures in monitoring compliance.
The greater figure will apply in both categories.
Perhaps if the company can document that reasonable compliance effort is enforced and monitors a well-functioning GDPR program, leniency in fines could be granted the event of a violation.
Please note that not all punishments are financial. The local supervisory authority could enforce the immediate ceasing of dat processing. For some organisations, could be more dangerous than monetary penalties.
7My company is ISO 27001 compliant, does that mean that we are ready for the GDPR?
Compliance with different standards such as ISO, Sarbanes Oxley, COBIT, Copenhagen Compliance® Framework, COSO, and others go a long way towards ensuring the underlying data privacy issues are secure and leveraged for GDPR compliance. However, GDPR introduces new requirements not covered by some of the frameworks or standards. These are processes around Breach Notifications, Subject Access Requests, the right to be forgotten, etc., etc. Use the GDPR standards as building blocks for an effective GDPR compliance program, not as a replacement.
8Do I need to hire a DPO?
Before May 2018 more clarity on the circumstances when an organisation needs to hire a Data Protection Officer, will be apparent. However, all public entities will appoint a DPO.
Our suggestion is that an organisation of a reasonable size selects a DPO considering the increasing emphasis on the importance of data privacy in the business environment If the large-scale processing of personal data is part of your core business, then appoint a DPO. Even if your organisation is exempt from the DPO requirement, you are still obliged to comply with all other aspects of the GDPR.
Our suggestion is that an organisation of a reasonable size selects a DPO considering the increasing emphasis on the importance of data privacy in the business environment If the large-scale processing of personal data is part of your core business, then appoint a DPO. Even if your organisation is exempt from the DPO requirement, you are still obliged to comply with all other aspects of the GDPR.
9Can my DPO have another or multiple roles within the organisation?
Remember the usual accountability, conflict of interest and segregation of duties to be independent and autonomous, as the DPO cannot be influenced or otherwise directed in his/her responsibilities.
Appointing the CIO or an existing HR Manager as a DPO may not be the best solution. Due to the nature and scale of DPO’s responsibilities, it would be preferable for your DPO not to have other roles within the organisation.
Appointing the CIO or an existing HR Manager as a DPO may not be the best solution. Due to the nature and scale of DPO’s responsibilities, it would be preferable for your DPO not to have other roles within the organisation.
10what are the options if the organisation does not have the resources for a full-time DPO
Organisations that do not have the resources or cannot justify a full-time employee may choose to pool their resources into a single shared Data Protection Officer’ position. Smaller private organisations, e.g. a chain of restaurants or an association of shops or hotels, may do the same for similar reasons.
11Can the DPO position be outsourced to a third party?
Categorically yes, there are apparent benefits as well. The DPO position requires a high level of expertise with GDPR issues on IT and data privacy in general. Relatively few individuals may possess the necessary qualifications. A third-party can have the advantage of specialising in these subject matters. Outsourcing to a third-party could mean that a single person can act as the official DPO. A host of certified auditors, lawyers and GDPR experts also provide this service.
12Where lies the GDPR compliance responsibility in the organisation?
The size and the scale of the organisation determines the decisions;
Smaller entities can allocate responsibility to who has the time and ability for a compliance program.
In larger, more structured entities, it could be Legal and/or HR departments. GDPR is ultimately about Information Security and Compliance, as GDPR applies to personal data; individuals working in security, audit and internal controls are likely to have the framework and mindset which is inherently suitable for this responsibility.
Ultimately Compliance requires a high degree of collaboration. Therefore the recommendation is to identify “data champions” from different functions of the organisation and appoint them as equal partners in the compliance efforts.
In larger, more structured entities, it could be Legal and/or HR departments. GDPR is ultimately about Information Security and Compliance, as GDPR applies to personal data; individuals working in security, audit and internal controls are likely to have the framework and mindset which is inherently suitable for this responsibility.
Ultimately Compliance requires a high degree of collaboration. Therefore the recommendation is to identify “data champions” from different functions of the organisation and appoint them as equal partners in the compliance efforts.
13What about Brexit – is GDPR irrelevant to the UK now that Article 50 has been triggered?
Brexit cannot take place before the GDPR May 25, 2018, deadline. UK would be subject to GDPR compliance if the UK were to leverage businesses across Europe with relations involving data processing or transfers into or out of the UK.
GDPR is multi jurisdictional, and therefore one of the key components of GDPR is to ensure that their international partners or third parties are also compliant with GDPR. Even if the company does not operate outside of the UK, compliance with data protection regulations is mandatory.
GDPR is multi jurisdictional, and therefore one of the key components of GDPR is to ensure that their international partners or third parties are also compliant with GDPR. Even if the company does not operate outside of the UK, compliance with data protection regulations is mandatory.
14What about the EU-U.S. Privacy Shield Framework?
The EU-U.S. Privacy Shield Framework was put in place (as a replacement for Safe Harbor) to strengthen processing standards for US-based entities in regards to EU citizens.
The Privacy Shield is an arrangement (agreement) to safeguard transatlantic exchanges of data between the US and EU. The first annual review of the EU-U.S. Privacy Shield is scheduled for September 2017.
The Privacy Shield is an arrangement (agreement) to safeguard transatlantic exchanges of data between the US and EU. The first annual review of the EU-U.S. Privacy Shield is scheduled for September 2017.
15What about US-based companies which operate globally?
Our data processor is based on [location X], with a data centre in [location Y] and a server operating out of [location Z] – does GDPR still apply?
Please check with professional on this and similar subjects.
16Data sharing/supplier contracts to ensure GDPR compliance on data transfers.
What are the examples of the types of requirements that could be included in data sharing/supplier contracts to ensure GDPR compliance on data transfers? The general components of the contract must include the following items.
A. Have in place appropriate technical (“Privacy Enhancing Technology”) and organisational protective measures (“OPMs”) against unauthorised or unlawful processing, or the accidental loss, destruction, alteration, disclosure, access or unapproved use, sharing or breach of any Personal/Sensitive Data acquired or aggregated by it pursuant to this Agreement;
B. Take reasonable steps to ensure the reliability of the Supplier Personnel who have access to the Personal/Sensitive Data and that the organisation has an effective training and ongoing assurance programme;
C. Provide the Controller with such information, assistance and co-operation to provide detailed transactional logs regarding PII/Sensitive data, attacks against websites or social media sites, abuses of identity or privileges, validation of PII Data destruction, transfer of Data Controller; these events and the subsequent actions shall be maintained at evidential quality in accordance with applicable standards and maintain the chain-of-custody in support of eDiscovery; these logs and event actions are required to establish the Supplier’s and Supplier’s subcontractor's compliance with the obligations relating to data protection and Information Governance contained in the applicable data protection legislation; and
D. Inform the appropriate Authorities of the relevant members of the controller or Country Authority as soon as reasonably practicable, of any breach of security or any particular risk of which it becomes aware, to the security of any of the Personal/Sensitive Data being processed.
E. Inform the affected individuals, by said breach, by the applicable Laws regarding a reporting of events related to compromises to PII Data.
A. Have in place appropriate technical (“Privacy Enhancing Technology”) and organisational protective measures (“OPMs”) against unauthorised or unlawful processing, or the accidental loss, destruction, alteration, disclosure, access or unapproved use, sharing or breach of any Personal/Sensitive Data acquired or aggregated by it pursuant to this Agreement;
B. Take reasonable steps to ensure the reliability of the Supplier Personnel who have access to the Personal/Sensitive Data and that the organisation has an effective training and ongoing assurance programme;
C. Provide the Controller with such information, assistance and co-operation to provide detailed transactional logs regarding PII/Sensitive data, attacks against websites or social media sites, abuses of identity or privileges, validation of PII Data destruction, transfer of Data Controller; these events and the subsequent actions shall be maintained at evidential quality in accordance with applicable standards and maintain the chain-of-custody in support of eDiscovery; these logs and event actions are required to establish the Supplier’s and Supplier’s subcontractor's compliance with the obligations relating to data protection and Information Governance contained in the applicable data protection legislation; and
D. Inform the appropriate Authorities of the relevant members of the controller or Country Authority as soon as reasonably practicable, of any breach of security or any particular risk of which it becomes aware, to the security of any of the Personal/Sensitive Data being processed.
E. Inform the affected individuals, by said breach, by the applicable Laws regarding a reporting of events related to compromises to PII Data.
17How to move privacy issues from mapping/gap analysis to the remediation phase.
Unless specifics are known, the response can be wide-ranging - depending on the gaps that are discovered.
1. First, you need to identify and categorise where the gaps are; does it affect the policy, process, security, data management, understanding or compliance issues.
Therefore, the remedies could include policy specification, the establishment of a framework, the provision of procedural guidance, data discovery, data quality improvement, an awareness campaign, a staff training program, internal control enhancements and more, all depending on where the significance of the gap issue or where the root cause of the problem lies.
2. After identification and the categorisation, the next phase is to diagnose the gaps to the GDPR risks.
A robust risk management framework is a must.
If the companies data protection strategy is risk-based, then risk acceptance is a reliable option with remediation involving a number of compensating controls.
Depending on the gravity of the known risks, the gaps can either be addressed right away or gathered with similar findings from each category to avoid minor system changes. If a major risk or system exposure is identified, it is wise to address it immediately due to the complexity and to get guidance from other stakeholders for its solution.
1. First, you need to identify and categorise where the gaps are; does it affect the policy, process, security, data management, understanding or compliance issues.
Therefore, the remedies could include policy specification, the establishment of a framework, the provision of procedural guidance, data discovery, data quality improvement, an awareness campaign, a staff training program, internal control enhancements and more, all depending on where the significance of the gap issue or where the root cause of the problem lies.
2. After identification and the categorisation, the next phase is to diagnose the gaps to the GDPR risks.
A robust risk management framework is a must.
If the companies data protection strategy is risk-based, then risk acceptance is a reliable option with remediation involving a number of compensating controls.
Depending on the gravity of the known risks, the gaps can either be addressed right away or gathered with similar findings from each category to avoid minor system changes. If a major risk or system exposure is identified, it is wise to address it immediately due to the complexity and to get guidance from other stakeholders for its solution.