Over the last few months there has been a proliferation of articles concerning the General Data Protection Regulation (GDPR). Most have echoed similar points, yet it was interesting to see in a report published by Symantec that 96% of companies still do not understand the GDPR, so the deluge of content does not appear to be changing anything on that front.
So here at RiverSafe we have put together our thoughts on what businesses really need to know about the GDPR.
What is the GDPR?
For those who don't know, since the mid-1990s, legislation that protects the information privacy of individuals in the European Union (EU) has been primarily based on the EU Data Protection Directive, which sets out the minimum standards on data protection in Europe. Each country within the EU has taken this directive and transposed it into its own local data protection law; here in the UK we have the Data Protection Act 1998.
The directive was deemed outdated and has not changed since 1995. Four years in the making, the GDPR is the new EU legislation that will come into effect from May 2018. The UK, despite Brexit, will be adopting the law.
Below is a brief summary of the changes we feel will have most impact.
The GDPR strengthens the rights that individuals have to control their own data, in particular the right to data portability. This means an individual has the right to transport his/her personal data from one organisation to the next. The personal data must be provided to the individual in a structured, commonly used and machine-readable format. The impact of this rule could be significant. For example, what does it mean commercially when your client can ask for a copy of all their personal data and take it to your competitor? It may also be a technical challenge.
Data breach notification
Every organisation that processes personal data needs to make sure that this data is properly safeguarded against loss, theft, unauthorised access, etc. Security of the personal data is so important that the GDPR includes a personal data breach notification rule. This says that when a breach of security occurs, the breach should be reported within 72 hours, and if it is likely to result in a high privacy risk for individuals, then these individuals must be informed.
The obligation to notify local authorities of personal data being processed has gone. However, in its place organisations must now maintain a record of the processing activities under their responsibility, so they must keep an inventory of all personal data processed.
Data protection by design and by default
Data protection by design and by default are both included in the GDPR. This means two things. First, it will be mandatory when designing a new system, process, service, etc. that processes personal data to make sure that data protection considerations are taken into account. Moreover, organisations need to be able to prove that they have done so. Second, the new system, process, service, etc. must include choices for the individual on how much personal data they wish to share.
Expanded territorial scope
Organisations that target EU residents via the internet with services, goods or for monitoring, have to be compliant with EU rules on privacy of those residents’ data.
If you process personal data on behalf of another organisation, the GDPR has a significant change for you. Where so far all the burden of compliance with privacy legislation was on your client, now you have some obligations directly yourself.
Right to be forgotten
The right to erasure of personal data already exists in the current Directive but is now elevated in the GDPR. Under the new regulation all organisations that process personal data must remove all of that data if one condition (out of a list of six) is met.
The GDPR introduces Data Protection Impact Assessments (DPIA) as a means to identify high risks to the privacy rights of individuals when processing their personal data. When these are identified, the GDPR expects that an organisation formulates measures to address these risks.
The need to take proper information security measures to ensure the confidentiality, integrity, availability and resilience of processing systems and services has always been a part of privacy legislation. What is new is that the GDPR champions pseudonymisation and encryption of personal data. Furthermore, it is stressed that security should be based on a risk assessment, though not of the risks the organisation faces, but of the risks impacting individuals.
Accountability and data governance
Data protection legislation in the EU has always been based on a number of principles that need to be adhered to. Lawfulness, fairness, purpose limitation and transparency are good examples. The GDPR introduces a new principle: accountability. Organisations will not only be responsible for adhering to all the principles, they also must be able to demonstrate compliance with them.
One of the most discussed aspects of the GDPR must be its explicit mention of fines. For example, for less serious violations the maximum is €10 million or 2% of total annual worldwide turnover of the preceding year (whichever is higher); for more serious violations this goes up to €20 million or 4%.
One stop shop
For organisations that operate across the EU, a sort of ‘one stop shop’ system for supervisory authorities in Europe will be introduced. The Lead Supervisory Authority will be the primary authority organisations need to deal with, but under circumstances local authorities can step in as well.
Approved certification mechanism
The legislators have acknowledged that for many organisations being able to prove that they adhere to the GDPR will be an advantage. For that purpose, data protection certification mechanisms and data protection seals and marks are being introduced.
Local governments have been given the ability to add or adapt provisions to fit their local data protection needs. Views on how much individuals' personal data should be protected, and from whom, are deeply rooted in local culture, and it is expected that many governments will make provisions for this.
The next step for any organisation, now that the final text of the GDPR is known, is to identify how this new legislation may impact them. This will of course vary per organisation, but in general terms privacy consists of making sure you address not only the legal aspects but all the other aspects highlighted above.
By Kumar Sumeet, Principal Security Consultant, RiverSafe