1. Please clarify what GDPR is?
Regulation (EU) 2016/679 repeals Directive 95/46/EC (referred to as General Data Protection Regulation - GDPR) and seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States. The new data protection regulation will also be known as GDPR
As countries within the EU trade across a borderless Europe there is a need to share and exchange personal data freely, and therefore a need for a more robust regime to protect personal data (often referred to as PII (Personally Identifiable Information)). This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and to the well-being of individuals, backed by strong enforcement
- Data protection breaches, right across the globe, continue unabated. As the collection, handling, processing, analysis, sharing and reporting increases exponentially between organisations – certainly with the use of ‘big data’ - there is a need to ensure that the rights of individuals are appropriately protected
- Additionally, lax control and processing of personal data, resulting in the unauthorised exposure of an individual’s personal information will no longer be tolerated. The consequence of infringements will be very significant financial sanctions against transgressors
- GDPR comprises 11 Chapters and 99 Articles* Whilst there is a considerable framework and supporting information already published, there’s still many details still to come. We will see more clarification as over the coming months, and lots of discussions interpreting the various requirements
- You may wish to visit our own article highlighting what Jirasek Security can be in a position to assist you in your preparation
2. When will GDPR come into force?
Unlike a Directive, the Regulation does not require any enabling legislation to be passed by national governments and will enter into application on 25th May 2018
- This is just the start line: therefore, organisations must have implemented all the necessary requirements by May 2018
- The impact of this new regulation should not be underestimated. Responsibilities and accountability go beyond current EU Member State data protection legislation. Business process, administrative, procedural and technical amendments will be required
3. How should I implement GDPR?
As mentioned previously, there are many changes to current Member State legislation and these will need careful handling. Those companies that have no or poor current data protection practises will struggle to meet the deadline. You should start immediately
- Assemble a task force as soon as possible, and appoint a Board member to sponsor, support and fund the project
- There will be extra staff requirements, many will need data and privacy skills, knowledge and experience. Without the right expertise, organisations will struggle to meet the deadline
- Current thinking is that in Europe alone there will need to be an additional 18,000 appointees to handle the protection of personal data. Globally this is estimated at 75,000
4. Is GDPR now complete?
Although the regulation documentation has been completed there are still robust debates because not all details are known. The Article 29 Working party will continue to provide guidance and clarification as we near the implementation data
- The new regulation is already giving rise to many discussions and controversy: amendments are still being proposed
- Interpretations – even our own - will continue for years to come, even after the 25th May 2018
5. Can you clarify what is personal data?
Article 4 gives very specific definition thus: ‘‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’
The regulation does not apply to the processing ‘…of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data…’
- Under the DPA 1998 personal data wasn’t prescribed in this way, more a general leaning that is generally any 2 items of information that could identify an individual was deemed to be personal data
- Data can be electronic and physical
- Personal data must be processed lawfully, fairly and in a transparent manner
6. Can you clarify what is sensitive data?
GDPR identifies this as “special category” information fairly succinctly: " Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.”
- Article 9 provides for exceptions such as where it is required by entities such as legal authorities, public interest, health matters etc.
7. How accountable will companies be?
The regulation requires that all organisation must be transparent in the way that they handle the processing of personal data
- This doesn’t mean that the company has to divulge its technical secrets. This is more that if and when audited (and probably more importantly if they are subject to an investigation by a Member State supervisory authority – for the UK this is currently the ICO) that entities are able to show clear and documented capabilities on the technical, procedural, policy elements of data governance they use to keep PII safe and secure
- Audit records would be a good place to start, as is the collecting and analysis of data transfer logs, especially where PII is farmed out to a data processor
- Records of consent, DPIA documentation would also be acceptable proof
- We would also expect to see how policies are enforced and how effective data privacy awareness training is handled and recorded
8. What are the news rules regarding consent?
The controller shall be able to demonstrate that the data subject has given explicit consent to processing of his or her personal data
However, Consent for children under 13 must be given by child’s parent or custodian, and verifiable (Article 8). Data controllers must be able to prove "consent" (opt-in) and consent may be withdrawn.
- Organisations must show clearly, on demand by any authorised body, documented consent and for what reason the data is being used
- This is an additional element when compared to the UK DPA 1998. Companies can no longer rely on a blanket ‘opt-out’
- Data subjects should also be kept informed should their personal data usage change
9. What does the ‘Right to be Forgotten’ mean?
Article 17 refers to the Right to erasure, often referred to as the Right to be forgotten where the data controller shall on request erase the personal data of the data subject, and without undue delay
- Erasure must be undertaken if the data subject withdraws his/her consent or if the data is being unlawfully processed. Exemptions exist for example for appropriate regulatory or legislative obligations
- Typically, this happens quite a lot currently, where personal data is collected for a valid reason, and is then used for say marketing purposes without the express wish of the individual
10. The UK is leaving EU, will GDPR still apply?
- Brexit will make little difference to the implementation of the new European data protection regulations. The UK will still be part of the EU come May 2018
- However, Elizabeth Denham, Information Commissioner at the ICO has already said that the UK will be embracing GDPR. The Regulation is aimed at consistency and harmonisation across the EU, and the UK will continue to provide services to other EU Member States
- Additionally, the new law is globally reaching: it will be applicable to any organisation that processes EU citizen data
- In Article 3 this is known as ‘Territorial scope’
11. Do I need to appoint a DPO?
It will be mandatory where the processing is carried out by a public authority or body, the processing is carried out by a public authority or body, except for courts acting in their judicial capacity, and personal data relating to criminal convictions and offences
- It seems sensible to appoint a DPO in all cases where personal data is being processed, either by a controller or processor
- You may hear someone say that if an entity is less than 250 employees they do not need a DPO. This is incorrect. That number refers to record keeping but there are also criteria / caveats attached to this (Article 30)
- However, we know that in Germany there will be strict criteria of who that may (or may not) be appointed to be a DPO because of a conflict of interest. For example, in one case a company has already been fined for appointing an IT Manager as their DPO
- Although an appointee doesn’t have to be someone dedicated to data protection he/she must be an expert, where Article 37 specifically says, “…shall be designated on the basis of professional qualities and, in particular, expert knowledge of law and practices…”
- There is nothing to stop an organisation outsourcing the role of DPO
- DPOs are not personally responsible in case of non-compliance with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is performed in accordance with its provisions (Article 24(1)). Data protection compliance is a responsibility of the controller or the processor.
12. Are the basic data protection principles the same?
Almost. In both cases personal data processed lawfully, fairly and in a transparent manner in relation to the data subject, and it must be accurate
- The DPA 1998 has 8 principles but the GDPR has only 6
13. Can you clarify the fines that may be imposed: is it 2% or 4%?
Both percentages are correct, it depends on which Articles are infringed as to what Administrative fines shall be levied
- Up to €20 million or 4% of total world-wide annual turnover for the preceding financial year, whichever is the greater for Articles 5, 6, 7 & 9, 12-22, 44-49 and other obligations pursuant to certain Chapters
- Up to €10 million or 2% of total world-wide annual turnover for the preceding financial year, whichever is the greater for Articles 8, 11, 25-39, 42 and 43. Other Articles may also fall into this category
- It is likely that those organisations who take comprehensive and verifiable steps to protect PII that fines will be smaller or significantly reduced
- Important: for a single breach incident it is possible that multiple fines could be levied. For example, if PII is stolen and there is a potential for harm to come to data subjects, infringements could cover poor protection measures but also that if those individuals concerned aren’t notified in a reasonable time frame, that would constitute 2 separate infringements of GDPR
14. When should I report a potential breach?
Article 33 requires that a breach involving personal data shall be reported, “…without undue delay and, where feasible, not later than 72 hours after having become aware of it.”. Failure to do so should be made clear to the supervisory authority with reasons for that delay
Where that breach is, “…is likely to result in a high risk to the rights and freedoms of individuals…" the controller shall notify the data subject where the communication,"… shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures…” and what counter-compromise actions have been undertaken, without undue delay.
- Our opinion is that the data controller will need a watertight reason for not reporting within the timeframe. The Article specifically gives controllers the ability to report in stages if that is appropriate but, again, without undue delay
- It is extremely important to note that in addition to any administrative sanction they should consider other impacts and associated consequences. We have listed what we consider could be additional financial implications
- If data is anonymised or obfuscated in some way – termed ‘pseudonymisation’ in the Regulation - then if that data cannot be read without a special “key” then there is no need to report such the incident:
- A good example is data encryption where unless you have the decipher key then the information presented is mere gobbledygook, and a person’s identity cannot be derived from ‘word rubbish’
- It’s worth noting that the encryption key(s) must be itself protected from unauthorised access
- A key component within GDPR is that you must have some sort of incident management process in place, should a breach, loss, or compromise occur. Not only that, it must be published to the right counter-compromise teams and be well practised – see comment on fines above
- Where individuals’ personal data has been compromised you may wish to consider securing some form of monitoring such as that offered by companies such as Experian or Equifax as part of any impact reduction offering
15. What does privacy by design & default mean?
Articles 24 & 25 requires the data controller (and processor) to show that they have taken the necessary and appropriate measures to protect PII, such as plans, policies and technical controls, organisational controls such as data minimisation, access, period of storage, secure disposal (including technical erasure), ownership, and responsibility for PII.
The controller, ”…shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”
- We would expect organisations to have a map of where every data repository is located, what types of personal data is stored there, how data flows between systems, especially between the controller and any other 3rd party or data processor
- If a data processor cannot prove (evidence) that they have specific controls and measures in place then, as a data controller, we would have serious reservations about using that 3rd party partner
16. What’s the difference between a controller and a processor?
The data controller would always be responsible for the protection of PII, even if he/she outsources the actual processing and storage to a data processor. Therefore, the data controller owns responsibility of the data whether processing is outsourced to a 3rd party or not
- GDPR places additional legal obligations on processors that isn’t in the DPA 1998
- Processors are also required to maintain records of personal data and processing activities
- Organisations will need to review - and update - current contract documentation ensure that any 3rd party partner or data processor are aware of their new obligations under GDPR
- Entities must be ready to look at new contracts if a current processor either can’t or won’t comply with the new requirements
- As a reminder, data subjects own their personal data which is then used by someone else
17. What about PII that I have already?
If you haven’t already identified what PII you already have then you will need to start thinking about a data protection strategy without delay, otherwise you will not be ready for 25th May 2018
- Undertake a data privacy health check to provide a view of where you are and how big the compliance task ahead may be
- Look at GDPR governance, people and communication, policy and processes, current PII processing, technical controls and measures and current information security / cyber security strategy and measures in place
- It is seriously worth considering getting help in your preparation if you haven’t already done so, or to review the effort of your internal data privacy staff
- A key element is to investigate just what PII you do process, why, to what extent, and does it comply with both current and future EU legislation
- Start mapping those data repositories immediately
18. What is a DPIA?
The Data Protection Impact Assessment (DPIA) is a new name for the Privacy Impacts Assessment (PIA) that we currently undertake when deciding on new technical and procedural solutions to process personal data in some way
- It makes little difference if you call it DPIA or PIA or anything else
- Article 35 requires a DPIA in particular when using new technologies but also that the decision takes into account “...the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”
- The Regulation requires that DPIAs are always undertaken for the above purpose
- Article 36 influences the obligations under Article 35 in that the advice must be sought from the supervisory authority if the DPIA assessment indicates a very high risk to PII even after deploying mitigating controls
- Paragraph 7 of Article 35 provides the criteria to be applied for the assessment
19. Isn’t implementing GDPR costly?
Yes, it can be if you haven’t any current data protection in place, much less so if you are already caring for the safety and security of PII
- The main reason for this much stricter regime is that organisations haven’t been protecting PII to the required level of satisfaction, certainly when there are different data protection laws throughout the EU. The increase of data breaches, directly affecting individuals, is also indicating that entities aren’t keeping up with their need to continuously review their protection measures
- Therefore, administrative fines of up to €20 million or 4% of total world-wide annual turnover – together with the additional costs as noted above - will cost far more than biting the bullet
20. Can you explain the terms rectification and erasure?
There is no explicit description with the regulation and this is currently the topic of widespread debate. Rectification can mean that part of a record isn’t correct and that the data subject has requested that the anomaly be put right. Whereas erasure means that complete removal of data.
An important point to rectification and erasure is that after completion, there is an obligation for the, “…notification of such actions to recipients to whom the personal data have been disclosed Article 17(2) and Article 19”.
- It is prudent to think about data both in its electronic form and as a physical document
- The controller must accede to a request from a data subject within 30 days or give a reason why the request cannot be complied with
- On area of deliberation is how can archived data be effectively erased or destroyed. There is considerable difficulty in finding a single record amongst hundreds of thousands, spread over many electronic media, i.e. backup tapes going back months, years
- Computer media and documents can also be securely destroyed, for example shredding of documents, physical destruction of hard disks, degaussing of magnetic media. Not forgetting that not all computer media is magnetic, such as DVD’s, whilst hard drives are ‘mag media’ as are tape drives
- Debates about erasure include the degaussing, which is the process of decreasing or eliminating a remnant magnetic field. In essence some form of magnetism is passed over the medium which disrupts the data stored so that it is no longer readable or can be reconstructed. There are differences of opinion as to how effective this is
21. What’s this I hear about transparency?
Transparency is mentioned in several Articles and is a key principle of GDPR whereupon organisations must be able to prove that they have the necessary organisational, technical and procedural measures in place. Controllers are required to maintain a record of processing activities under its responsibility
- Article 30 provides a list of requirements and links to Article 32 in which the data controller must show that the technical and organisational security measures are adequate to protect the data
22. Is there a glossary of terms?
Whilst there isn’t a glossary the GDPR documentation provides several pages of definitions to help us better understand the new requirements
- This list is not exhaustive, such as the terms ‘rectification’ and ‘erase’, and expect this to grow
23. What challenges do you envisage?
From discussions with colleagues in the IT, cyber security, data privacy and compliance teams they are experiencing a range of challenges. Below is a selection of data protection failings we come across daily
- Unstructured data: certainly within files stores, spreadsheets, duplication of data by various teams
- Silo mentality: teams rarely work in unison, but create their own data stores
- Lack of control of egress: few controls to prevent PII leaving the organisation
- Lack of internal control: data sprawl and duplication within SharePoint
- Personal data being retained for far too long: and never disposed of or erased securely
- Little transparency: organisations hiding their (lack of effective) controls
- IT: often a lack of appropriate technical controls
- Data repositories: often there’s no idea which systems handle or share personal data
- Misuse of PII: used for other than its original purpose. Business and IT development teams are often guilty of this infringement
- Privacy Impact Assessment (PIA): project managers often fail to undertake a PIA – known as a Privacy Impact Assessment (called DPIA under GDPR) where personal data is involved
- PII responsibility: disparate accountability and ownership for PII throughout an organisation