Roll up, roll up, shouts the cybersecurity tout at the conference. “Are you ready to be dazzled by our GDPR product, service and expert?”
We smile, groan or “tut tut.” We watch, listen, agree to a meeting, or scold and walk away.
Everyone's an “expert” these days and all products solve the problem of GDPR, or at least that's what we're being told.
Whether this is the case or not, we can be sure of one thing. The General Data Protection Regulation (GDPR) will come into force in less than a year's time, on May 25th 2018, and it will replace the existing data protection framework under the EU Data Protection Directive.
Personally, I see this as a good thing. But many business owners in my network are concerned, and regularly ask me: What exactly does this mean? How does it change things? Who will be affected? How much will it cost to become compliant? How long will it take to become compliant? Will those huge fines really be levied?
Cybersecurity professionals ask me: Does it present an opportunity for us in cybersecurity? Can it enable better protection for all data, improved security processes, increased budgets, and access to the top table? And, can we trust the GDPR vendors, service providers and so called “experts” to help us navigate the regulation and implement changes?
Having performed research, accessed my own trusted sources for answers, and listened to knowledgeable professionals discuss this at conferences recently, like Quentyn Taylor, Dhivya Venkatachalam, Mark Crosbie, Dane Warren, and David Joao Vieira Carvalho, I want to share my findings with you.
I also want to let you know that if you'd like to know more about GDPR, you can sign up for Microsoft Office’s next episode of Modern Workplace, GDPR: What you need to know, which is airing on June 13th, 2017 at 8 AM PDT/ 4 PM BST.
Let's start by examining, albeit briefly in this post, what the GDPR is, and what it aims to do.
What is the GDPR? The GDPR is a regulation that's been in the making for years. It's been created to modernise and simplify data protection for international business by unifying regulation within the EU, and to give control back to EU citizens and residents over their personal data. It applies to all companies that collect and process personal data of EU citizens and residents. And, essentially, it's become the first global data protection law with time-specific breach notification guidelines and potentially hefty sanctions for non-compliance.
The GDPR specifies many requirements, is complex, and subject to interpretation, but the areas that seem to be causing debate amongst those made accountable for it are those that deal with new obligations on such matters as: data subject consent, data anonymisation, data breach notification, data mapping, cross-border data transfers, data privacy by design, liabilities for data controllers and processors, and the appointment of Data Protection Officers (DPOs). The reasons why are obvious – these requirements involve major operational reform.
Let's look at them in a bit more detail.
Data privacy and data protection. The GDPR is only interested in personal data, which it defines as “any information relating to an identified or identifiable natural person,” and as a result it's doing two things. Firstly, it's adjusting the balance between data privacy and data protection. Secondly, it's broadening the definition of personal data and bringing new kinds of personal data under regulation.
For example, it considers any data that can be used to identify an individual (data subject) as personal data, i.e. direct identifiers like a name, home address, photo, email address, ID number, bank details, posts on social networking websites, plus online identifiers such as IP addresses, cookies, RFID tags, mobile device IDs, etc. It also outlines special provisions and compliance requirements for “sensitive personal data” which include genetic data, biometric data, health data, religious or philosophical beliefs, trade union membership, and data relating to sexual orientation, race, ethnicity, political opinions, and so on.
Consent to collect and use personal data. Under the GDPR all organisations collecting personal data must be able to provide proof that consent was given. This needs to be explicit and specific for the exact purpose for which the data is held or processed. This means that going forward they'll need to be able to explain what personal data will be collected, how it will be processed, and how it will be used. It also means that they'll need to interrogate all the personal data they currently hold, electronically and non-electronically, and find out whether they have the right level of consent; if they don't, they'll have to delete it.
The right to be forgotten. The GDPR requires organisations not to hold personal data for any longer than is absolutely necessary, not to change the use of the personal data from the purpose for which it was originally collected unless consent is given, and to be able to delete any personal data at the request of the data subject.
Pseudonymisation. The GDPR defines this new concept as the processing of personal data so that it can't be attributed to a specific data subject without the use of additional information. This additional information must be kept separately and be subject to technical and organisational measures to ensure that the personal data isn't attributed to an identified or identifiable natural person. A good example of pseudonymisation is hashing or encryption, and when an organisation can effectively anonymise its personal data, it substantially mitigates its risk of GDPR non-compliance.
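As an added illustration (not code from the original post), here is what the separation described above looks like in practice: a keyed hash turns the direct identifier into a token, and the key is the "additional information" kept apart from the dataset; the same key is what lets the controller honour the erasure request described under the right to be forgotten. The records and e-mail addresses are constructed placeholders, and the function names are my own.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the addresses are placeholders, not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "purchase": "printer"},
    {"email": "bob@example.org", "purchase": "laptop"},
    {"email": "Alice@Example.org", "purchase": "toner"},
]

def generate_separation_key() -> bytes:
    """The 'additional information' the regulation describes: a secret key that
    must be stored apart from the pseudonymised dataset (e.g. in a key vault)."""
    return secrets.token_bytes(32)

def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier. The same identifier under
    the same key gives the same token, so records can still be joined for
    analysis, but without the key the token cannot be attributed to a person.
    A plain unkeyed hash would not meet that bar, because common identifiers
    such as e-mail addresses can be guessed and hashed by anyone."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()

def pseudonymise_records(records: list[dict], key: bytes) -> list[dict]:
    """Replace the direct identifier in each record with its pseudonym."""
    return [{"subject": pseudonymise(r["email"], key), "purchase": r["purchase"]}
            for r in records]

def belongs_to(token: str, candidate_email: str, key: bytes) -> bool:
    """Attribute a token to a known data subject. Only the party holding the
    separately stored key (the controller) can do this; an analyst working on
    the pseudonymised dataset alone cannot."""
    return hmac.compare_digest(token, pseudonymise(candidate_email, key))

def erase_subject(pseudonymised: list[dict], email: str, key: bytes) -> list[dict]:
    """Honour an erasure request (right to be forgotten) against the
    pseudonymised dataset: the key is needed to find the subject's records."""
    target = pseudonymise(email, key)
    return [r for r in pseudonymised if not hmac.compare_digest(r["subject"], target)]

if __name__ == "__main__":
    key = generate_separation_key()
    data = pseudonymise_records(SAMPLE_RECORDS, key)
    print(data)
    print(erase_subject(data, "alice@example.org", key))
```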
Data mapping and cross-border transfers. Although the GDPR doesn't make huge changes to the provisions of the EU Data Protection Directive, it does introduce some new clauses for cross-border data transfers and some important changes to the recognition of “adequate” countries. Many see this as the right thing to do, as IT isn't static, suppliers continually change, and the Internet knows no boundaries. Furthermore, with the globalisation of IT, many organisations are struggling to pinpoint where their data actually resides at any given time, and that obviously presents a risk when having to secure it.
The appointment of Data Protection Officers (DPOs) for certain organisations. Irrespective of a company's size, the GDPR requires public authorities processing personal information to appoint a DPO, as well as other entities when “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.” The regulation views the DPO as an extension of the data protection authority, i.e. they are there to ensure personal data processes, activities and systems conform to the law by design.
Mandatory privacy impact assessments (PIAs) and privacy by design. Where privacy breach risks are deemed high, the GDPR requires data controllers to conduct PIAs. This means that when projects involve personal data, privacy will have to be considered from the start and be built into processes and technologies by design. These types of projects will need to begin with a privacy risk assessment, and there will need to be close collaboration with the DPO so compliance can be ensured throughout the project's lifecycle. Many professionals see this as a good thing, as it presents another opportunity to get access to the top table.
Liability for data processors as well as data controllers. Up until the GDPR, liability for data processing only affected data controllers (those who owned the data). Now, under the GDPR this responsibility and liability is extended to all organisations that touch personal data.
Data breach reporting. The GDPR requires organisations to notify the relevant data protection authorities within 72 hours of discovering a personal data breach, in other words, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Having a limited breach notification time-frame means that organisations will need to ensure they've got adequate people, processes and technologies in place to help them detect and respond. They'll need to present a security breach report to the right supervisory body, which will need to include the facts surrounding the breach, the effects of the breach, the actions taken after the breach, and the DPO's contact details if appropriate.
Fines and sanctions. Under the GDPR there are a wide variety of sanctions that can be imposed, and in a number of ways. For example, some might result in a written warning, or regular periodic data protection audits, or fines. If it's the latter, these will be split into two broad categories:
- The highest category (Article 83(5)) is up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater. This fine applies under certain criteria, for example, for breaching: the basic principles for processing (including conditions for consent and data subjects' rights); international transfer restrictions; and any obligations imposed by Member State law for special cases (e.g. processing employee data and certain orders of a supervisory authority).
- The lower category (Article 83(4)) is up to €10 million or 2% of the organisation's annual global turnover for the preceding financial year. This fine applies if there's been a breach of the obligations of controllers and processors (including security and data breach notification obligations), certification bodies and a monitoring body.
Finally, in terms of whom to trust when it comes to GDPR vendors, service providers and experts, my advice is to ask your trusted sources or to crowdsource the information you require. There are many vendors and consultants in the market who can help and who operate with integrity.
Now I want to hear from you…
- Tell me what aspect of the GDPR challenges you, or if you’ve got more advice please let me know and share it here.
- Then, if you'd like to know more about GDPR, sign up for Microsoft Office’s next episode of Modern Workplace, GDPR: What you need to know, which is airing on June 13th, 2017 at 8 AM PDT/ 4 PM BST.
During this episode you'll hear from two experts who'll be taking a closer look at the global impact of this all-encompassing privacy law. Brendon Lynch, Microsoft’s Chief Privacy Officer will share his tips on how to move your organisation towards GDPR compliance. Karen Lawrence Öqvist, who's an expert in the GDPR and the CEO at Privasee, will also offer an EU perspective on this new law. Together, these experts will give you insights on how you can best strategise to meet your most urgent cybersecurity needs as they pertain to the GDPR.
Finally, in the spirit of full disclosure, please be aware that I’ve received compensation for promoting this #ad for Microsoft Office Modern Workplace Episode. Because your success is important to me, I only align myself with brands I believe in, and Microsoft is one of them.