GDPR Compliance – A Primer
Starting May 25th 2018, businesses across EU, who handle private data of Europeans, need to comply with regulation GDPR – General Data Protection Regulation. At its core GDPR has sweepingly wide scope and requires any organization that processes, holds, or owns European data or is based in the EU needs to adhere to the regulation.
So irrespective of where an organization physically is in the world or in the value chain hierarchy of services – It needs to comply with GDPR, even if it holds/processes personal data of even 1 European user or customer.
The European Data Protection Directive (Directive 95/46/EC) on the protection of individuals with regard to the processing of personal data and on the free movement of such data) is adopted. This directive was written before the explosion of internet and data. The directive itself was non-binding and law enforcement rules differed wildly from country to country in European Union.
With passage of time, European economy got further globalized and resulted in business relationships & partnerships with countries within and outside EU. As part of these relationships, data started flowing amongst the countries where data privacy and security standards may or may not be at the same level as in EU.
In spirit this regulation, gives control to European citizens over their data and control its use for business reasons.
The regulation itself is sweeping in its scope and nature, hence we are quoting few articles, we believe are of utmost importance for IT Security.
- Who should comply with GDPR – any company either based in the EU or which deals with any data involving EU citizens or organizations are required to comply. This directive includes any service provider such as an IT service provider who merely is managing IT infrastructure into its ambit.
- What constitutes Personal Data under GDPR – Under GDPR, Personal data covers a much wider range of information that may include social media posts, photographs, lifestyle preferences, IP Addresses, Cookie ids and transaction histories. In other words, all PII is personal data but not all personal data is PII. Building a successful GDPR compliance program will require to consider the full range of personal data as defined by the EU.
- Breach Notification & Management – GDPR has a well-defined notification protocol to handle breaches where customer data might have been compromised. For example, companies will need to report any breaches to country’s Data Protection Authority within 72 hours. Data processors or any service providers who do not hold the data but process it also need to make disclosures.
- Data Protection Officer (DPO) – GDPR envisages a separate role DPO to ensure organization’s compliance with GDPR. DPO is responsible to manage and implement policies in line with GDPR regulations throughout data lifecycle.
- Single Supervisory Authority – EU has setup a single authority to deal with GDPR regulations as opposed to earlier regime of leaving it open for individual countries.
Article 25, 32, 35 provide certain focus areas for the organizations in terms of technology, application, infrastructure and other technical aspects.
Article 32(b) mentions in particular:
Article 32 nudges towards risks
GDPR regulations stipulate to apply controls commensurate with the level of risk. For example, some or all of the following controls may need to be implemented depending upon type of data in question –
- Data Encryption
- Pseudonymization of data
- Robust Vulnerability Management Program (See our white paper on Vulnerability Maturity Model)
- Segregation of duties
- Principles of least privilege
Article 58 of the GDPR provides the supervisory authority sweeping powers to levy fines under Article 83 based on several factors, including:
- The nature, gravity and duration of the infringement (e.g., how many people were affected and how much damage was suffered by them)
- Whether the infringement was intentional or negligent
- Whether the controller or processor took any steps to mitigate the damage
- Technical and organizational measures that had been implemented by the controller or processor
- Prior infringements by the controller or processor
- The degree of cooperation with the regulator
- The types of personal data involved
- The way the regulator found out about the infringement
Quantum of fine is pretty hefty. Some of the criteria is –
- The greater of €10 million or 2% of global annual turnover – In case the default is on technical measures.
- The greater of €20 million or 4% of global annual turnover – In case default is on the corec provisions of GDPR