Understanding whether a company is impacted by GDPR is a key first step. A survey carried out by Imperva at RSA 2017 found that just 43% of companies were preparing for GDPR, 29% were not preparing, and 28% were unaware of any specific preparations being made.
Even if a company has no base in one of the European Union’s 28 countries, it can still be held accountable if it mishandles the personal data of EU residents.
Part Two of "EU GDPR Demystified" will focus on how the GDPR legislation defines personal and sensitive data and examine the new requirements facing those that control and process personal data belonging to European Union residents.
Think of all the user data an organization collects, stores, and transmits, i.e., web forms, cookies, user preferences, etc. Under GDPR, all personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
GDPR provides guidance on what constitutes personal identifiers. It is designed to align better with today’s technologies, services, and how firms collect and use personal data. In the GDPR legislation, personal data is defined as:
"Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity” (see Article 4).
GDPR has also created special categories of personal data, which include highly sensitive data such as genetic information, political beliefs, and trade union memberships. Special rules apply here (see Article 9).
According to Whitecase, companies need to think carefully about what they are collecting:
“For some organizations, the explicit inclusion of location data, online identifiers, and genetic data within the definition of “personal data” may result in additional compliance obligations (e.g., for online advertising businesses, many types of cookies become personal data under the GDPR, because those cookies constitute 'online identifiers')."
GDPR is quite strict on what the data controller and processor must do in order to process personal data. Here are the main rules:
The processing of personal data can only lawfully take place if:
It is likely that many companies, once they have considered what counts as personal data and what their responsibilities under GDPR are for collating and processing it, will look for ways to reduce the amount of personally identifiable data they store: keeping only what is necessary, and only for as long as necessary, to fulfil the specific purpose.
One of the big challenges for organizations is to understand how they must revamp their consent procedures in order to legally process personal data. GDPR is clear that consent must be a specific, informed, unambiguous, and freely given agreement from the EU data subject. It must clearly indicate acceptance of the proposed data processing. Pre-ticked boxes or inactivity will not constitute consent.
“This could include ticking a box when visiting an internet website, choosing technical settings for information society services, or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes, or inactivity should not, therefore, constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes" (see Article 32).
Data that is already anonymized, where the European subject cannot in any way be identified from the data, falls outside the scope of this legislation. The GDPR is all about identifiable personal data.
“The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not, therefore, concern the processing of such anonymous information, including for statistical or research purposes” (see Article 26).
Both data controllers and processors are mandated to implement “appropriate and organisational measures to ensure a level of security appropriate to the risk.” This includes encryption and (a new concept for European data protection law) pseudonymization.
"Pseudonymization" refers to the practice of processing personal data in such a way that the data cannot be tied back to a specific individual without additional information. It is effectively an additional privacy wall: the information that directly identifies an individual is kept separate from the remaining personal and sensitive data and cannot be linked back to it on its own. Pseudonymization can reduce the risks associated with data processing without negatively impacting the data's utility; however, it is not designed to replace other security measures:
“The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of "pseudonymisation" in this Regulation is not intended to preclude any other measures of data protection” (see Article 28).
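An added illustration (not from the original article) of the separation described above: direct identifiers are replaced with a keyed token, the token-to-identity lookup table is held apart from the analysis copy, and the analysis copy stays useful for aggregation. The records, field names and key are constructed for the example; the lookup table and key are the "additional information" that still need their own protection, which is why pseudonymized data remains in scope.

```python
import hashlib
import hmac
import secrets

# Fields treated here as direct identifiers; everything else stays available for analysis.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records (hypothetical values, not taken from the article).
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.test", "country": "IE", "orders": 3},
    {"name": "Ben Example", "email": "ben@example.test", "country": "FR", "orders": 1},
    {"name": "Ada Example", "email": "ada@example.test", "country": "IE", "orders": 2},
]


def make_token(key: bytes, identity: str) -> str:
    """Keyed pseudonym: the same person always maps to the same token, but only
    someone holding the secret key can reproduce or verify the mapping."""
    digest = hmac.new(key, identity.strip().lower().encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymize(records, key):
    """Split records into an analysis copy with no direct identifiers and a
    separately held lookup table mapping token -> identifying fields."""
    analysis, lookup = [], {}
    for rec in records:
        token = make_token(key, rec["email"])
        lookup.setdefault(token, {f: rec[f] for f in DIRECT_IDENTIFIERS})
        stripped = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}
        stripped["subject_token"] = token
        analysis.append(stripped)
    return analysis, lookup


def orders_per_subject(analysis):
    """Utility is preserved: totals per subject without ever seeing a name or email."""
    totals = {}
    for rec in analysis:
        totals[rec["subject_token"]] = totals.get(rec["subject_token"], 0) + rec["orders"]
    return totals


def reidentify(token, lookup):
    """Re-identification is only possible with the separately stored lookup table."""
    return lookup.get(token)


def contains_direct_identifier(analysis):
    """Check used before handing the analysis copy to a processor or analyst."""
    return any(f in rec for rec in analysis for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept by the controller, outside the analysis store
    analysis, lookup = pseudonymize(SAMPLE_RECORDS, key)
    print(orders_per_subject(analysis))
```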
Under GDPR, both the controller and processor will be responsible for ensuring a “level of security appropriate to the risk.” The controller will need to ensure and demonstrate that processing is performed in accordance with this regulation. This means that the controller will be responsible for selecting data processors that provide sufficient technical and organizational measures to meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Security considerations include:
Failure to do so puts the organization at risk of steep penalties, including a fine of up to €20 million or 4% of the previous year’s turnover.
The first task, outlined in the previous article of this series, was to determine whether a company is impacted by EU GDPR. Now that we have established a better understanding of how the GDPR defines personal and sensitive data, an information audit of any system that might collate or process personal data of European subjects is recommended.
It is wise to consider bringing in outside help for this task. For one, internal teams always develop a few blind spots that are much easier to see for an expert unfamiliar with the system architecture. Second, external readiness-assessment experts can radically speed up the process, saving both time and money.
Additionally, this information will be invaluable when meeting with senior stakeholders, decision-makers, lawyers, data managers, and cybersecurity experts to flesh out all the implications, if any, that GDPR may impose on operations.
In the next GDPR post, we will provide a curated checklist of issues to consider to aid in the journey to comply with the new European GDPR regulation coming into effect in May 2018.
We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.
Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.
Kevin can be reached at [email protected] or +1 843 890 8596.