EU GDPR Demystified: A Straightforward Reference Guide for US Firms (Part Two)

Understanding whether a company is impacted by GDPR is a key first step. A survey carried out by Imperva at RSA 2017 found that just 43% of companies were preparing for GDPR, 29% were not preparing, and 28% were unaware of any specific preparations being made.

Even if a company has no base in one of the European Union’s 28 countries, it can still be held accountable if it mishandles the personal data of EU residents.

Part Two of "EU GDPR Demystified" will focus on how the GDPR legislation defines personal and sensitive data and examine the new requirements facing those that control and process personal data belonging to European Union residents.

How GDPR Defines Personal Data

Think of all the user data an organization collects, stores, and transmits, e.g., web forms, cookies, user preferences, etc. Under GDPR, all personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.

GDPR provides guidance on what constitutes personal identifiers. It is designed to align better with today’s technologies, services, and how firms collect and use personal data. In the GDPR legislation, personal data is defined as:

“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity” (see Article 4).

GDPR has also created special categories of personal data, which include highly sensitive data such as genetic information, political beliefs, and trade union memberships. Special rules apply here (see Article 9).

According to White & Case, companies need to think carefully about what they are collecting:

“For some organizations, the explicit inclusion of location data, online identifiers, and genetic data within the definition of ‘personal data’ may result in additional compliance obligations (e.g., for online advertising businesses, many types of cookies become personal data under the GDPR, because those cookies constitute ‘online identifiers’).”

How to Process Personal Data Lawfully

GDPR is quite strict on what the data controller and processor must do in order to process personal data. Here are the main rules:

  • Data must be collected for specified, explicit, and legitimate purposes.
  • Data must be limited only to what is needed for the specified purposes.
  • Every reasonable step must be taken to keep the data up to date.
  • Data must be kept in a form that permits the identification of data subjects for no longer than necessary for the specified purposes.
  • Data must be kept secure against loss, theft, and damage (see Article 5).

The processing of personal data can only lawfully take place if:

  • The EU data subject has given consent for data processing for specific purposes.
  • The processing is necessary to fulfill a contractual obligation to the EU data subject.
  • The data must be processed to comply with a legal obligation.
  • The processing is necessary to protect the vital interests of the data subject (see Article 6).

Many companies, once they consider what counts as personal data and what their responsibilities under GDPR are for collecting and processing it, are likely to take measures to reduce the amount of personally identifiable data they store, keeping only what is necessary and only for as long as necessary to fulfill the specific purpose.

User Consent and GDPR

One of the big challenges for organizations is to understand how they must revamp their consent procedures in order to legally process personal data. GDPR is clear that consent must be a specific, informed, unambiguous, and freely given agreement from the EU data subject. It must clearly indicate acceptance of the proposed data processing. Pre-ticked boxes or inactivity will not constitute consent.

“This could include ticking a box when visiting an internet website, choosing technical settings for information society services, or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes, or inactivity should not, therefore, constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes” (see Article 32).

What About Personal Data That Is Already Anonymized?

Data that is already anonymized, meaning the European subject cannot in any way be identified from the data, falls outside the scope of this legislation. The GDPR is concerned only with identifiable personal data.

“The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not, therefore, concern the processing of such anonymous information, including for statistical or research purposes” (see Article 26).

What Is Involved in Anonymizing Personal Data for GDPR?

Both data controllers and processors are mandated to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” This includes encryption and (a new concept for European data protection law) pseudonymization.

“Pseudonymization” refers to the practice of processing personal data in such a way that the data cannot be tied back to a specific individual without additional information that is held separately. It is effectively an additional privacy wall: the information that directly identifies an individual is kept apart from, and cannot be attributed to, the remaining personal and sensitive data. Pseudonymization can reduce the risks associated with data processing without negatively impacting the data’s utility; however, it is not designed to replace other security measures:

“The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection” (see Article 28).
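The distinction the two preceding sections draw, pseudonymized data (identifiers split off and held separately, so the controller can still link records and re-identify when needed) versus anonymized data (no way back to the individual, so the Regulation no longer applies), is easiest to see in code. The following is an added example written for this article; it is not code from the original post or from J.S. Held or TBG Security. It assumes a small customer dataset with `email`, `name`, `dob`, `country` and `purchase_total` fields (the records are constructed, not real people) and assumes the controller keeps the HMAC key and the identity map in a store separate from the pseudonymized working data. The `smallest_group_size` check at the end illustrates the caveat that dropping identifiers alone does not make data anonymous: small groups of generalized attributes can still single out a person.

```python
"""Pseudonymization versus anonymization of a small customer dataset.

Added example, not code from the original article. Assumed schema and
assumed separation of key/identity map from the working dataset.
"""
import hashlib
import hmac
from collections import Counter
from datetime import date

# Constructed sample records; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "name": "Alice Adams", "dob": "1985-04-12",
     "country": "DE", "purchase_total": 120.50},
    {"email": "bob@example.com", "name": "Bob Brown", "dob": "1990-09-30",
     "country": "FR", "purchase_total": 75.00},
    {"email": "alice@example.com", "name": "Alice Adams", "dob": "1985-04-12",
     "country": "DE", "purchase_total": 30.25},
]

# Fields that directly identify a person and must be split off.
DIRECT_IDENTIFIERS = ("email", "name", "dob")


def make_token(key: bytes, identifier: str) -> str:
    """Keyed pseudonym. HMAC-SHA256 gives the same token for the same person
    under one key, so records stay linkable for analytics, while anyone
    without the key can neither recompute nor reverse the token."""
    digest = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Return (working_records, identity_map).

    working_records carry a subject_token instead of the direct identifiers;
    identity_map is the separately held 'additional information' that maps a
    token back to the person. Store the two in different systems."""
    working, identity_map = [], {}
    for rec in records:
        token = make_token(key, rec["email"])
        identity_map[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        non_identifying = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"subject_token": token, **non_identifying})
    return working, identity_map


def reidentify(working_record, identity_map):
    """Re-identification only works with the separately held identity map."""
    return identity_map.get(working_record["subject_token"])


def totals_by_token(working):
    """Utility preserved: per-subject aggregates without any direct identifier."""
    totals = Counter()
    for rec in working:
        totals[rec["subject_token"]] += rec["purchase_total"]
    return dict(totals)


def age_band(dob_iso: str, today: date) -> str:
    """Generalize an exact birth date to a ten-year band."""
    dob = date.fromisoformat(dob_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymize(records, today=date(2018, 5, 25)):
    """Drop identifiers entirely (no token, no map) and generalize the
    quasi-identifier dob. Whether the result is truly anonymous still depends
    on how identifying the remaining attributes are; see smallest_group_size."""
    return [
        {"age_band": age_band(rec["dob"], today), "country": rec["country"],
         "purchase_total": rec["purchase_total"]}
        for rec in records
    ]


def smallest_group_size(records, quasi_identifiers):
    """Smallest number of records sharing the same quasi-identifier values
    (the k in k-anonymity). A value of 1 means some record is unique and
    the dataset should not be treated as anonymous."""
    groups = Counter(tuple(rec[q] for q in quasi_identifiers) for rec in records)
    return min(groups.values())


if __name__ == "__main__":
    key = b"controller-held-secret-key"  # assumed to live in a separate key store
    working, identity_map = pseudonymize(RECORDS, key)
    print("pseudonymized:", working)
    print("re-identified first record:", reidentify(working[0], identity_map))
    print("totals per subject:", totals_by_token(working))
    anon = anonymize(RECORDS)
    print("anonymized:", anon)
    print("smallest group:", smallest_group_size(anon, ("age_band", "country")))
```

In practice the key and the identity map would sit in a separately access-controlled system from the working dataset, and the `smallest_group_size` result drives the decision to generalize further (wider age bands, coarser geography) before treating a dataset as anonymous.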

What Are the Security Implications for Data Processors and Controllers?

Under GDPR, both the controller and processor will be responsible for ensuring a “level of security appropriate to the risk.” The controller will need to ensure and demonstrate that processing is performed in accordance with this regulation. This means that the controller will be responsible for selecting data processors that provide sufficient technical and organizational measures to meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Security considerations include:

  • Using pseudonymization and encryption to protect the personal data of EU subjects.
  • Ensuring system resilience in terms of confidentiality, integrity, and accessibility.
  • Being able to restore the availability of and access to personal data in a timely manner in the event of an incident.
  • Demonstrating a process for regular security testing.

Failure to do so puts the organization at risk of steep penalties, including a fine of up to €20 million or 4% of the previous year’s turnover.

TBG Security Recommends

The first task, outlined in the previous article of this series, was to determine whether a company is impacted by EU GDPR. Now that we have established a better understanding of how the GDPR defines personal and sensitive data, an information audit of any system that might collate or process personal data of European subjects is recommended.

It is wise to consider bringing in outside help for this task. For one, internal resources always develop a few blind spots, which can be much more easily seen by an expert unfamiliar with the system architecture. Second, having external readiness-assessment experts can radically speed up the process, saving both time and money.

Additionally, this information will be invaluable when meeting with senior stakeholders, decision-makers, lawyers, data managers, and cybersecurity experts to flesh out all the implications, if any, that GDPR may impose on operations.

In the next GDPR post, we will provide a curated checklist of issues to consider to aid in the journey to comply with the new European GDPR regulation coming into effect in May 2018.

Acknowledgments

We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.

Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.

Kevin can be reached at [email protected] or +1 843 890 8596.


This publication is for educational and general information purposes only. It may contain errors and is provided as is. It is not intended as specific advice, legal, or otherwise. Opinions and views are not necessarily those of J.S. Held or its affiliates and it should not be presumed that J.S. Held subscribes to any particular method, interpretation, or analysis merely because it appears in this publication. We disclaim any representation and/or warranty regarding the accuracy, timeliness, quality, or applicability of any of the contents. You should not act, or fail to act, in reliance on this publication and we disclaim all liability in respect to such actions or failure to act. We assume no responsibility for information contained in this publication and disclaim all liability and damages in respect to such information. This publication is not a substitute for competent legal advice. The content herein may be updated or otherwise modified without notice.
