On May 25, 2018, the European Union (EU) gave effect to the General Data Protection Regulation (GDPR) that establishes personal data protection principles and requirements and is aimed to uphold the rights of personal data subjects. It imposes harsher punishments for a failure to comply with personal information storage and processing rules, sets global data protection standards, and regulates cross-border data transfer.
The new regulation applies to all European and foreign companies, including Russian ones, that provide services within the European Economic Area or process large volumes of personal information of subjects (individuals) inside the European Union (e.g., online stores, airlines, and banks), with transparent data processing being the main requirement.
The GDPR introduces two terms for organizations: ‘data controller’ and ‘data processor’. ‘Data controller’ means an organization that initiates and ensures proper processing of personal data of its employees or customers, secures the rights of data subjects, and reports to the supervisory authority. A data controller may delegate this role to a data processor. ‘Data processor’ means an organization that processes personal data on behalf of a data controller. However, it is a data controller, who shall be held liable for any personal data breach during processing or data processor’s misconduct. An organization can act as a data controller and processor at the same time, e.g. it may process personal data of customers, while also being a controller of employees’ personal data.
The new regulation is intended to better secure personal information of individuals located inside the EU. According to InfoWatch Analytical Center, personal data breach accounted for 64.8% of the total number of leaks from organizations worldwide in 2017. Personal data stolen by intruders are used in fraud schemes that may result in financial and reputational losses for a victim.
GDPR-compliant legal entities will be more trusted by European customers and counterparties and thus will be able to expand their business and customer relations. Moreover, the new regulation has superseded several regional laws and covered the entire European Union. Now, Russian companies that either have branches in Europe or simply process personal data of subjects located in the EU (e.g., ticket sales companies) need to comply with the uniform legislation, rather than separate regulations of various countries as before.
However, the GDPR establishes huge penalties for violators. Thus, a company must pay the greater of 4% of its annual worldwide turnover or €20 million if it violates basic processing principles or data transfer rules, ignores a data processing prohibition imposed by the supervisory authority, infringes upon data subject's rights, and so on. A smaller yet significant fine of €10 million or 2% of annual worldwide turnover shall be imposed on a company that violates the procedure of data breach notification, lacks a data protection officer (where necessary), illegally processes children’s personal data, etc. At the same time, the GDPR does not yet regulate fine imposition procedure for non-EU companies. For now, there are two possible scenarios in the event of a data processing violation by such businesses. First, a company at fault may be banned from processing personal data belonging to subjects inside the EU, in which case it won’t be able to maintain its relations with European customers. Second, if a Russian company acts as a data processor, then a fine will be imposed on a EU controller, which, in turn, will impose the same on such processor (the relevant clause shall be included in agreements between such companies).
Therefore, personal data processors should be absolutely sure they do not violate the GDPR requirements.
10 key steps to ensure GDPR compliance
Step 1. Audit personal data and document all personal data processing stages
For personal data processing to be recorded as per the GDPR, first thing a company should do is to audit personal data.
Even though the audit scope may differ from one company to another, it should at all times answer at least the following questions:
• What is qualified as ‘personal data’ under the GDPR?
• What personal data are collected and processed by the organization?
• Where are data stored (including third-party systems) and where are servers located?
• What is personal data lifecycle (from collection to deletion)? Are such data transferred to third parties?
• What is data storage period and format, including database type?
Step 2. Define legal basis for personal data processing
Once personal data are identified, categorized, and analyzed, a company should be able to explain data processing purposes. Pursuant to Article 5 of the GDPR, data processing must be ‘fair and legal’, with a data collection purpose being clearly defined, transparent, and legitimate. By including this provision into the personal data audit scope, companies will achieve GDPR compliance for their data processing processes much faster.
Step 3. Develop a personal data processing and protection policy
Personal data processing policy is an organization’s internal document that establishes underlying principles, on which such data must be processed and protected. Such policy must be updated on a regular basis, including when a company undergoes changes that may affect its data processing practices.
Step 4. Assign personal data protection officers
Companies must assign employees responsible for personal data protection. Moreover, companies that process personal data on a regular basis (such as mobile operators or behavioral ad providers), or process special personal data types (primarily, healthcare and insurance companies) should assign a Data Protection Officer (DPO) to be in charge of such processing, which is a mandatory requirement for government agencies.
A company located outside the EU must appoint a representative in a European country where personal data are processed, who in the event of a data breach shall act on behalf of the controller or processor and shall be fully liable for any violations to the supervisory authority.
Step 5. Assess information security risks, including Data Protection Impact Assessment (DPIA)
To effectively protect personal data, organizations need to assess their information security risks. Once it detects and records such risks, an organization should start implementing risk mitigation and elimination measures (for example, pass a resolution not to engage in any activity that may lead to risks or try to avoid such risks). However, a company may accept such risks and do its business accordingly.
A controller must assess its exposure to the risk of personal data breach if it employs innovative technology or if a personal data application field and processing purposes may pose a high risk to rights and freedoms of individuals.
Step 6. Secure data subject’s rights
The GDPR sets forth a number of data subject’s rights, such as the right to obtain, access, amend data, limit data processing, have their data erased and so on, with a focus being on transparency and accountability. Every such right requires the adoption of specific enterprise-wide processes to manage requests from individuals within the set timeframes. Some companies may need to make system-wide changes to implement necessary procedures.
Step 7. Deploy data subject request processing system
Individuals should be free to exercise their rights to amend personal data, limit processing thereof, have their data erased, etc., while an organization that receives a relevant request from a data subject must respond within one or two months (depending on request complexity and quantity). The GDPR does not specify any specific request processing tools, but requires that organizations provide e-request tools (in particular, when data are processed electronically). Therefore, both Russian and EU companies shall decide at their own discretion how data subjects will be able to request their personal data (e.g., via a special form on a website or a dedicated e-mail address). In any event, this tool should be efficient enough to enable a company to promptly process these requests. Moreover, Russian companies must give data subjects an opportunity to select a request language.
It should be noted that a company may charge a fee for or refuse to respond to unreasonable or excessive requests. In the event of a refusal, a company must justify it in writing (with a refusal reason specified).
Step 8. Implement necessary personal data protection measures
All organizations falling under the GDPR must adopt relevant measures to protect personal data processed by them, in particular:
• pseudonymize and encrypt personal data
• ensure confidentiality, integrity, accessibility, and resilience of data processing systems
• timely restore personal data access of both authorized persons and data subjects themselves in the event of any incidents (e.g., hacker attack or server damage by a flood)
• regularly test and evaluate technical and organizational measures for secure personal data processing
Step 9. Secure cross-border personal data transfer
The GDPR clearly differentiates between countries that ensure adequate personal data protection level recognized by the European Commission and all other countries. The former group includes Andorra, Argentina, Canada, the Faroe Islands, the island of Guernsey, Israel, the Isle of Man, the island of Jersey, New Zealand, Switzerland, Uruguay, and the USA. Pursuant to the GDPR, personal data may be legally transferred to these countries without a prior consent of the European supervisory authority, while receiving organizations located in any other country must give proper personal data protection guarantees.
Step 10. Develop and adopt incident response process
Businesses must develop and implement personal data breach response and investigation procedures, as well as report any such incident within 72 hours after becoming aware of it so as not to face a harsh punishment.
“Technical personal data protection tools include a wide range of systems, such as Data Loss Prevention (DLP), network security, encryption, Security Information and Event Monitoring (SIEM), enterprise perimeter security, pseudonymization, end user protection, Mobile Device Management (MDM) and Identity Management (IdM) systems, and anti-viruses,” said Maria Voronova, Consulting Team Leader, InfoWatch. “According to Osterman Research, Inc., when selecting necessary technical protection tools to ensure GDPR compliance, businesses will mainly opt for DLP systems that guarantee personal data confidentiality and thus should be implemented to meet various GDPR requirements.”
About
InfoWatch Group is a Russian vendor of end-to-end enterprise cybersecurity solutions that effectively protect businesses against the most pressing internal and external threats. InfoWatch annually boosts its product and solution sales and leads the DLP markets in Russia and the CIS, with the company’s products being also commercially available in Western Europe, the Middle East, India and Southeast Asia.
For the full text, click here: https://www.infowatch.ru/analytics/leaks_monitoring/20384