FireLight IT Solutions


GDPR Overview

General Data Protection Regulation (GDPR)


What is it?

GDPR is a regulation passed by the European Union (EU) that protects the personal data of EU citizens (also known as data subjects). GDPR defines personal data as any information relating to a data subject.


Who does it apply to?

A data subject is defined as: 

“an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

In short, a data subject is any EU citizen who has data about them collected by an organisation.

GDPR requires both the protection of personal data and evidence of the protection measures a business has in place for any location—physical or digital—where personal data is collected, processed, stored, or transmitted.

Under GDPR, organisations must be able to identify when personal data becomes exposed or compromised.

The regulation applies to organisations regardless of whether they’re located in the EU or not. To summarise Article 3 on Territorial Scope, GDPR applies to:

  • Any organisation in the EU, even if the processing occurs outside the EU

  • An organisation processing EU citizens’ data in the context of selling goods or services or monitoring data subjects’ behaviour in the EU. This applies even if the organisation is located outside of the EU

  • Data controllers (defined as the entities that determine the purposes, conditions, and means of the processing of personal data) that are located outside of the EU, but where EU law applies by virtue of international law

Additionally, GDPR keeps the rules around data transfers that were put in place for previous laws. Data transfers can typically occur only with nations that have adequate security protections. However, GDPR does also allow for codes of conduct and certifications that, when approved, allow for exceptions.


How to achieve it?

GDPR offers little prescriptive direction on achieving and maintaining compliance. However, it does demand compliance—and attaches significant penalties for non-compliance. It claims that technological measures for protecting personal or sensitive personal data include:

  • Data classification

  • Data loss prevention

  • Encryption

  • Managing consent more explicitly

  • Data transfer limitations

  • Technologies that enable data subjects to exercise their rights to access, rectify, and erase personal data held by data controllers.

Based on this, it will be helpful for businesses to employ IT security best practices and control frameworks such as Cyber Security Essentials (UK), ISO 27001, NIST 800, COBIT, and the CIS 20 critical controls.


Some GDPR Terms

A full list of the terms used by GDPR can be found here: https://www.eugdpr.org/glossary-of-terms.html.

Below are some of the terms you may have heard in relation to GDPR:

DATA CONTROLLER
- the entity that determines the purposes, conditions and means of the processing of personal data

DATA PROCESSOR
- the entity that processes data on behalf of the Data Controller

DATA PROTECTION OFFICER
- an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR

ENTERPRISE
- any entity engaged in economic activity, regardless of legal form, including persons, partnerships, associations, etc.

PERSONAL DATA
- any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person

PERSONAL DATA BREACH
- a breach of security leading to the accidental or unlawful access to, destruction, misuse, etc. of personal data


The Rights of Data Subjects Under GDPR

Data subjects also have additional rights under GDPR. The Right to be Forgotten, also known as the Right to Erasure, allows data subjects to demand that enterprises delete their personal data. When an enterprise receives one of these requests it should confirm why the data is being collected and whether it may be deleted; deletion may not be possible in some cases, for example because of other regulations.

The Right to Access, also known as the Subject Access Right, allows a data subject to have access to any personal information held by an enterprise. The data must be sent to the data subject in an electronic format; this is known as Data Portability.

The official descriptions of these rights are given below.

RIGHT TO BE FORGOTTEN
- also known as Data Erasure, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data

RIGHT TO ACCESS
- also known as Subject Access Right, it entitles the data subject to have access to and information about the personal data that a controller has concerning them

SUBJECT ACCESS RIGHT
- also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them

DATA PORTABILITY
- the requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller


Some of the Requirements for Enterprises

GDPR requires that enterprises obtain explicit consent for the collection, processing, storage, and transmission of data subjects’ personal data, and that consent must be freely given, specific, and informed. A data subject must review a statement and signify, via an explicit action, their agreement to the collection, processing, storage or transmission of that subject’s personal data.

Both data controllers and processors share joint liability for personal data protection under GDPR.

Some enterprises may be required to have a data protection officer (DPO). A DPO reviews an enterprise’s operations to build programs and processes that help the organisation comply with its GDPR obligations. A key responsibility of the DPO is to conduct a privacy impact assessment (PIA) on various processing activities. During a PIA, the DPO oversees an analysis of the personal data held by the enterprise as well as its security policies.

The notification requirement says that in the event of a data breach, the supervisory authority (SA) and any impacted data subjects should be notified within 72 hours of discovery.


Do I need a Data Protection Officer (DPO)?

You are required to appoint a DPO for your business if the core activities of your company consist of personal data processing which:

  • requires regular and systematic monitoring of individuals on a large scale; or

  • is about special categories of data on a large scale and data relating to criminal convictions and offences. ‘Special categories of data’ is the type of data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; genetic data, biometric data or data concerning health or sex life and sexual orientation.

However, the current draft Data Protection Bill requires all data controllers to appoint a DPO (unless the controller is a court, or other judicial authority, acting in its judicial capacity). You should therefore look to appoint a suitably qualified person to take on the role of DPO. The Data Protection Officer should have no conflict of interest with their other duties. In particular, you should not assign this role to any person who holds the following positions:

  • Chief Executive Officers, Directors, Corporate Administrators or any other managerial position that is legally or statutorily compulsory.

  • Heads of IT or IT Administrators.

  • Head of HR.

  • Head of Marketing.

  • Head of Sales.

  • Head of Legal.

  • Executives of any corporate unit processing large volumes of personal data.

  • Executives of any corporate unit processing sensitive personal data.


IT Data Security best practices

GDPR Article 28 requires ‘appropriate technical and organisational measures to ensure a level of security appropriate to the risk’. The ICO has not yet written or approved any standards against which an organisation can be assessed, so it is up to organisations to identify suitable frameworks themselves.

Cyber Essentials is a cyber security standard that uses independent assessment to identify the IT security controls that an organisation needs to have in place to have confidence that they are addressing cyber security effectively and mitigating the risk from internet-borne threats.

A very high-level overview of the five areas that are tested is as follows:

PATCH MANAGEMENT
- Ensure that all software (operating system + applications) is kept patched and up to date, via automatic updates or at most within 14 days. Vulnerability scans should be performed regularly.

MALWARE PROTECTION
- Ensure you have a robust anti-malware solution installed on all PCs and servers and that it is kept up to date.

SECURE CONFIGURATION
- Encrypt all workstations (laptops + desktops) with full disk encryption. USB memory sticks should also be encrypted; consider purchasing hardware-lockable memory sticks. A strong password policy should be in place.

ACCESS CONTROL
- Disable admin-level rights on all user computers.

FIREWALL
- Ensure that the firewall configuration is secure and reviewed regularly.

You may decide that full certification is not required, but given that it’s mentioned as a recommended standard under GDPR, it’s safe to say that you should be adhering to its principles at the very least.


Further Information

If your organisation would like help getting your IT security up to scratch or further information about GDPR please get in touch.


GDPR readiness is achieved by companies, not a single product. Organisations are ultimately responsible for their own GDPR compliance.

This article is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR may apply to you and your organisation. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance. FireLight IT Solutions makes no warranty, express or implied, or assumes any legal liability or responsibility for the information contained herein, including the accuracy, completeness, or usefulness of any information.