Modern IT has created an electronic world that meets a wide variety of needs, from simply providing information to delivering far-reaching products and services, all of them available on the web. Each individual's communication and consumption leaves a footprint of personal information and transaction history that is commercially valuable.
Unfortunately this data can become exposed to unscrupulous groups online. Cyber criminals have become extremely adept at exploiting vulnerabilities, or at correlating patterns across datasets to infer details an individual never disclosed directly. There are also several cases where data has been used in ways customers did not expect or agree to when they handed it over; some of these can only be described as abuse of the original purpose for which, or the consent under which, the data was provided.
The General Data Protection Regulation (GDPR) covers the capture, control, and consent for the use of personally identifiable information (PII), which the Regulation itself calls "personal data". The focus of the legislation is to protect the data of individuals and, as a consequence, the individuals themselves.
The GDPR is the first comprehensive overhaul of data protection rules in over 20 years, replacing the 1995 Data Protection Directive. It is European legislation and affects every business holding data on individuals in the EU. Regardless of the UK's position within the Union after Brexit, its application is mandatory.
The Regulation's legal requirements oblige businesses in possession of European residents' personal data to be honest, open and transparent about their digital practices, more so than ever before, thereby protecting the rights of people.
GDPR addresses the unregulated practices or processes organisations can use to exploit personally identifiable information (PII). It strengthens available protection by requiring a clear affirmative 'opt in' action before personal data can be collected on the basis of consent. This removes the collection-by-default presumption that was leveraged when customers forgot to tick the box to 'opt out'. It makes the concept of consent very clear: consent must be freely given, specific, informed and unambiguous, and pre-ticked boxes and silence do not count. Consent is one of several lawful bases (alongside, for example, performance of a contract, a legal obligation, or legitimate interests), but whichever basis applies, the Regulation's purpose limitation principle means the data may then be used only for the purpose named at collection, or one compatible with it.
The Regulation applies from 25 May 2018 and its purpose is to:
- Safeguard - personal data across borders;
- Unify data protection rules and introduce common standards and process to management of individual data, which in itself is not bound by national borders;
It should not be forgotten that the ultimate purpose is to protect the individual whom the data is about.
GDPR applies to PII that resides anywhere within an organisation. It applies to any company, inside or outside the EU, that processes the personal data of individuals in the EU in connection with offering them goods or services (whether or not payment is required) or monitoring their behaviour.
The Regulation focuses on three main areas of application, which are:
- Transparency;
- Accountability, and
- Control.
Transparency requires processes and procedures which specify how privacy issues and data breaches will be managed to reach a suitable resolution. There is a mandatory framework, covering:
- Provision of clear rules on the use of personal data (i.e. marketing use, etc);
- Stronger consent rules requiring specific consent for each use of data;
- Stronger rights for customers: the Regulation empowers them to request a copy of the personal data held about them, together with information on how it is processed (the right of access). Customers can also request that their data be ported (moved) elsewhere;
- Mandatory disclosure of breaches: notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals, and notification to the affected individuals themselves where the breach is likely to result in a high risk to them;
As part of the accountability response, organisations must design and implement a new compliance journey which includes:
- Privacy by design and by default, by including privacy requirements in the system design every time rather than retrofitting them;
- Data protection impact assessments (DPIAs), which are risk assessments based on the mandated framework, required before processing that is likely to result in a high risk to individuals;
- Accurate record keeping of processing activities;
- Accountability for data use: the data must only be used for the original purpose for which it was collected, or a purpose compatible with it, and not repurposed on any occasion without a fresh lawful basis;
- Data portability and the right to erasure ('right to be forgotten'): the data subject, not the organisation, has rights over the data and can ask to be forgotten. The data subject can also ask for their data to be moved to a different provider in a structured, commonly used, machine-readable format;
- Enhanced rights of inspection and audit for the supervisory authority. Authorities like the ICO can use these powers to inspect and audit data management/governance practices;
- Appointment of a Data Protection Officer (DPO) by public authorities and by organisations whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data (such as health data) or of criminal conviction data. The DPO oversees the organisation's data protection practices and is the point of contact for supervisory bodies like the ICO;
- Accountability also includes a new punishment regime, under which we have:
- Stronger enforcement powers for the regulator;
- Financial penalties of up to 4% of global annual turnover or 20m euros, whichever is higher;
- Suspension of the right or ability to process data.
Control is mainly exercised through a data controller. The data controller is the natural or legal person (or public authority or other body) who, acting alone or jointly with others, determines the purposes for which personal data will be used and how it will be processed. A data processor is a natural or legal person, separate from the controller, who processes personal data (for example organises, adapts, retrieves, discloses or shares it) on behalf of the data controller and under its instructions.
Cysquad Solutions can partner with client organisations to deliver solutions for compliance with the GDPR. We can run GDPR projects to enable compliance by the May 2018 deadline.
Controllers must maintain records of processing activities which include:
- the name and contact details of the controller and, where applicable, the DPO;
- the purposes of the processing;
- the categories of data subjects (e.g. customers) and the categories of personal data;
- the categories of recipients of the data, including recipients in third countries, and the safeguards in place for transfers outside the EU;
- the envisaged time limits for erasure of the different categories of data;
- a general description of the technical and organisational security measures in place.
There are some exceptions where the right to erasure (the 'right to be forgotten') can be refused by the controller, mostly to do with freedom of expression, legal claims, and research in the public interest, but GDPR generally mandates that data controllers must comply with the right to erasure and take reasonable steps to inform any third parties to whom the data has been disclosed of the erasure request.
It is important to note that a "personal data breach" according to the GDPR also includes "accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed", so it is not limited to data stolen by an attacker: a lost laptop, a mis-addressed email, or a ransomware incident that renders data unavailable each qualifies. Preventing unauthorised use or access, and being able to detect and report it within the notification window, must therefore be considered a key element of GDPR compliance. The deadline for being compliant with GDPR is rapidly approaching, and the transition period between the earlier Directive and the new Regulation is under way now. Once the Regulation applies on 25 May 2018, organisations will be expected to comply immediately from that date; there is no further grace period.