Rights, Security, Notifications and Transfers
General Data Protection Regulation (GDPR) has become a hot topic, discussed by lawyers, IT and security professionals, marketers and HR leaders across the globe. A great deal of activity and indeed anxiety is occurring as enterprises prepare themselves to become ready before May 25, 2018.
With critical data everywhere within organisations today, and all too often in parallel with personal data on employee devices, it’s challenging for businesses to see how and where data is used. A data breach, be it a malicious or unintentional act, ultimately inflicts the most damage at the points in which people interact with critical business data and intellectual property. These ‘human points’ of interaction have the potential to undermine even the most comprehensively-designed systems, and could derail an organization’s preparation for GDPR readiness.
It is important that activity around the regulation is focused on meeting the fundamental principles and requirements of the GDPR, rather than seeing adherence to the regulation as a check-box exercise.
There has been an urgent need to update the existing Data Protection Directive (DPD), which was passed in 1995. The first meeting, assessment and proposal to update the Directive was made in January 2012, and the reasons were clear: it was woefully outdated and no longer fit for purpose due to rapid technological development by both private companies and public authorities pursuing efficient and valuable data processing activities. Understanding the 2012 assessment, proposal and its findings remains important to the success of the GDPR.
Aside from the requirement to update from a technological point of view, because the DPD was open to interpretation by each EU member state, each could apply its own variation of the law. My experiences as an information security professional operating both inside and outside of the DACH region reflected this: in the late 90s, the Acts that followed the DPD were at first universal, but in the 00s the Acts were amended, meaning organizations needed to regularly review systems and processes, giving rise to high levels of uncertainty and concern on rights, security, notifications and transfer agreements.
The European Commission sought to address the failings of the DPD with their “Better Regulation” policy, and following an impact assessment it became clear that an update would be required. This update eventually became the GDPR.
GDPR at its core has a large problem to solve. Remember, private and public organizations want to process personal data and many of them want to do this lawfully. International businesses who are processing or indeed storing European data subjects’ data are impacted, so the implications are truly global.
The following four areas were concerns identified in the 2012 assessment that are addressed by the GDPR:
- Right to Erasure and other Data Subject Rights (Articles 15-21)
- Security of Processing (Article 32)
- Accountability – Security Breach Notification (Articles 33 & 34)
- Data Transfers (Articles 44-50)
It is critical that both information security and privacy professionals are aware of these changes and new articles, not simply from a regulatory perspective but also from a practical perspective. Putting aside for the moment the discussions, hype and media concern around potential fines and sanctions, Forcepoint has co-produced a practical whitepaper to focus on the four imminent areas of change.
We have engaged with Hunton & Williams and Rosemary Jay, Senior Attorney at Hunton & Williams and former Head of the Legal Office at the Information Commissioner to produce a whitepaper exclusively on these four areas and to include key action items to help organizations become prepared before the enforcement day.
Action items include:
- Undertake review of organization’s risk dynamic for all forms of processing
- Establish/update detailed information security policies and procedures covering both organizational and technical measures
- Develop templates for notifications to Supervisory Authorities (SAs) and data subjects
- Create a system for logging detailed records of data breaches
- Perform a complete analysis of all data flows from the EEA and establish in which non-EEA countries processing will be undertaken
- Review cloud service agreements for location of data storage and any data transfer mechanism, as relevant
Forcepoint can guide organizations towards GDPR preparedness with products that can help companies identify, protect, detect, respond and recover in case of a data breach. We have three core areas of expertise where we can help:
- Provide organizations with deep visibility into how critical data is processed across their infrastructure, whether on-premises, in the cloud or in use by a remote workforce.
- Enable organizations to monitor, manage and control data (at rest, in use and in motion).
- Utilize behavioral analytics and machine learning to discover broken business processes and identify employees that elevate risk to critical data.
Download the whitepaper here.