Countdown To GDPR
After years of preparation, the enforcement date for the European Union's General Data Protection Regulation (GDPR) is almost here. On May 25, 2018, organizations will have to comply with the new rules, or they could face severe penalties.
GDPR applies to all entities located in the European Union as well as those outside the EU that handle the data of EU citizens, so the impacts of the changes are wide-reaching. The EU GDPR aims to create uniformity in Europe’s data privacy regulations, protect the privacy of EU citizens regarding their data and guard against data breaches. It will replace the Data Protection Directive 95/46/EC of 1995. While the directive had similar goals, a lot has changed since 1995, especially concerning data privacy issues.
GDPR keeps many of the same tenets as the directive but also includes a range of updates, which means that businesses will have to revise their approaches to data privacy accordingly.
As an accredited certification body, NQA has been watching the development of GDPR closely. Our auditing services can play a central role in enabling your organization to achieve compliance with the new rules, as well as in helping you to improve your organization's overall operations.
Here’s what you need to know to prepare for the new regulations as we count down to the compliance date for the European Union General Data Protection Regulation.
Key Events In GDPR Timeline
In January of 2012, the European Commission first proposed updating the data privacy regulation from 1995. In March 2014, the European Parliament approved its version of the new data privacy regulation. In June of 2015, the Council of the European Union approved its version.
The regulations then moved on to the trilogue step of the legislative process, which served to reconcile the two versions. This process includes the parliament, the council and the commission, which serves as the mediator. It lasted from June to December 2015 and included 10 meetings.
On December 15, 2015, the Parliament and Council came to an agreement, which became final at the official signing in January 2016. On April 8, the Council of the European Union adopted GDPR. On April 16, the European Parliament did the same. It entered into force in May 2016, 20 days after publication in the EU Official Journal.
A two-year grace period followed publication so that organizations could revise their policies and operations to comply with the new rules. On May 25, 2018, that two-year period will come to an end, and GDPR will be fully enforceable.
How To Prepare For GDPR
It's essential that all organizations that handle the data of EU citizens take steps to comply with GDPR before it becomes fully enforceable. Not doing so could result in severe financial penalties. A crucial initial step is ensuring that everyone within your company who deals with data knows about GDPR. They should be informed about when it becomes fully enforceable and other important dates as well as what requirements GDPR includes.
Assess And Audit
To prepare for GDPR and ensure that your organization complies, you'll need to take stock of your existing processes regarding data. Conducting internal audits as well as bringing in outside auditors to review your procedures can help you get a clear picture of where you are and where you need to be. You might also need to work with a cybersecurity expert if you need to improve your understanding of these technological issues.
Identify And Locate Personal Data
Make sure you can identify all the personal data you have. Document where it is located, who it belongs to, with whom you share it and other relevant information. GDPR requires you to record all data processing activities, so make documentation a priority. If you don't have sufficient knowledge about all of your data, conduct an audit to find that information. Personal data can come from customers, employees, volunteers and many other groups.
Review Your Processes
You’ll also have to make sure you have a clear picture of all your policies and processes for how you handle personal data so that you can determine if they comply with GDPR. Under the new rules, you can only process personal data if certain conditions are met and for specific purposes such as fulfilling a contract, among other things.
You will need to review the processes you use for managing data, how you get consent to process data, the privacy notices you use and your cybersecurity procedures and protections. Again, document all of this work.
Next, you will need to set up new procedures that comply with GDPR. This process could take a substantial amount of time and effort, depending on the state of your existing data management policies. These tasks may include but are not limited to the following.
Updating Privacy Notices and Consent Management
You may need to adjust your privacy notices to comply with GDPR. You likely already use such notices, but if they do not contain all of the information the new rules require, you'll need to update them. GDPR requires that they inform the user about how long you will keep their data, the reason you are processing it and more.
GDPR also changes how organizations obtain consent to process data. It lays out more stringent requirements and emphasizes that requests for consent must be clear and easy to understand.
Establishing Newly Required Processes
Data subjects, the people whose data you process, have certain rights under GDPR and can make particular data-related requests with which organizations must comply. You might already have some of these processes in place. If you do, you should make sure that they meet all GDPR requirements. If not, you'll have to set up procedures for handling them.
The new rules give data subjects various rights of access and specify the information you must provide to people when you process their data.
Data subjects can also make various requests of data controllers under the new regulations.
Upon request from the data subject, the controller must also provide confirmation of whether their data has been processed. The subject can also request that you correct any inaccurate personal data, erase their data and give them a copy of their data. This last right, known as data portability, also allows them to transfer that data to another controller.
Creating A Plan For Data Breaches
GDPR includes various conditions to protect against data breaches and also lays out reporting requirements that apply when a data breach occurs. You should have a system in place to determine whether data was compromised, which should include identifying vulnerabilities, monitoring access and detecting threats.
You also need to put a plan in place for informing the regulatory body as well as any affected EU citizens if a breach occurs. The notification must be sent within 72 hours of the event and must include information such as the likely consequences of the incident and the measures taken to address it.
Setting Up Documented Information
GDPR requires all data-processing entities to track and record all of their data processing activities. Documentation is also crucial for demonstrating compliance. To record data processing activities, organizations often use a Security Information and Event Management (SIEM) tool, which organizes the logs from all systems into a central location, making monitoring easier.
You will also have to document your audits and other aspects of your compliance program, which will help you to prepare for assessments of your compliance.
Another critical step in preparing for GDPR is assigning responsibilities for data management and other GDPR-related tasks to ensure that they consistently get the necessary amount of attention. For organizations whose core business involves data processing or that handle sensitive information, assigning these responsibilities will be a formal process. GDPR directs them to appoint an official data protection officer, or DPO, who has expertise in data privacy and security.
Monitor And Improve
Once you have your data protection processes in place, it's time to implement them. GDPR compliance, however, won't be something you can just "set and forget." You'll have to monitor your data systems and perform regular audits to ensure everything is working correctly and identify areas for improvement. You’ll have to:
Respond to requests from data subjects related to things such as data erasure and the right to access
Control and monitor who has access to data and how it is processed
Watch for cybersecurity vulnerabilities and threats
React to any data breaches or other security issues
Document all data processing and compliance activities
Key Concepts Of The Regulation
So what, exactly, does the law include? Let's start a GDPR overview by defining some of the key terms used within it.
Personal data: GDPR defines personal data as "any information that relates to an identified or identifiable living individual." If separate pieces of information could be used to identify someone when combined, that is also considered personal data. If data has been pseudonymized, encrypted or de-identified but could still be used to re-identify someone, it's still personal data. GDPR applies to all personal data, regardless of the technology used to process it and whether it was handled manually or automatically. If data is irreversibly anonymized so that it could no longer be used to identify a person, it's no longer considered personal data.
Data controller: A data controller is “the entity that determines the purposes, conditions and means of the processing of personal data."
Data processor: A data processor, on the other hand, is "an entity which processes personal data on behalf of the controller.”
Key Changes Within GDPR
GDPR has many of the same features of the 1995 data directive but does differ in several ways. The document contains 99 articles, so this is by no means an exhaustive list, but here are some of the most prominent changes GDPR includes:
Increased territorial scope: One of the most significant changes in GDPR is the fact that the rules apply to all companies that process the personal data of EU citizens, whether or not that company is located in the EU and regardless of where the processing takes place.
Penalties: GDPR uses a tiered approach to penalties. An organization that commits the most serious type of infringement could receive a maximum penalty of four percent of annual global turnover or €20 million, whichever is more.
Conditions for consent: GDPR strengthens the requirements for consent and says that companies must request permission using easy-to-understand terms. You must ask users to opt into data processing, rather than assuming consent or requiring users to opt out if they don’t want you to use their personal data.
Privacy by design: This rule requires organizations to make data protection a core component of their systems. It should be a consideration from the time you start designing a system rather than an afterthought. It also says that you should collect only the data that's necessary and limit access to these records as much as possible.
Right to access: GDPR aims to increase transparency by requiring controllers to provide data subjects with confirmation of data processing and information such as the identity of the controller and how to contact them, where data processing is taking place and the purpose of the processing.
Right to be forgotten: Subjects can request that controllers erase their personal data and stop distributing the data. They can potentially have third parties stop processing their data. Information is subject to erasure if the subject withdraws consent or if the data is no longer relevant to the original purposes.
Data portability: Subjects have the right to receive their data in a “commonly used and machine-readable format” upon request and to transfer that data to another controller.
Data protection officers: GDPR requires some organizations to appoint data protection officers who will handle all data protection issues. If a primary purpose of a company is processing data, or it processes sensitive information, it must appoint a qualified person to this position. This person can either be an employee or someone from a third party.
Data breach notification: In the event of a data breach, the controller must notify the supervisory authorities and the data subjects affected within 72 hours “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Data processors must also notify the controllers if they become aware of a data breach.
Other Key Concepts
Some other crucial concepts included in GDPR include:
Parental consent: Before an organization can process the personal data of children under the age of 16 for online services, it must obtain parental consent. Member states can designate a lower required age for consent, but this age cannot be below 13 years old.
Special categories of data: GDPR identifies several special categories of data, including data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” These types of data have more stringent requirements for consent.
Third countries: GDPR also lays out specific rules regarding transferring data to third countries or international organizations.
Connection To ISO 27001
If you've already achieved certification to ISO 27001:2013, you may have noticed some similarities between that standard and GDPR. ISO 27001 is a standard from the International Organization for Standardization that provides a framework for an Information Security Management System (ISMS).
It's designed to support the confidentiality, integrity and availability of your information and help you maintain legal compliance. It helps you to protect your data from cybercrime, misuse, fire, theft and other threats. Having a certified ISMS in place will give your customers more confidence in your company, improve your relationships with other stakeholders and help you to mitigate risk.
While you may still have to make a few adjustments, you'll have a much easier time adhering to GDPR if you're already ISO 27001 compliant. GDPR doesn't require you to be ISO 27001 certified. It is useful for getting ready for GDPR, though, since the two have so much in common. Article 42 of the EU's new rules even describes demonstrating compliance through "data protection certification processes."
Similarities Between GDPR And ISO 27001
Many of the processes you have in place for ISO 27001 will directly help you achieve compliance with GDPR and may even satisfy some of its requirements. If you're not already ISO 27001 certified, becoming certified can go a long way toward helping you prepare for GDPR.
GDPR identifies personal data as information that organizations must protect. When you bring personal data into the scope of your ISMS, implementing ISO 27001 gives you the means to protect it, and the way ISO 27001 is structured makes that straightforward.
Both ISO 27001 and GDPR either require or recommend the following:
Confidentiality, integrity and availability of data: GDPR requires you to keep personal information secure and make sure people can access their personal data if need be. An ISMS helps you to manage and monitor your data in a way that enables you to do that.
Data encryption when possible: ISO 27001 recommends encrypting data as a way to reduce risk.
Risk assessments: Both GDPR and ISO 27001 require companies to evaluate risks to data so that they can prevent them from occurring.
Breach notification: GDPR requires that companies report breaches to affected subjects. ISO 27001 helps you to set up communications processes that you can use in these instances. It also supports procedures that help you to identify breaches promptly, something that's crucial to GDPR compliance.
Access control: GDPR and ISO 27001 both recommend making data available only to those that need it and support enabling data subjects to maintain access to their personal data.
Differences Between GDPR And ISO 27001
ISO 27001 has a broader scope than GDPR in that it applies to all of a company's critical information, not only personal data, and the standard can be used to protect both.
GDPR also covers several areas that ISO 27001 doesn't, such as the right to be forgotten, data portability and the right to be informed about your personal data. ISO 27001 doesn't explicitly address these rights, but an ISMS can support you in meeting these requirements. Because ISO 27001 doesn't specifically include these rights, being certified to it doesn't necessarily ensure that you're also GDPR-compliant. It will certainly support you in your GDPR compliance goals and bring you closer to reaching them.
Because the two standards differ in what they cover, all ISO 27001-certified companies impacted by GDPR should conduct a gap analysis. This assessment, which NQA can perform, will provide you with information about where you are now and what you need to change to comply with GDPR. It identifies the gaps between your current systems and the ones you need to follow.
As an accredited certification body, NQA can conduct the audits and analyses you need to reach GDPR compliance. The information in our audits will help you conform to the relevant standards and improve your organization. We explain our findings in easily understandable language and emphasize technical knowledge, practical advice, continual improvement and legal compliance.
We can provide ISO 27001 training, gap analysis, audits and more. To learn more about the services we offer and how they can help you ensure legal compliance as well as aid you in growing your organization, contact us today.