Before I start on this blog piece, I have to make it clear that I'm not a lawyer and I have no legal training. The blog piece below does not constitute as law, but these are areas I have researched and may make some assumptions along the way, especially with the uncertainty in the UK and it's relationship with the EU.
Data Protection Directive
The EU Commision were looking at replacing the Data Protection Directive. So we are clear, an EU directive is a goal that the EU must achieve, but it's up to the individual countries to devise their own laws on how to reach the goal.
In January 2016, a draft form of the EU General Data Protection Regulation was released. The difference between a directive and a regulation, is that an EU regulation is a binding act, that is applied in its entirety across the EU.
Why GDPR important?
GDPR is there to strengthen and unify data protection for individuals in the EU. It addresses the export of personal data outside of the EU.
When will GDPR happen?
The regulation has now been released and enters into force on 25th May 2018
What is the impact of GDPR?
- A Data Protection Officer is needed if an organisation processes 5000+ EU data subjects; or employs more 250+ employees
- Mandatory disclosure of incidents within 72 hours to the national authority
- Maximum fines of up to €20 million or 4% of worldwide revenue
- “Right to be forgotten”: The data subject will have the right to retract consent, request data erasure or portability
- EU Referendum has no impact to organisations – If you hold personal data on an EU citizen, GDPR still applies
- Live May 2018 – Two budget cycles left
The Data Protection Officer
If the core activities of an organisation involves “systematic monitoring of data subjects on a larger scale”, or large scale processing of "special categories", such as racial/ethnic origin, political opinions, religious/philosophical beliefs, biometric data, heath/sex life or sexual orientation, then a Data Protection Officer is required.
The function is also there to advise on, and the monitoring of GDPR compliance, as well as representing the organisation when contacting supervising authorities.
Disclosure and Notification
The controllers are required to notify the appropriate supervisory authority of a personal data breach within 72 hours (at the latest) on learning about the exposure if it results in risk to the consumer. But even if the exposure is not serious, the company still has to keep the records internally.
According to the GDPR, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, the EU’s term for PII is considered a breach.
The GDRP notification is more than just reporting an incident, there is a need to include categories of data, records touched, and approximate number of data subjects affected. This will require detailed intelligence on what the hackers and insider were doing.
There is a term known as "Dwell time", which is the period of time that someone malicious is on your network and systems undiscovered. Most people are shocked to learn that this on average is 206 days (from Cost of a Data Breach Study: Global Analysis, Ponemon Institute, 2015)
The GDPR has a tiered fine structure, so a company can be fined up to 2% for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessments, while more serious infringements merit a 4% fine. This includes violation of basic principles related to data security and conditions for consumer consent.
The EU GDPR rules apply to both controllers and processors that are in “the cloud”. So cloud providers are not off the hook when it comes to GDPR enforcement.
"Right to be Forgotten"
Individuals can request the erasure of their personal data without undue delay by the data controller in certain situations.
Consent can be withdrawn and no other legal ground for processing applies. This topic has attracted a huge amount of interest, particularly following the CJEU decision in the Google vs. Spain case.
Alongside this obligation is one to take reasonable steps to inform third parties that the data subject has requested the erasure of any links to, or copies of, that data.
Outside of the EU
The law applies to your company, even if it markets goods or services in the EU zone. If you don’t have a formal presence in the EU zone but collect and store the personal data of EU citizens, GDPR still applies and the extra-territoriality requirement is especially relevant to ecommerce companies.
Is GDPR still required now that Brexit may happen?
If Article 50 is initiated in July 2016 & UK exits July 2018; GDPR will apply from May 2018. Also the UK were instrumental to writing and strengthening the GDPR. Receiving personal data from EU member states would need to demonstrate to the European Commission that the law provides an adequate level of protection through its domestic laws or international commitments.
Source: Absolute Strategy Research Ltd
As you can see from the chart above, with many of the options open to the UK, compliance with EU regulation is required in order to trade with Europe. In my opinion, GDPR will be relevant to the UK, and will need to be in place with UK organisations holding data of EU citizens.
I believe there are some steps that will need to be taken with all organisations that wish to comply with GDRP:
- Locate the critical data for GDPR
- Protect the data (and the applications that access it) through segmentation and/or encryption
- If encryption is used, ensure the encryption keys are secured
- Use strong Access Controls to servers holding the data, such as two factor authentication
- Use DLP/Insider Threat technology to prevent data exfiltration
- Monitor all exfiltration data channels, including web and email
- Collate logs from the network, so they can be analysed
- Secure domain and local administrator accounts
- Penetration test the environment
GDPR goes live in May 2018, which means there are two budget cycles left to get the education, processes, workflow and technology in place. One of those budget cycles are underway already, so if GDPR planning hasn't begun, start it now, so you'll be ready for next years budget.