[General Data Protection Regulation ②] Checklist for the Organizations to Comply with the GDPR

With May 25, 2018, the date from which the GDPR applies, approaching, organizations around the world are working out what to do and where to begin. More comprehensive, and in places more ambiguous, than its predecessor, the 1995 European Data Protection Directive, the GDPR promises to be difficult to comply with. It not only places more obligations on organizations but also gives more rights to individuals in the EU. If your organization falls within the GDPR’s territorial scope, it is responsible for meeting organizational, operational, and technological requirements to ensure that the personal data of EU data subjects is protected.

Some organizations have a long way to go to meet the GDPR requirements, whereas others are closer. For any organization, however, meeting them will be hard work. To help you prepare, we have drawn up a checklist to follow so that you can identify what you need to do and where to begin.

Assess the Current Situation. The GDPR and its potential impact on data security and day-to-day operations must be acknowledged across the whole organization, starting with the key decision makers. The first step is to identify the gaps that could lead to non-compliance under the GDPR and plan how to close them. The next step is to understand what the organization is, and will be, handling, by asking the question “which of our data counts as personal data?” According to Article 4 of the GDPR, “‘personal data’ means any information relating to an identified or identifiable natural person… directly or indirectly.” That ranges from obvious identifiers such as a name or an identification number to location data, online identifiers, and factors specific to a person’s physical, physiological, genetic, mental, economic, cultural, or social identity. What about collecting new personal data? Article 13 requires organizations to tell data subjects how and why their personal data is collected and used, and Article 12 requires that this information be transparent, concise, and in clear and plain language, so organizations must review their current privacy notices and consent requests and revise them where they fall short.

Know the Rights of the Data Subjects. The GDPR gives individuals in the EU more rights; organizations must therefore check that their procedures cover all of them. With these rights in mind, organizations can revise existing procedures and go further by testing whether they are actually able to respond when data subjects exercise the rights set out in Articles 13 to 22:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making including profiling

Data Protection by Design and by Default. Article 25 places a general obligation on organizations to implement technical and organizational measures that build data protection into everyday processing activities, and to be able to demonstrate that they have done so. This is one of the key GDPR principles: the legislators recognized that privacy cannot be guaranteed by law alone, and that it must become part of the design and maintenance of each organization’s information systems and processing. In simpler terms, the requirement directs organizations to meet the GDPR and protect the rights of data subjects through technical and organizational measures. The obligation is the same for everyone, but there is no single right answer; each organization must approach it in its own way, drawing on established data security principles and technologies. Where processing is likely to result in a high risk to individuals, Article 35 makes a Data Protection Impact Assessment (DPIA) mandatory. For example, an organization deploying new technology, such as artificial intelligence or profiling systems, or processing sensitive personal data on a large scale, such as patient and medical data in health institutions, must conduct a DPIA.

Notify Data Breaches. Under Articles 33 and 34, organizations must have procedures in place to detect and investigate personal data breaches and to report them, both to the supervisory authority and, where required, to the affected data subjects. Not every breach has to be reported. Notification to the supervisory authority may be skipped only when the breach is unlikely to result in a risk to the rights and freedoms of individuals, and the affected individuals themselves must be informed only when the breach is likely to result in a high risk to them, such as discrimination, damage to reputation, financial loss, loss of confidentiality, or other serious economic or social disadvantage. Article 34 waives the communication to the affected data subjects (but not the notification to the supervisory authority) if any one of the following applies:

  • the organization had implemented appropriate technical and organizational protection measures, such as encryption, that render the personal data unintelligible to anyone not authorized to access it;
  • the organization has since taken measures which ensure that the high risk to the rights and freedoms of the affected data subjects is no longer likely to materialize; or
  • notifying each affected data subject individually would “involve a disproportionate effort,” in which case a public communication, or a similar measure that informs them equally effectively, must be made instead.

Appoint a Data Protection Officer. As a core part of the GDPR’s organizational requirements, organizations must appoint a data protection officer (DPO) in certain cases. Articles 37 and 38 set out the legal details on the designation and position of the DPO. If your organization falls within the GDPR’s scope and meets any one of the three conditions below, you must appoint one or more DPOs.

  • Your organization is a public authority or body (other than a court acting in its judicial capacity)
  • Your organization’s core activities require regular and systematic monitoring of individuals on a large scale
  • Your organization’s core activities consist of large-scale processing of special categories of data (such as health data) or of data relating to criminal convictions and offences

Article 39 sets out the minimum tasks of the DPO:

  • inform and advise the organization and its employees about their obligations under the GDPR;
  • monitor compliance with the GDPR, including the assignment of responsibilities, awareness-raising, and training of the staff involved in processing; and
  • cooperate with the supervisory authority and act as the point of contact both for it and for the individuals whose data is processed.

But who should be appointed as the DPO? Not everyone can perform the role. While the GDPR does not prescribe a specific qualification or certification, Article 37 requires that the DPO be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices.

With organizational, operational, and technological requirements, this checklist may seem overwhelming. There is no doubt that getting started is the hardest, yet the most important, step. So how do you really get started on GDPR compliance? Among the requirements, we believe organizations can begin with the technological measures. Head to our next blog post to find out what the key technological requirements for GDPR compliance are.

Blog Posts in this Series:
① The GDPR Summary: The 5 Key Points
→ Checklist for the Organizations to Comply with the GDPR
③ Data Protection by Design and by Default: Technological Measures
④ How to Comply with GDPR

[General Data Protection Regulation ①] The GDPR Summary: The 5 Key Points

After four years of discussion and preparation by the European Parliament, the Council of the European Union, and the European Commission, the General Data Protection Regulation (GDPR) was adopted in April 2016 and applies from May 25, 2018, bringing more comprehensive and uniform enforcement of personal data protection law for everyone in the EU. Protecting personal data lawfully has been a major talking point in recent years, and the EU is taking a bold step to set the bar for the rest of the world to follow.

Leading up to the GDPR

Let’s roll back the years to 1995, when the European Data Protection Directive was adopted to regulate the processing of personal data in the EU. Back then, personal data was simply one component of large private databases, and was protected solely under the notion of a ‘right to confidentiality.’ Fast forward to now: personal data plays a key role in the sustained growth and success of global enterprises, as collecting, processing, and exchanging personal data has become a cornerstone of business activity. This transition has been rapid and visible, driven by technological and business innovations such as social media, complex data analytics, and large-scale data storage in pursuit of better customer relationships. To keep pace, global enterprises have required, and have been obtaining, a much wider range of personal data from more people around the globe. Consequently, personal data protection law had to be reformed to acknowledge a ‘right to protection,’ rather than merely a ‘right to confidentiality.’

Understanding the GDPR

Come May 25, 2018, all organizations, even those outside the EU, that are processing or plan to process the personal data of individuals in the EU must be prepared to comply with the GDPR. This is not an easy task; therefore, we have summarized the GDPR into five key points.

One Law for 28 EU Members. Superseding the former European Data Protection Directive, the GDPR is a single regulation that applies directly in all 28 member states of the EU. Under this one set of rules, each EU member state designates one or more independent Supervisory Authorities (SAs) that receive and investigate complaints and data breach notifications, issue warnings or fines, and cooperate with other SAs where required. This change is welcome for organizations, which now have to comply with one set of rules even when their activities span multiple EU member states.

More Power to the Data Subjects. The GDPR promises increased power for data subjects, the natural persons whose personal data is processed by an organization. First and foremost, where processing relies on consent, the request for it must be presented in clear and plain language, in an intelligible and easily accessible form, signifying the end of long, illegible terms and conditions full of legalese. Furthermore, data subjects can lawfully request access to, rectification, erasure, and restriction of processing of their personal data, as well as its portability, and can object to its processing. Organizations must act on such requests without undue delay, within one month as a rule, and be able to demonstrate that they have done so. The GDPR also gives data subjects the explicit right to lodge a complaint with an SA if they consider that the processing of their personal data infringes the GDPR.

Strengthened Authority and Heavier Sanctions. The GDPR grants stronger powers and provides heavier sanctions for non-compliance. For a first or unintentional infringement, SAs may issue warnings or reprimands or order data protection audits. Severe infringements are punishable by a fine of up to 20 million Euros or 4% of the annual worldwide turnover of the preceding financial year, whichever is higher. The stricter sanctions put real pressure on enterprises and organizations to invest substantial capital and resources in keeping personal data protected, so that the rights and freedoms of data subjects are not harmed by non-compliance.

Data Protection by Design and by Default. It is the organization’s legal responsibility to establish appropriate organizational and technological measures to meet the requirements of the GDPR and protect the rights of data subjects. Organizational measures include appointing appropriate personnel who can dedicate their expertise and take responsibility for GDPR compliance, while technological measures concern building the necessary security into the processing of personal data so that the rights of data subjects are protected. This responsibility ties in with the GDPR’s obligation to appoint a Data Protection Officer (DPO) where required and to establish organization-wide data security.

Data Breach Notification. Unfortunately, data breaches can always occur. When one does, the organization must take it seriously and notify the SA without undue delay and, where feasible, within 72 hours of becoming aware of it, describing the nature of the breach (including the approximate number of affected individuals), its likely consequences, and the measures taken to address it. Where the breach is likely to result in a high risk to the affected individuals, they must be informed without undue delay as well. Failure or refusal to notify a breach to the SA is itself an infringement that can result in sanctions.

Given its comprehensive scope and strengthened enforcement, complying with the GDPR will be neither easy nor avoidable for organizations that wish to operate in the EU. True to our commitment to data security, we felt obliged to study the GDPR seriously and to share its implications for data security. May 25, 2018 is approaching rapidly, and we hope that your journey to GDPR compliance gets off to a good start with Secudrive.

Blog Posts in this Series:
→ The GDPR Summary: The 5 Key Points
② Checklist for the Organizations to Comply with the GDPR
③ Data Protection by Design and by Default: Technological Measures
④ How to Comply with GDPR