November 2, 2016

Fortifying Security - EU’s General Data Protection Regulation

Co-author: Abhishek Ramavat

What it means for you and your customers

The European Union (EU) has long been at the forefront of protecting the data of the citizens of its member states, and the right to privacy is a highly evolved field of law in Europe.

Further consolidating the EU’s data-protection firepower is the recently issued General Data Protection Regulation (GDPR). The EU’s data protection regulators released the regulation building on Data Protection Directive 95/46/EC.

The EU has introduced several changes relative to the directive so as to curb cross-border data flows and safeguard the personal data of its citizens, while retaining most of the controls the directive has established over the last 20 years.

This regulation applies to all organizations that handle the information of EU data subjects (DS), whether as data controllers (DC) or as data processors (DP). The new regulation becomes effective in May 2018.

The fine print - the changes introduced

The following changes have been introduced as part of the GDPR:

  • Consent, privacy notices, and policies have to be presented to data subjects in a clear, transparent, and readable format
  • Adoption of ‘privacy by design’ and an accountability framework
  • Privacy Impact Assessment (PIA) and risk assessment are mandatory
  • Notification to the supervisory authority within 72 hours of a data breach
  • The right to be forgotten, derived from the right to erasure
  • New obligations for both collectors and processors in the form of increased liabilities and penalties of up to €20 million or 4% of global turnover, whichever is higher
  • Appointment of a Data Protection Officer (DPO) is mandatory
  • Biometric and genetic data are also considered sensitive data
  • Formation of the European Data Protection Board (EDPB) for governance of the GDPR
  • Rules on children’s consent, the right to data portability, and the right to object to automated decision-making also become more stringent

Challenge & Change - Impact of the GDPR on organizations

The GDPR is mandatory for organizations dealing with personal data in the EU: it defines a set of stringent policies, backed by high penalties, that ensure the privacy of users’ personal data. To prepare for the GDPR, existing data flow maps, personal data repositories, and access rules must be reviewed and compared against the additional requirements.

Both processors and controllers require thorough examination, and member state law applies to their processing. Organizations must appoint data protection officers (DPOs), who may be members of the internal staff or hired contractors. To stay consistent with the GDPR, data protection policies must be reviewed in a timely manner. Further, use of an approved code of conduct, periodic training for employees, and certifications are essential.

Towards a secure future - HCL’s approach

The advent of digitization and analytics has pushed data to the forefront of creating new business opportunities. Data collected may be used in positive ways, though there is a possibility of it being misused.

The EU has emphasized data privacy through the GDPR to protect the personal data of the citizens of its member states. Organizations dealing with EU data must obtain permission from citizens before processing their information. The EU has given its citizens extended control by introducing various rights: the right to data portability, the right to rectification, the right to be forgotten, and rights relating to profiling.

Since the GDPR insists on transparent policies, consent forms must be created in a presentable, readable, and simple format so that people do not skip reading them.

The GDPR mandates that organizations introduce privacy by design and continuously assess their privacy program. Organizations must also embed privacy within their business processes and underlying technologies.

The regulation encourages strong encryption and tokenization of sensitive data to protect the identity of citizens. The EU also restricts the flow of personal data by introducing strict rules on cross-border data transfers, while enabling safety-enhancing business opportunities for companies operating within the EU.

Noncompliance with the GDPR may lead to huge penalties for organizations that ‘misuse’ the personal data of EU citizens. In case of a data breach, the organization concerned must inform the responsible authorities and the affected people following defined procedures.

Additionally, organizations dealing with sensitive personal data must have a Data Privacy Framework in place that is in sync with organizational policies and complies with the approved code of conduct and certifications. Organizations must also appoint a DPO, who will be responsible for monitoring compliance with the GDPR and other data protection laws and for internal activities such as periodic audits and policy reviews.

The GDPR is set to strengthen the security of personal data and promises to change the way data is collected, processed, and ultimately disposed of. Organizations must take a comprehensive approach that conforms to the mandate and supports a secure and robust data protection framework.

Summary

The GDPR introduces sweeping changes to how private data is handled for citizens in the European Union. The regulation, which is mandatory for organizations that handle private data, has provisions for penalties for errant companies.

The GDPR mandates that organizations establish a framework with robust systems in place to demonstrate compliance with its requirements. Organizations need to establish a culture of monitoring, reviewing, and assessing their data processing procedures.

A privacy impact assessment must be included in the overall framework; it reviews the risks associated with the processing of personal data and the controls in place to address GDPR requirements.

The GDPR requires controllers and processors to implement appropriate technical and organizational measures, which may include:

  • Pseudonymization and encryption of personal data
  • A framework to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and processes
  • Processes to restore the availability of and access to data
  • Regular review and assessment of the effectiveness of technical and organizational measures
  • Various types of cyber security practices, including encryption, “hot” backup servers, defense against DDoS, disaster recovery, security governance, and assessment and testing, including penetration tests
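Pseudonymization, the first measure in the list above, is easy to state and easy to get wrong. The following Python example is added here to illustrate it; it is not HCL’s code and does not come from the original article. It replaces a direct identifier (here the hypothetical `email` field of constructed sample records) with a keyed token (HMAC-SHA256) and keeps the secret key and the token-to-identity table in a separate store, so that the pseudonymized data set cannot be attributed to a person without that separately held information. Equal identifiers still produce equal tokens, so records can be linked and aggregated in pseudonymized form, and deleting the mapping is one way to honor an erasure request without rewriting the data set. The `PseudonymVault` class and the field names are assumptions made for the example.

```python
"""Pseudonymization with a separately held secret (added example, not HCL's code).

A record's direct identifier is replaced by an HMAC-SHA256 token. The key and
the re-identification table live in a vault object that stands in for a
separate, more tightly controlled system. Holders of only the pseudonymized
records cannot attribute them to a person.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class PseudonymVault:
    """Secret key plus token -> identifier table; kept apart from the data set."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)

    def tokenize(self, identifier: str) -> str:
        # Keyed hash: same identifier -> same token, but only under this key,
        # so an attacker cannot precompute tokens for guessed identifiers.
        token = hmac.new(self.key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self.lookup[token] = identifier
        return token

    def reidentify(self, token: str):
        """Resolve a token back to the person; possible only with this vault."""
        return self.lookup.get(token)

    def erase(self, identifier: str) -> int:
        """Right to erasure: drop every mapping for this person.
        Returns the number of mappings removed."""
        stale = [t for t, ident in self.lookup.items() if ident == identifier]
        for t in stale:
            del self.lookup[t]
        return len(stale)


# Hypothetical field names treated as direct identifiers in this example.
DIRECT_IDENTIFIERS = ("email",)


def pseudonymize(record: dict, vault: PseudonymVault) -> dict:
    """Return a copy of the record with direct identifiers replaced by tokens."""
    out = dict(record)
    for name in DIRECT_IDENTIFIERS:
        if name in out:
            out[name] = vault.tokenize(out[name])
    return out


def purchases_by_token(records: list) -> dict:
    """Analytics on pseudonymized data: totals per token, no identity needed."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec["email"]] += rec["purchases"]
    return dict(totals)


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "country": "DE", "purchases": 3},
    {"email": "bob@example.org", "country": "FR", "purchases": 1},
    {"email": "alice@example.org", "country": "DE", "purchases": 2},
]


if __name__ == "__main__":
    vault = PseudonymVault()
    data = [pseudonymize(r, vault) for r in SAMPLE_RECORDS]
    print("pseudonymized:", data)
    print("per-token totals:", purchases_by_token(data))
    print("re-identified:", vault.reidentify(data[0]["email"]))
    vault.erase("alice@example.org")
    print("after erasure:", vault.reidentify(data[0]["email"]))
```

Two design points matter for GDPR purposes: the key must never be stored alongside the pseudonymized data (otherwise the data set is trivially re-identifiable and gains nothing from the measure), and an unkeyed hash of an email address is not adequate pseudonymization, because anyone can hash candidate addresses and compare. Full encryption of the remaining fields is a separate measure that this example does not cover.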