4 Areas GDPR changes for Infosec Professionals

Posted on Monday, October 16, 2017
By Neil Thacker
Deputy CISO, Forcepoint



Rights, Security, Notifications and Transfers

The General Data Protection Regulation (GDPR) has become a widely discussed topic among lawyers, IT and security professionals, marketers and HR leaders across the globe, as organisations prepare to be ready before it applies on 25th May 2018.

With critical data everywhere within organisations today, and all too often sitting alongside personal data on employee devices, it is challenging for businesses to see how and where data is used. A data breach, whether a malicious or an unintentional act, ultimately inflicts the most damage at the points where people interact with critical business data and intellectual property. These 'human points' of interaction have the potential to undermine even the most comprehensively designed systems, and could derail an organisation's preparation for GDPR readiness.

It's important that activity around the regulation is focused on meeting the fundamental principles and requirements of the GDPR, rather than seeing adherence to the regulation as a check-box exercise.

The Data Protection Directive (DPD), passed in 1995, was woefully outdated and no longer fit for purpose: rapid technological development had allowed both private companies and public authorities to pursue far more efficient and valuable data processing activities than the directive anticipated.

The DPD was also open to interpretation by each EU member state. My experiences as an information security professional operating both inside and outside of the DACH region reflected this: in the late 90s, the Acts that followed the DPD were at first universal, but in the 00s the Acts were amended, meaning organisations needed to regularly review systems and processes, giving rise to high levels of uncertainty and concern on rights, security, notifications and transfer agreements.

The European Commission sought to address the failings of the DPD with their "Better Regulation" policy, and following an impact assessment it became clear that an update would be required. This update eventually became the GDPR.

GDPR has a large problem to solve at its core. Private and public organisations want to process personal data, and many of them want to do so lawfully. International businesses that process or store European data subjects' data are also within scope, so the implications are truly global.

The following four areas were concerns that the DPD did not address and that are now addressed by the GDPR:

Right to Erasure and other Data Subject Rights (Articles 15-21)

Security of Processing (Article 32)

Accountability – Security Breach Notification (Articles 33 & 34)

Data Transfers (Articles 44-50)

It's critical that both information security and privacy professionals are aware of these changes and new articles, not simply from a regulatory perspective but also from a practical perspective. Putting aside for the moment the discussions, hype and media concern around potential fines and sanctions, Forcepoint has co-produced a practical whitepaper to focus on the four imminent areas of change.

We have engaged with Hunton & Williams and Rosemary Jay, Senior Attorney at Hunton & Williams and former Head of the Legal Office at the Information Commissioner, to produce a whitepaper exclusively on these four areas and to include key action items to help organisations become prepared before the enforcement day.

Action items include:

• Undertake a review of your organisation's risk dynamic for all forms of processing

• Establish/update detailed information security policies and procedures covering both organisational and technical measures

• Develop templates for notifications to Supervisory Authorities (SAs; the ICO in the UK) and to data subjects

• Create a system for logging detailed records of data breaches

• Perform a complete analysis of all data flows from the EEA and establish in which non-EEA countries processing will be undertaken

• Review cloud service agreements for location of data storage and any data transfer mechanism, as relevant

Forcepoint and Softcat can guide organisations towards GDPR preparedness with products and services that help them identify, protect, detect, respond and recover in the event of a data breach.

Get security around your data

To find out more about Forcepoint's products and Softcat's GDPR services, speak to your Softcat account manager or get in touch using the button below.

Download the whitepaper here.
