General Data Protection Regulation (GDPR) – Time to review and act

Published on December 20, 2017 by Ramesh Tunga

Overview

The General Data Protection Regulation (GDPR) is a revised regulation that will apply to all European Union (EU) member states. The EU Data Protection Reform was adopted by the European Parliament and the European Council on April 27, 2016. The GDPR will be effective from May 25, 2018, replacing the Data Protection Directive. Although the UK will not be included due to Brexit, it plans to create equivalent legislation, thus not affecting GDPR rollout.

As mentioned above, the GDPR will supersede the Data Protection Directive implemented in the late 1990s and effect a major change in the industry. It provides increased privacy for individuals and grants extended powers to regulatory authorities to take action against data controllers and data processors who fail to comply. It also aims to completely change the way organizations manage client and customer data, increasingly enshrining in law the right to privacy (as the world becomes ever more interconnected due to technology advancements). The new regulation focuses on the following concepts:

1. Accountability: Weaving compliance into the fabric of an organization, i.e., the need to demonstrate compliance

2. Sanctions: Increasing maximum penalties for non-compliance (EUR 20million or up to 4% of total annual turnover globally)

3. Breaches: Providing a 72-hour window within which to report a breach once an organization is aware of it

4. Transparency: Imposing tighter limits on the use of personal data, e.g., clear statement of consent

5. Rights: Increasing personal rights against data use by organizations, .e.g., requiring parental/a guardian’s consent for gathering data on children

6. Extra-territorial reach: Pertaining to organizations based in the UK and to those that conduct business in the UK, even if based outside of it

The GDPR focuses on the six principles that organizations that process personal information need to adhere to:

1. Lawfulness, fairness and transparency

2. Purpose limitation

3. Data minimization

4. Accuracy

5. Retention

6. Integrity and confidentiality

The GDPR includes the following individual rights:

• The right to be informed: Includes the individual’s obligation to provide ‘fair processing information’, typically through a privacy notice.

• The right of access: The right to obtain confirmation that their data is being processed and to access their personal data and other supplementary information.

• The right to rectification: The right to have personal data rectified if it is inaccurate or incomplete.

• The right to erasure: The right to request the deletion or removal of personal data when there is no compelling reason for its continued processing.

• The right to restrict processing: This allows an organization to store personal data but not process it further.

• The right to data portability: The individual’s right to obtain and reuse their personal data for their own purposes across different services.

• The right to object: The right to object to processing based on legitimate interests or to object to processing for the purpose of performing certain tasks.

• The right not to be subject to automated decision-making, including profiling: Protection against the risk of a potentially damaging decision being taken without human intervention.

Key requirements

1. Data Protection Officer (DPO):

An organization can employ a DPO to help it comply with the accountability concept. The DPO’s responsibilities will include at least the following:

1. Informing and advising the controller or processor and employees engaged in processing data of their obligations under this regulation and under other union or member-state data protection provisions

2. Monitoring compliance with this regulation, other union or member-state data protection provisions, and policies of the controller or processor relating to personal data protection, including assigning responsibilities, raising awareness, training staff involved in processing operations, and conducting relevant audits

3. Providing advice, when requested, regarding data protection impact assessment and monitoring performance as per Article 35

4. Cooperating with the supervisory authority

5. Acting as the contact person for the supervisory authority on issues related to data processing, including performance, and as per Article 36, consulting the supervisory authority, where appropriate, on other related matters that would otherwise result in high risk in the absence of measures taken by the controller to mitigate risk

The DPO shall, in the performance of their duties, have due regard for the risk associated with data-processing operations, taking into account the nature, scope, context and purposes of processing.

2. Data Controllers/Processors:

The GDPR will apply directly to processors. This is a significant change, as processors currently have limited legal obligations relating to data protection. New obligations, together with the significant increase in sanctions under the GDPR, are likely to change the negotiating dynamic between data controllers and service providers (data processors). Data controllers would need to have written contracts with processors. This requirement greatly increases a processor’s obligations to include the following:

• Selecting sub-processors, with specific or general authorization of the data controller, and ensuring a contract with the sub-processor (containing minimum provisions) is in place

• Processing personal data only on instructions of the data controller

• Implementing appropriate security measures required for data protection

• Immediately notifying the data controller in the event of a personal data breach

• Appointing a DPO for certain cases

• Complying with all rules pertaining to the transfer of personal data outside of the European Economic Area (EEA)

Beyond these new contractual terms is the need for data controllers to carefully analyze and select data processors, to ensure compliance with all requirements of the GDPR.

3. Data Mapping:

Data mapping, sometimes referred to as recording processing activity, is the process of identifying, understanding and mapping an organization’s data flow. In general, it requires comprehensive information gathering from all business units and visualization of the information gathered. Understanding data flow is a prerequisite for any privacy compliance strategy. Without understanding what data an organization collects and processes, and where the data flows to and from, it is impossible to ensure that its data processing activities are compliant. Acuity Knowledge Partners has strong domain and technology expertise to implement data mapping.

Data mapping helps organizations to comply with the following:

• Maintaining detailed records of an organization's data processing activities and making these records available to data protection supervisory authorities, as requested

• Demonstrating that processing activities are performed in compliance with the GDPR

• Compliance with by-design and by-default requirements

The key objective of the data mapping process is for an organization to identify the following about client/customer data:

• What personal data they hold

• Where it is being held

• How it flows around the organization

• What controls relating to data movement and storage are in place

• Who owns the data

• Who can access the data

• Whom (if anyone) the information is shared with, both internally and externally

4. Data Privacy Impact Assessment

Data privacy impact assessment helps an organization to identify, assess and mitigate or minimize privacy risks related to data processing activities, for example, the launch of a new product or the adoption of a new practice, policy or system. Such an assessment is also relevant in decisions to outsource a service or function to a third party or to undertake internal reorganization, for example, the centralization of an HR function or IT systems in a multinational business. A data privacy impact assessment should set out the following:

• A description of the envisaged processing operations and the purpose of the processing

• An assessment of the necessity and proportionality of the processing

• An assessment of risks to the rights and freedoms of data subjects, and

• Measures to be taken to address these risks and demonstrate compliance with the GDPR

A data protection impact assessment should be carried out as early as possible for any new project, so that findings and recommendations could be incorporated into the design of the processing operation. Many of the top consulting firms provide such assessment services.

5. Transfer of Personal Information outside the EEA:

At present, all EU countries restrict the transfer of personal data to countries outside the EEA. While national restrictions may differ (for example, some states require prior notification or even authorization of such transfers, while others do not), transfer rules are largely the same across the EEA. An organization within the EEA may not transfer personal data outside of it. However, it may do so if the particular country outside the EEA ensures an adequate level of privacy protection or the particular organization outside the EEA has adequate safeguard measures in place for privacy and fundamental data protection.

How MA Knowledge Services can help

MA Knowledge Services has strong capability in terms of domain and technology expertise to help clients build strong systems to adhere to the new regulations. Our solid competencies in compliance, database management, data mapping, data visualization, data cataloguing, data encryption and secure data hosting will assist clients to be prepared for the policy change.

Recommended reading:

https://ico.org.uk/

Bibliography:

https://ec.europa.eu
https://www.cisi.org
https://ico.org.uk/

---

---