The General Data Protection Regulation (GDPR) was recently passed by the EU Parliament. Though it hasn’t come into force yet, affected companies should start preparing for the upcoming changes. Check out our guide to learn how to prepare for the General Data Protection Regulation.
The combined 2016/2017 statistics by the Information Commissioner’s Office (ICO) showed that there were more data breaches in the UK and more companies fined for unlawful data processing activities than in previous years. The ICO report reveals that data disclosure incidents rose to 18,354 in 2017 as of 31 March, which is approximately 2,000 more than in 2016. Some 2,565 self-reported incidents led to 16 financial penalties totaling about $2,138,000 for serious disclosures across a range of voluntary, private, and public sectors. Organizations sent more than 166,000 reports to the ICO about nuisance texts and calls. The office fined 23 organizations in this regard for a total of about $2.5 million, sent nine enforcement notices, and placed 31 companies under continuous monitoring.
Next year, ICO specialists will intensify their work in the lead-up to the General Data Protection Regulation coming into force.
What is the GDPR?
The General Data Protection Regulation is a legal document containing a set of requirements concerning retrieval, storage, processing, and sharing of personal data. Adopted by the European Parliament on 14 April 2016, this document will supersede the current EU Data Protection Directive on 25 May 2018.
What kinds of companies will the GDPR affect?
According to the official regulation text published on the European Council website, the GDPR applies to both personal data controllers and processors. If you are one of the following entities, you should definitely start preparing for the GDPR:
- A data controller in the EU
- A data processor in the EU
- A data subject in the EU (where data processing activities involve providing services or offering products to EU-based data subjects, or where these activities are related to monitoring data subject behavior within the EU)
If a data controller is not situated in the EU, the regulation applies to its data processing activities only if the law of a given Member State does not contradict public international law.
Are there any exceptions?
The GDPR also contains several exceptions that limit its jurisdiction. If any of the following is applicable, then the GDPR doesn’t apply to your processing of personal data:
- Any point of the regulation contradicts EU law
- Your organization is a competent authority and any point of the regulation would hinder you in preventing any kind of fraud or crime
- You’re processing personal data within a household or as a purely personal activity
What are the key changes introduced by the GDPR?
Besides requirements for data processors and controllers, the new regulation also establishes enhanced rights for individuals regarding control over their personal and sensitive data. In terms of GDPR preparation, you should carefully study both the rights of individuals and your own responsibilities.
Rights of Individuals
The rights of individuals established by the regulation include:
- The right to be informed about personal data processing activities
- The right to access personal data processed by a company
- The right to request that data be modified
- The right to request that data be deleted
- The right to prohibit a company from processing personal data
- The right to copy or move personal data to other processors
- The right to object to the lawfulness of processing personal data
- Rights related to profiling and automatically generated decisions
Let’s cover each of these rights in detail.
The Right to Be Informed
The right to be informed says that when processing personal data, affected companies should provide data subjects with detailed information regarding the company’s processing activities. Depending on the source from which personal data is obtained, this information should include:
- Company contact details
- Data processing purposes and lawful basis
- Personal data categories
- Data recipients (including other countries if applicable)
- The source from which data was obtained
The Right of Access
Allowing data subjects to access their personal data ensures that individuals can verify the legitimacy of data processing activities conducted by a company. The GDPR obliges affected companies to provide a copy of stored data for free, removing the ability for companies to charge £10 for this as they can under the DPA. However, you can still charge a “reasonable fee” when the same data subject sends repeated requests.
The Right to Rectification
The right to rectification means that individuals have the right to get their personal data edited if it’s inaccurate or incomplete.
The Right to Erasure
Unlike the DPA, the GDPR states that data subjects may have their personal data deleted and may prohibit processing in specific circumstances. Individuals can submit one of the following arguments when requesting that their data be erased:
- The purpose of data collection is no longer relevant
- Consent has been canceled
- The data subject is no longer legitimately interested in further data processing
- A company has unlawfully collected and processed the data subject’s personal information
- Data removal is necessary to comply with a legal obligation
- A child has provided personal data
If your organization processes children’s personal data, you have to carefully monitor situations where children give consent and then later request to have their information deleted. Children may not be fully aware of all the risks of providing personal data for processing.
The Right to Restrict Processing
Under the DPA, data subjects can also prohibit processing of personal data. Under the GDPR, however, you may still store personal data after you receive such a request, though you are not allowed to process it further. You may keep a record of the individual precisely so that the data subject’s prohibition continues to be honored in the future.
The Right to Data Portability
Under the right to data portability, individuals may get and use their personal information for any purpose across various services. This means they may safely and securely copy or move personal data from one system to another without restrictions.
The Right to Object
Data subjects may object to:
- processing of their data for the purpose of ensuring legitimate interests or performing tasks in the public interest or under requirements of official authorities (including profiling);
- marketing activities (including profiling);
- processing in the interests of scientific research.
Rights in Relation to Automated Decision-Making and Profiling
The regulation establishes safeguards for data subjects against the risk of potential negative impact caused by automated decision-making. Affected companies should identify whether any of their processing activities constitute automated decision-making and should consider implementing possible updates for their procedures to comply with the GDPR.
Enhanced Accountability and Breach Notifications
The GDPR establishes additional obligations regarding accountability for organizations that process personal data. The new rules oblige such companies to put in place advanced data protection policies, perform GDPR impact assessments, and document data processing methods, technologies, and techniques.
In the event of unauthorized personal data disclosure, access, modification, or loss, the involved organization has to report the incident to its national data protection regulator within 72 hours of becoming aware of it.
European data protection regulators include:
- The United Kingdom – Information Commissioner’s Office (ICO)
- Germany – Federal Data Protection Commissioner (FDPC)
- France – National Commission of Information and Freedoms (known by its French abbreviation, CNIL)
- Spain – Spanish Data Protection Agency (known by its Spanish abbreviation, AEPD)
- Italy – Italian Data Protection Authority (IDPA)
The GDPR contains so-called one-stop-shop principles that affect companies that carry out cross-border processing. If data processors or controllers process data through different establishments in various Member States (or through one establishment that processes data of individuals in multiple Member States), the supervisory authority (SA) responsible will be the lead SA within the jurisdiction of the data processor’s or data controller’s main establishment. The main establishment is where an affected company has its central administration and where it focuses most of its data processing activities.
Organizations with more than 250 employees must create documentation explaining what kinds of personal data they collect and why, how long they’ve been collecting it, and what measures they apply to protect this data from unauthorized access and disclosure.
The information that affected companies have to document includes:
- Name and details of the company, its representatives, controllers, and data protection officers
- Purposes of data processing activities
- Categories of both data subjects and personal data
- Categories of all recipients of personal information
- Information about all data transfers to third countries, including documentation of how those transfers are conducted
- Retention schedules
- Detailed information on organizational and technical security measures taken
Data Protection Officer
The regulation also states that organizations that monitor data subject behavior on a regular basis or process large amounts of sensitive and personal data have to assign a competent person responsible for ensuring GDPR compliance. This data protection officer (DPO) must also report to senior management about any data breach risks and serve as a point of contact for clients and employees.
Data Processing Consent
As the DPA did, the GDPR obliges companies to obtain consent for processing personal data in most cases. However, Directive 95/46/EC (Data Protection Directive) permits data controllers to use opt-out consent, whereas the new regulation requires individuals to consent with a clear, affirmative action or statement (opt-in). The GDPR includes the following additional requirements regarding obtaining consent:
- Individuals must be able to easily withdraw their consent at any time.
- Data controllers may not make their services conditional upon a data subject’s consent unless they cannot provide their service without data processing.
- Consent has to be specific for each data processing procedure.
- Consent has to be explicit when it comes to processing special personal data categories such as a political opinion, ethnic or racial origin, philosophical or religious beliefs, biometric data, information about health conditions, etc.
Consent is not always required to lawfully process personal data, however. The regulation allows businesses to use data without consent in the following circumstances:
- If personal data is needed to perform contractual duties
- If processing personal data is required to comply with legal obligations
- If a company cannot protect a data subject’s vital interests without processing personal data
- If processing is required to protect the public interest
- If processing is required to protect a data controller’s (or other involved company’s) legitimate interests, except in cases where doing so contradicts the data subject’s rights
Accessing and Transferring Data
In short, the GDPR provides data subjects with more control over their information. New rules allow any data subject to get a complete free report from a data controller or processor about the data these organizations hold about the requestor. Furthermore, data controllers and processors have to send this report within one calendar month of the request date.
The GDPR imposes restrictions on the transfer of personal data outside the European Union to third countries or international organizations in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
One of the most discussed GDPR changes is the new financial penalties for violating the regulation’s principles and requirements. The GDPR includes fines for three types of violations:
- Incorrect data processing
- Absence of a data protection officer in a company with more than 250 employees
- Personal data disclosure incident
The new regulation sets much higher fines compared to the previous EU directive. According to The Register, GDPR fines will be 79 times higher in the UK. For the first non-intentional GDPR violation, a company can get off with a warning. However, if an organization has violated the requirements regarding the DPO, it can be charged up to €10 million or 2% of its annual global turnover. In the case where an organization unlawfully processes, shares, or discloses personal data, it would have to pay up to €20 million or 4% of its annual global turnover.
After studying the key changes introduced by GDPR, you can start developing your own GDPR compliance action plan.
How to Prepare for the Changes
Gartner forecasts that more than 50% of organizations affected by this regulation will be unprepared for the new changes. Gartner’s research director suggests that the key to ensuring GDPR compliance is to review corporate data processing activities in order to provide complete data privacy. Surveys by Brodies show that only 5% of businesses are now ready to meet GDPR requirements. Furthermore, 11% of businesses definitely won’t be compliant by 25 May 2018. Let’s consider the necessary steps to prepare for the GDPR.
Determine Your Supervisory Authority
Taking into account the one-stop-shop principle of the GDPR, you should know what your supervisory authority will be starting from 25 May 2018. Determine where your main establishment is and be prepared for regular audits.
Review Your Data Protection Plan and Processing Activities
You should develop and implement a GDPR-compliant data protection plan or review your existing plan in order to ensure its compliance with the new regulation. Make sure that stored data is not accessible to more individuals than necessary. You should also make sure that your systems process only necessary categories of personal data for specific purposes.
Assign a Data Protection Officer
The regulation does not oblige you to hire a data protection officer (DPO) on a full-time basis. Depending on the company, the DPO can work on a part-time or full-time basis. You can also consider assigning a remote DPO. The regulation allows DPOs to work for several companies simultaneously, meaning that DPOs can work as consultants.
Educate Your Staff
All your employees must be aware of both the GDPR requirements and the possible consequences of non-compliance. That’s why you should develop a training program that covers data protection in general and those areas that relate to your company in particular. Assign employees who are responsible for delivering the courses and keeping the program up to date.
Ensure Accountability for Your Data Processing Activities
You should implement a data protection policy that unites all related policies, including a privacy-by-design principle ensuring that all privacy settings are set at the highest level by default. This policy should also contain requirements for creating and managing a record of processing activities. Integrate this privacy compliance into your audit framework to demonstrate your compliance with the GDPR. Consider how you request consent and how you can store a clear record of which categories of personal data individuals have consented to.
Conduct a Regular Risk Assessment
You have to know precisely what kind of data you collect and process on individuals within the European Union and must understand all possible risks around your data processing activities.
Your risk assessment should describe all measures taken to reduce those risks. Uncover all IT solutions including SaaS products that collect and store personal or sensitive data and continually check whether you remain in compliance. This requires both constant monitoring and improvement.
Implement a Convenient Solution to Protect Data
No corporate policy can fully protect your organization from data breaches. But you should make sure you’ve taken all possible measures to make your company GDPR-compliant. One of these measures is implementing an effective user monitoring and threat detection tool so that incidents are detected in time.
How Ekran System Can Help You Ensure GDPR Compliance
Ekran System is an insider threat detection solution that allows businesses to audit user activities while protecting them from data breaches. Here’s how you can prepare your business for GDPR using Ekran System.
Articles 5 and 24 of the GDPR oblige affected organizations to perform secure personal data processing. To be GDPR-compliant, companies should ensure transparency of all data processing activities and be ready for regular assessments by competent authorities. Ekran System conducts video recording of all user activity coupled with relevant metadata. These recordings provide a clear insight into how data is processed, serving as an audit trail that can be presented to regulators as an additional proof of compliance.
According to Articles 32 and 35 of the GDPR, affected organizations must implement both procedural and technical measures to protect the personal data they collect. Ekran System provides a set of predefined alerts that cover the most frequent cases of insider attacks and offers the ability to fully customize alerts to suit the needs of your organization. This allows you to easily detect suspicious incidents, which can then be quickly investigated by watching video recordings (or live sessions if the incident is ongoing). Any ongoing session can also be manually blocked if violations are detected.
Ekran System also provides access control features, including two-factor authentication.
All of this functionality helps companies protect their data from unauthorized access, theft, loss, and data leaks, enhancing data security.
Data Breach Case Investigation
In case of a data breach, Article 33 obliges you to inform affected data subjects and report to a competent authority about the incident. Ekran System provides a full tamper-proof audit trail of all user actions, allowing you to quickly detect and easily investigate data breaches. You will be able to tell exactly what data has been compromised, how, and by whom, while the forensic export functionality will allow you to transfer data to investigators while making sure that it hasn’t been tampered with.
To learn more about how Ekran System can help you get ready for the GDPR, follow this link.
Following our GDPR checklist will help you prepare for all the new requirements under this regulation. Applying the right measures and strategies will keep your organization protected from both data breaches and tremendous fines.