Contributed by Anil Chiplunkar
The General Data Protection Regulation (GDPR) is the regulation established by the European Union with the main intention of protecting the personal data of individuals in the EU. It empowers those individuals, referred to in GDPR as ‘data subjects’, to decide who may use their personal data, how, for what purpose, and how it is kept secure.
In a nutshell, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679):
- Regulation by the European Parliament, the Council of the European Union and the European Commission
- To give control to citizens and residents of EU over their personal data
- To strengthen and unify data protection for all individuals within the EU
- Covers export / transfer of personal data outside the EU
- To simplify the regulatory environment for international business by unifying the regulation within the EU
- The regulation was adopted on 27 April 2016
- It applies, and is enforceable, from 25 May 2018
Penalties for Non-compliance
- Up to EUR 20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, for the most serious infringements (a lower tier of up to EUR 10 million or 2% applies to others, such as failures in the security and breach notification obligations)
Given the many requirements within GDPR and the fact that the regulation is already in force, business organizations have started working towards compliance. A systematic approach is required: identification of the data to be protected, privacy impact assessment, and implementation of the operational, technical, procedural and human-related controls.
To devise the approach, the key definitions and requirements within GDPR must be understood. Following are some key definitions:
- Natural Person and Legal Person:
In jurisprudence, a natural person is an individual human being with his or her own legal personality, whereas a legal person is a private organization (e.g., a business entity or non-governmental organization) or a public organization (e.g., a government body) that the law treats as having its own legal personality.
- Personal data:
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- Sensitive Personal Data:
“Sensitive Personal Data” (the ‘special categories of personal data’ in GDPR) are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; data concerning health or sex life and sexual orientation; and genetic data or biometric data processed to uniquely identify a person. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU’s legislative competence).
- Processing:
“Processing” means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Controller:
“Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws.
- Processor:
“Processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
- Pseudonymisation:
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- Consent:
“The consent of the data subject” means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
- Personal Data breach:
“Personal Data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Binding corporate rules:
Means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
- Data concerning health:
“Data concerning health” means personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveal information about his or her health status.
- Genetic Data:
Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question
- Biometric Data:
Personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data
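The pseudonymisation definition above is the one technical measure in this list that is easy to get wrong: the “additional information” that links a pseudonym back to a person must be kept apart from the working dataset, and the pseudonym itself must not be recomputable by someone who only has the dataset. The following is an added example (written for this page, not code from the author or from any GDPR text) showing one way to implement it in Python: direct identifiers are replaced by an HMAC-derived token under a secret key, the key and the token-to-identity table live in a separate vault object, and an erasure request is honoured by deleting the link. The field names, the vault class, and the patient records are all assumptions constructed for the example.

```python
"""Pseudonymisation as defined in GDPR Art. 4(5): direct identifiers are
replaced by a keyed token, and the 'additional information' needed to link
a token back to a person (the key and the token->identity table) is held
separately from the working dataset.  All records here are constructed
sample data, not real people."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Fields treated as direct identifiers (assumed schema for this example).
DIRECT_IDENTIFIERS = ("name", "email")


class ReidentificationVault:
    """Holds the Art. 4(5) 'additional information'.  In a real deployment
    this lives in its own store with its own access controls and key
    management (KMS/HSM); the working dataset never holds a copy of it."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._identity: Dict[str, Dict[str, str]] = {}

    def token_for(self, email: str) -> str:
        # Keyed and deterministic: the same subject always maps to the same
        # token, so records stay linkable for analysis, yet without the key the
        # mapping cannot be recomputed.  (A plain SHA-256 of the e-mail address
        # would be trivially reversible from any list of candidate addresses.)
        digest = hmac.new(self.key, email.strip().lower().encode(), hashlib.sha256)
        return digest.hexdigest()[:32]

    def register(self, identity: Dict[str, str]) -> str:
        token = self.token_for(identity["email"])
        self._identity[token] = dict(identity)
        return token

    def reidentify(self, token: str) -> Optional[Dict[str, str]]:
        return self._identity.get(token)

    def erase(self, token: str) -> bool:
        # Honouring an erasure request: once the link is removed, working
        # records carrying this token can no longer be attributed to anyone.
        return self._identity.pop(token, None) is not None


def pseudonymise(record: Dict[str, str], vault: ReidentificationVault) -> Dict[str, str]:
    """Return a copy of the record with direct identifiers replaced by a token."""
    identity = {f: record[f] for f in DIRECT_IDENTIFIERS if f in record}
    token = vault.register(identity)
    working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    working["subject_token"] = token
    return working


def leaks_identifiers(working: List[Dict[str, str]], originals: List[Dict[str, str]]) -> bool:
    """True if any direct-identifier value from the originals still appears
    anywhere in the working dataset (a cheap check before releasing it)."""
    sensitive = {r[f] for r in originals for f in DIRECT_IDENTIFIERS if f in r}
    return any(v in sensitive for r in working for v in r.values())


# Constructed sample input; the third row is the same subject as the first,
# with the address typed in different case.
PATIENT_RECORDS: List[Dict[str, str]] = [
    {"name": "Ana Example", "email": "ana@example.org", "postcode": "1000", "diagnosis": "J45"},
    {"name": "Ben Sample", "email": "ben@example.org", "postcode": "2000", "diagnosis": "E11"},
    {"name": "Ana Example", "email": "Ana@Example.org", "postcode": "1000", "diagnosis": "J45"},
]


def demo() -> Dict[str, object]:
    vault = ReidentificationVault()
    working = [pseudonymise(r, vault) for r in PATIENT_RECORDS]
    tokens = [r["subject_token"] for r in working]
    summary: Dict[str, object] = {
        "identifiers_removed": not leaks_identifiers(working, PATIENT_RECORDS),
        "same_subject_linked": tokens[0] == tokens[2],
        "distinct_subjects_separated": tokens[0] != tokens[1],
        "reidentified_email": vault.reidentify(tokens[1])["email"],
    }
    # Erasure request from the second subject: drop the link; the working
    # rows keyed by that token are now orphaned.
    vault.erase(tokens[1])
    summary["reidentifiable_after_erasure"] = vault.reidentify(tokens[1]) is not None
    return summary


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points matter here. The token is an HMAC rather than a bare hash so that a copy of the working dataset alone cannot be joined back to a list of known e-mail addresses; that separation of the key is what makes the data pseudonymised rather than merely hashed. And because the vault is the only link, the same mechanism serves data subject rights: an access request is answered by looking up the token, and an erasure request by removing it.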
Key principles for data processing
- Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’)
The controller shall be responsible for, and be able to demonstrate compliance with the above principles (‘accountability’)
High-level approach for achieving compliance
The organization should identify what kind of personal data is collected as part of business operations and then perform an assessment of the ‘as-is’ (current) state against the GDPR requirements. This enables preparation of the plan for establishing and implementing the processes, technical and other controls needed to achieve GDPR compliance.
The organization should look at following areas for the ‘as-is’ or current state assessment and planning for next steps towards compliance:
- Data Protection Impact Assessment (DPIA)
- Technical and operational measures to protect the data, including:
- Privacy by design
- Policies and procedures
- Awareness at all levels across the organization
- Management of data subject consent including withdrawal of consent
- Data transfer processes
- Data retention policies
- Adherence to rights of data subjects
- Data subject access request
- Data subject correction request
- Data subject ‘right to be forgotten’ (erasure) request
- Data subject objection to automated processing / automated decision-making
- Management of data breach (privacy breach)
- Agreements with third parties, if any, to ensure similar controls are covered as part of the agreements
- Periodic verification / assessment post implementation of GDPR related policies, procedures, controls etc. to ensure the continuance of compliance
One year after GDPR enforcement
Quite a few organizations have devised processes and implemented controls to achieve GDPR compliance, and the major driver appears to be the consequences they might face for non-compliance. A few organizations have already been penalized under GDPR or similar country-specific EU data privacy regulations: a €50m fine for Google from the French data protection authority (CNIL), as reported by ZDNet; Facebook under scrutiny by the UK Information Commissioner’s Office (ICO) for possible GDPR violations; and Microsoft telemetry reported by the Dutch authorities to raise GDPR concerns. So the impact of GDPR is becoming visible and organizations need to take it seriously.
As reported by Alpin.io, the following are some of the fines issued for GDPR non-compliance:
- March, 2019 – Poland – A Data Processor – €220,000
- March, 2019 – Denmark – Taxa 4X35 (Taxi Company) – 1.2M DKK
- January, 2019 – France – Google – €50,000,000
- December, 2018 – Portugal – Hospital near Lisbon – €400,000
- November, 2018 – Germany – Knuddels.de (social media / chat platform) – €20,000
- October, 2018 – Austria – small, local business – €4,800
Impact in APAC
GDPR has extraterritorial scope: any organization that handles the personal data (personally identifiable data or personal health information) of individuals in the EU, or that offers goods or services to them or monitors their behaviour, is subject to the regulation wherever it is established. Organizations within APAC are therefore no exception. To my knowledge, no GDPR non-compliance has been reported to date against an APAC-based organization. However, APAC organizations should not overlook compliance. At some recent conferences the view was expressed that, for APAC organizations, the pressure to meet GDPR requirements would come mainly from EU counterparts (customers and partners who may only use processors that provide sufficient guarantees of compliance) rather than directly from the regulators. It would therefore be prudent for APAC organizations to implement the necessary processes and controls to achieve GDPR compliance.
Although the impact is not yet visible in the form of ‘penalties for non-compliance’, organizations need to invest in people, processes, technology and time to ensure they achieve the required level of GDPR compliance.
Following are few areas where the organizations will need to invest:
- Get GDPR related competencies
- Organizations need personnel with the competencies required to implement GDPR requirements. These personnel can be hired from outside or trained within the organization; either way, the organization needs to invest time and money to acquire these competencies.
- Identification of ‘data to be protected’ and implementing controls
- Organizations will need to set up a process to identify the ‘data’ that needs protection under GDPR (data discovery and classification)
- They may need to invest in tools to automate parts of this process and apply protection based on the classification of the identified data
- Tools for encryption, pseudonymisation etc. to protect data privacy (both are named in GDPR Art. 32 as appropriate security measures)
- Training across the organization
- All stakeholders, including senior management and employees, need to be trained on GDPR, so the organization will need to invest in this training, either through internal resources or by outsourcing it
- The organization will also need to conduct periodic refresher programs to ensure everyone is up to date with the requirements of GDPR and related privacy rules
- Third party contracts
- The organization needs to ensure that all third parties, contractors, consultants etc. who handle GDPR-related data or processes also comply with the requirements. This involves revising all related contracts to include the GDPR terms (for processors, the data processing agreement required by GDPR Art. 28)
- To add GDPR terms to the contracts, the organization will need to engage internal or external legal expertise, which requires investment of time and money
- The organization will also need to ensure that third parties, sub-contractors and consultants adhere to the revised requirements / terms, which means conducting periodic compliance assessments either through an internal mechanism or through external agencies
- Data subject rights
- A mechanism needs to be established for obtaining consent from the data subject, involving privacy notices, disclaimers etc., and for recording and acting on withdrawal of consent
- Processes need to be implemented for fulfilling requests from data subjects (refer to ‘rights of data subjects’ above)
- Data privacy breach notification and investigation
- The breach notification timelines are stringent: the supervisory authority must be notified within 72 hours of the organization becoming aware of a personal data breach (unless the breach is unlikely to result in a risk to individuals), and affected data subjects must be informed without undue delay where the breach is likely to result in a high risk to them. Organizations therefore need to set up processes and tools for identifying, responding to and notifying data privacy breaches
- People will need to be trained and responsibilities assigned for this (including dealing with EU authorities)
- A mechanism should also be established for communicating information about the breach to stakeholders, including the data subjects impacted by it
- Communication channels and responsibilities need to be assigned to ensure all relevant entities receive the required information about the breach / incident and the action plan
- Assigning a role of Data Protection Officer (DPO)
- The organization will need to assign the DPO role to an individual within the organization, or engage a third-party provider to shoulder the DPO responsibilities
- An essential requirement for the DPO is expert knowledge of data protection law and practices; essentially, legal competence in this area
- Having a representative in the EU who can communicate with EU regulators / authorities
- Organizations within APAC that are subject to GDPR but have no establishment in the EU will need to designate an EU representative who coordinates with the EU authorities on all GDPR-related compliance requirements
Considering the above areas, it can be noted that although the ‘direct impact’ of GDPR is not yet visible for APAC organizations, the investment in all of the above areas will require organizations to sanction a separate budget. Some surveys / studies of APAC organizations that operate their own data centres or use data centre services indicate that only 12% have implemented a reasonable level of GDPR compliance. Given the global reach of GDPR, it is essential for organizations outside the EU to achieve the necessary compliance. A number of countries within APAC, such as the Philippines, Singapore, South Korea and Malaysia, have country-specific data privacy / data protection laws, so APAC organizations must comply with the ‘law of the land’ and also align their practices with GDPR if they handle the data of EU residents.
To summarize, APAC organizations need to move quickly to achieve GDPR compliance, because the cost of non-compliance could be far greater than the cost of achieving it.
The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.