GDPR - Global Data Protection Regulation
The ISACA NY Chapter invited me to participate in their Executive Roundtable on the EU GDPR (Global Data Privacy Regulation). Following are important data points from the event.
GDPR was adopted on April 27, 2016. Enforcement is set to start in May 2018, leaving only a short time for organizations to become compliant and avoid the potentially devastating fines: €10M or 2% of annual worldwide turnover for infringement of obligations. Infringement of basic principles can incur fines as high as €20M or 4% of annual worldwide turnover, whichever is greater. Note that the fines go to the regulatory bodies.
While GDPR is an EU regulation, its impact extends beyond the borders of the EU: it protects the privacy of EU citizens' information throughout the world. “Personal Data” is defined as “any information relating to an identified or identifiable natural person (“data subject”)”. It includes information relating to an individual's private, professional or public life. Examples of Personal Data include name, home address, photo, email address, bank details, posts on social networking websites, medical information, or a computer's IP address.
The main provisions of GDPR include:
Consent – Explicit consent for the use of personal data must be obtained from the EU citizen. The consent must require an active action; pre-filled check boxes are considered non-compliant. The data controller must be able to prove that consent has been given. Additionally, at any point in the process the EU citizen must be able to revoke consent and be removed, exercising the right to be erased.
Right to Erasure – “free of charge … access to and rectification or erasure of personal data and the exercise of the right to object”. Responses to requests must be completed within a one-month timeframe. Additionally, “time limits should be established … for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted”.
Right to Object – “rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to object when processing personal data”
Governance – Each organization must have a Data Protection Officer (DPO). This person must be qualified for the role and can be full or part time, contract or staff. The DPO shall act independently of the controller or processor, reporting directly to the highest management level.
One-stop-shop – defines the provisions for the regulatory bodies' lead and supervisory authorities and the appeal process.
Breach Notification – “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” is identified as a “Personal Data Breach” and must be reported to the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.
Organizations impacted by GDPR include those that store, process or transmit EU citizens' information (including that of staff, customers, clients…) and those doing trans-border data transfers. Organizations storing, processing or transmitting US personal data in EU facilities must also comply, though this will probably be a low priority for regulators initially. Organizations' marketing, data analytics and cybersecurity departments will be directly impacted by GDPR. Processing and analysis of information on EU citizens must be compliant. Organizations must be able to establish that they hold EU citizens' data and must have the ability to remove or erase those identities upon request.
Excellent resources for more detail on GDPR include the GDPR regulation itself, the IAPP (International Association of Privacy Professionals) and the European Commission.