GDPR Compliance Solutions | HelpSystems
GDPR in 2020

GDPR Compliance

What is GDPR? How is it Different than the EU Data Protection Directive?

GDPR (General Data Protection Regulation) is the legal framework in the EU and the UK that replaced the previous EU Data Protection Directive in 2018. The most significant difference between the two is the difference between a regulation and a directive.

A regulation is law and is legally binding, whereas a directive is a recommendation and is not legally binding. This means that GDPR is a law that must be followed by all European member states.

Alternatively, this distinction can be explained as a regulation being a single set of rules that must be obeyed, while a directive is a set of rules that leaves room for interpretation.

While the previous EU Data Protection Directive did not define data breaches, GDPR includes this very broad definition, stating a data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to, personal data transmitted, stored or otherwise processed.”

The definitions of a data breach and personal data matter, as they mean many different events or activities could qualify as violations of GDPR. Personal data is defined as “any information relating to an identified or identifiable person – not just data that could be used for fraud or identity theft.”

What is the purpose of GDPR?

GDPR Solutions for Information Security

What is the purpose of GDPR?

GDPR is intended to protect personal data and how organizations process, store, and ultimately destroy it when the data is no longer required. The law gives individuals control of how companies can use information that is directly relatable to them personally and provides eight specific rights.

It also lays down very strict rules governing what happens if access to personal data is breached and the consequences (fines) organizations will suffer.

How Does the GDPR Define “Personal Data”?

How Does the GDPR Define “Personal Data”?

When it comes to data protection, the GDPR regulations are the strictest in the world and cover the term “personal data” with a very broad brush to encompass virtually any information that can possibly identify an individual. GDPR can be applied in many ways, including examples such as the following and more:

compliance-et-audit-reporting Created with Sketch.

Direct/Indirect Indentification

If the subject can be directly/indirectly identified by name, identification number, address, online profile, or any unique physical, genetic, mental, commercial, or cultural characteristic

compliance-et-audit-reporting Created with Sketch.

Assigned Data

By any data assigned to an individual such as a phone number, license plate number, customer ID, credit card number, etc.

compliance-et-audit-reporting Created with Sketch.

IP Address

IP addresses if turned over by an organization’s controller by request

Who Does GDPR Apply to?

Reporting software simplifies IT security audits

Who Does GDPR Apply to?

The personal data covered by GDPR starts with any data assigned to a natural person at birth, covers all identifiable data for that person throughout their lifetime, and ends at that individual’s death. It does not, however, apply to organizations, businesses, or institutions, etc.

Organizations that store or process personal information about EU residents are obligated to comply with the GDPR, even if located outside the EU.

Remember, the regulation defines personal data as “any information relating to an identified or identifiable natural person/individual.”

GDPR’s impact on IT staff can’t be minimized. Controllers, data protection officers, processors, and others all play a role in facilitating and enforcing GDPR compliance. As a refresher on roles associated with GDPR compliance:

Controller

A controller alone, or jointly with others, determines how and why personal data is processed. This role is similar to but expanded from the previous data controller role under the old EU Data Protection Directives. Legally the controller has ultimate responsibility to ensure processors follow the rules.

Processor

A processor is defined as any person who processes data on behalf of the data controller. Examples include third-party companies, such as marketing firms and cloud hosting companies.

Data Protection Officer

A data protection officer (DPO) may need to be designated as the leading authority on GDPR compliance within the organization. Briefly, a DPO is required when processing of data is carried out by a public authority or body, or where data is processed in a regular and systematic method on a large scale, or when large scale processing of specialized data such as criminal convictions is undertaken.

Controllers, Processors or Organizations Outside the EU

Controllers, processors or organizations outside the EU but offering services or goods in the EU or processing identifying data of EU citizens will also need to be compliant with GDPR

The 8 Rights of GDPR

Right to Be Informed

Before data is collected, a data subject has the right to know how it will be collected, processed, and stored, and for what purposes.

Right to Access

After data is collected, a data subject has the right to know how it has been collected, processed, and stored, what data exists, and for what purposes.

Right to Correction (Rectification)

A data subject has the right to have incorrect or incomplete data corrected.

Right to Erasure (Right to Be Forgotten)

A data subject has the right to have personal data permanently deleted.

Right to Restriction of Processing

A data subject has the right to block or suppress personal data being processed or used.

Right to Data Portability

A data subject has the right to move, copy, or transfer personal data from one data controller to another, in a safe and secure way, in a commonly used and machine-readable format. Wherever technically possible, this also includes the right to have the data transferred directly from one controller to another without the data subject having to handle the data

Right to Object to Processing

A data subject has the right to object to being subject to public authorities or companies processing their data without explicit consent. They also have the right to stop personal data from being included in direct marketing databases.

Right to Not Be Subject to Automated Decision Making

A data subject has the right to demand human intervention, rather than having important decisions made solely by algorithm.

GDPR Compliance Checklist

GDPR is a heavy lift indeed. Using this checklist can get you started in terms of what you need for compliance. Note: The information below is general in scope and is not considered legal advice. You should connect with an attorney specializing in GDPR compliance for your organization’s situation.

Assess Your Data

  • Start with an audit of information you currently process, including details on who can access it.
  • Be sure you have legal justification for gathering this data
  • Detail your processing and legal justification in your data privacy policy

Secure Your Data

  • Employ encryption protocols and other methods of ensuring anonymity of personal data where possible
  • Craft a data security policy and ensure employees are trained on it. Review your policy regularly and enforce the specifics contained within it.
  • Ensure you have an incident response plan in place to report breaches, mitigate issues, and remediate to avoid future similar incidents

Oversee Your Data

  • Select an individual to be responsible for ensuring GDPR compliance is carried out enterprise-wide
  • Be sure to draft and sign an agreement for data processing with any third parties processing data for your organization
  • If you operate outside the EU, a representative should be appointed from within the EU
  • If necessary, you may wish to appoint a Data Protection Officer

Data Privacy Considerations

  • Be sure it’s easy to have personal data deleted if requested by individuals
  • Make it easy for customers to stop processing data, if asked to do so
  • Ensure customers can get personal data you have on them in a format that’s easy to be transferred
  • Allow for an easy objection process if asked to stop processing data
  • If your automated processes include decision making, be sure you have procedures in place to protect data privacy rights

Challenges for GDPR Compliance

Complying with the stringent GDPR is not without its challenges. But countries around the world recognize that the strict guidelines designed to protect personal data are in an organization’s best interest, as well as for individuals, and many countries are developing compliance regulations modeled after the GDPR as a result. A few of note: the California Consumer Privacy Act (CCPA), Canada’s proposed Digital Charter Implementation Act, and Brazil’s Lei Geral de Protecao de Dados (LGPD).

To comply, organizations need to do the hard work of protecting the rights of their data subjects and of conducting impact assessments, reporting incidents like breaches, and ensuring they have auditing processes in place. In addition, while GDPR is an EU edict, its impact is global as organizations who have employees or customers outside the EU or who use data processed outside the EU must also comply.

IT staff may have used manual processes or even temporary controls when the GDPR was first enacted to help meet the requirements, but this approach is not sustainable. Instead, robust data protection technology that is automated and streamlined better meets the strict regulatory requirements for limiting access to personal data and securing data at rest and in motion. Three areas are of particular concern to IT teams:

compliance-et-audit-reporting Created with Sketch.

Security

With data breaches costing millions and with far-reaching PR costs, ensuring the security of data that falls under GDPR is essential. Best practice for IT teams is to invest in security solutions such as encryption, secure file transfer, and identity and access management.

compliance-et-audit-reporting Created with Sketch.

Data management

As the GDPR gives individuals the right to request data be accessed, transferred, deleted, or otherwise processed, IT teams are challenged with securing efficient and transparent technical solutions to manage these requests. In addition, IT needs to ensure any solution selected is auditable to meet the requirements. And to meet the needs following a data breach, IT needs to ensure they are adequately staffed and trained to both report and mitigate any incidents.

compliance-et-audit-reporting Created with Sketch.

Automation

Determining how to securely store and manage the consent status of data subjects across the organization is another concern. GDPR’s Article 30 is the requirement for processing activities of personal data to be recorded. Initially, many companies did so manually, but as these records need regular updating, automating helps streamline this requirement and allows the IT to focus on higher level tasks. Collaboration platforms and tools, as well as setting up workflows and business rules can help keep Article 30 records up to date more easily.

We Can Help with GDPR Compliance

Contact the professionals at HelpSystems for a free 30-minute consultation on what solutions are best for your organization. We’ll help you determine what you need to do next to be in compliance with GDPR.