GDPR 101 Part 2: What are the Requirements of GDPR?
Learn the basics about the EU’s General Data Protection Regulation.
VP of Assessments
CISSP, CISA, QSA, PA-QSA
GDPR 101 Part 1: Should I Be Worried? helped set up a framework for your approach to GDPR compliance. Our 3rd installment in this blog series will offer practical tips to get you started on your own GDPR compliance journey.
Terms and Definitions in the GDPRFirst up, the difference between data controllers and data processors.
Not all organizations involved in the processing of personal data have the same roles or levels of responsibility.
- Data Controllers: Entities or individuals that need to process personal data in order to do business. They determine the purposes for which and the manner in which the personal data is processed. The data controller must exercise control over the data processing and ultimately carries the responsibility for its security.
- Data Processors: Processors take and/or process personal data on behalf of the Controller.
Other important GDPR terms to know:
- Supervisory Authority: An independent public authority established by a member state to represent the people and oversee/monitor businesses.
- Personally Identifiable Data (PII)/Personal Data: any information relating to a data subject, which could identify them directly or indirectly. Besides names, addresses, etc., personal data can refer to identification numbers, or even to one or more factors specific to physical, physiological, mental, economic, cultural or social identity.
- Pseudonymisation: amending data so that it is no longer identifiable except with a key. Sometimes takes the form of a coded data set and works a bit like encryption. Does not apply to data that is rendered anonymous. Pseudonymisation may not always put data out of scope for GDPR, but it can allow the relaxing of some provisions for using data for secondary purposes, like historical or research purposes.
- PII/Personal Data Breach: A security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
What are the requirements of the GDPR?
Data Mapping and Tracking
The first step in GDPR compliance is to discover and clearly document all of the PII/personal data that flows into and out of your organization. To do this, you will need to understand the processes that use PII and conduct internal interviews. Once you know where and what you’re looking for, a good data discovery tool can help. The next step is to document what the personal data is, where it comes from, and where it flows. Documentation includes data flow and network diagrams, as well as process descriptions.
INFOGRAPHIC: How to Find and Secure Unencrypted PII
Communicating Privacy Information
GDPR has core principles about communicating with those you get personal data from. This communication could occur between you and the data subject themselves, or you and an entity providing you with previously collected personal data.
Privacy notices must be more transparent, using clear and plain language, and be easily accessible and easy to understand for any of your customers. This communication will need to explain things such as your lawful basis for getting their data, how long it will be kept, and what their rights are regarding the data you are processing or storing.
Subject Access Requests
The time limit to comply with data subject access requests (DSAR) has been reduced from 40 days to one month. If you handle a large number of access requests, consider how to deal with requests more quickly.
In most cases, you’ll not be able to charge the customer for the time you use to complete the request. You can refuse or charge for requests that are manifestly unfounded or excessive. If you do refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month
Processing Data Lawfully
You will need to explain your company’s need to obtain the personal data, including the lawful basis for gathering and processing it. Document this information and update your privacy notice to explain it.
Consent to Process Data
Gathering data needs to include a clear “opt-in” step from data subjects. You will not be able to inform customers through an automatic pop up or “fine print” only. Consent must be obtained. Review how you seek, record, and manage consent, and maintain clear privacy notice documentation.
Consent for Children
Organizations must have processes in place to verify data subjects’ ages. For children, your privacy notice must be written in simple language the child can understand. At present, the GDPR states that you must obtain parental or guardian consent for any data processing activity of a subject younger than 16 in the EU.
Establish policies and procedures to detect, report, and investigate a personal data breach (e.g., Incident Response Plan.) You must report personal data breaches to your SA within 72 hours after awareness of the breach. If individuals face an adverse impact, contact individuals directly. Failure to report a breach when required to do so could result in a fine in addition to the fine for the breach itself.
Data Protection Officers
You will need to designate a Data Protection Officer (DPO) to be responsible for data protection compliance if your organization is:
- A public authority or body (except for courts acting in their judicial capacity)
- An organization carrying out regular and systematic monitoring of data subjects on a large scale
- An organization processing a large scale of special data categories—health records—(as detailed in Article 9) and personal data relating to criminal convictions and offenses (as detailed in Article 10)
But even if you don’t fall into one of these categories, we highly recommend designating a DPO. Your DPO will need knowledge, support, and authority to carry out their role effectively.
SEE ALSO: GDPR Frequently Asked Questions
Data Protection by Design
GDPR makes “data protection by design and default” an express legal requirement. This one statement itself can create a myriad of data protection and security requirements that are not specifically defined by the GDPR but are well known in the data security industry.
You may already be familiar with many of them if you undergo PCI DSS, ISO 27000, SOC, or other security assessments.
Data Protection Impact Assessments
Data Protection Impact Assessments (DPIAs) are essentially a formal Risk Assessment process like that defined in NIST 800-30. You will need to conduct DPIAs when specific risks might affect the rights and freedoms of data subjects. For example, when a new technology is deployed, a profiling operation will impact individuals significantly, or when there’s a large-scale processing of special categories of data.
This impact assessment will use information gathered from your data mapping exercise as well as information about all the systems and networks used to process data. This process is critical to implementing the “data protection by design and default” philosophy.
The concept of “data protection by design and by default” leads to the need for a lot of security controls to be applied to your systems, processes and people involved in dealing with sensitive personal data.
Based on our experience in the security industry, here are a few of the major areas that will need attention. Each of these bullets could be expanded into more system or process requirements, but we will not go into that here. If you want to be GDPR compliant, you will need to have documented evidence that your systems embody the principle of “data protection by design and by default.”
- Remote Access Security
- Web Application Security
- Edge Firewall Security
- Wireless Network Security
- Password Policies
- Malware Prevention
- Physical Security
What rights does GDPR name and protect?
Right to erasure: Individuals may request to have personal data erased. This right is also sometimes called “the right to be forgotten.” Other data security standards (such as HIPAA) may overrule the right to erasure in certain circumstances; it’s best to consult with a legal advisor regarding these possible scenarios.
Right to be informed: Keeping data subjects informed is key to transparency under the GDPR. You must let them know your purposes for processing their personal data, your retention periods for that personal data, and who the data will be shared with. This is known in the GDPR as “privacy information.”
Right of access: Data subjects have the right to access their personal data and supplementary information. The right of access also states that individuals should be aware of and verify the lawfulness of the processing.
Right to rectification: The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.
Right to restrict processing: In certain circumstances, individuals have the right to request the restriction or suppression of their personal data. Restricted processing means the data can be stored, but not used.
Right to data portability: You may be required to provide the personal data in a structured, commonly used and machine-readable format. This right only applies to personal data an individual has provided to a controller, where the processing is based on the individual’s consent or for the performance of a contract, and when processing is carried out by automated means.
Right to object: Individuals may object “on grounds relating to their particular situation” to data processing—even if it’s based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). They have a right to object to direct marketing (including profiling), as well as to processing of their data for purposes of scientific/historical research and statistics.
Rights related to automated decision making including profiling: this right includes additional rules to protect individuals if a data controller is carrying out solely automated decision-making that has legal or similarly significant effects on them. You can only carry out this type of decision-making where the decision is: necessary for the entry into or performance of a contract; or authorized by Union or Member state law applicable to the controller; or based on the individual’s explicit consent.
SEE ALSO: What's the Difference Between GDPR and PCI?
Who enforces GDPR?There are general supervisory authorities (SA), for example the Information Commissioner’s Office in the UK, but it’s a good idea to start finding out who your specific SA is. The SAs are responsible for issuing fines.
GDPR 101 blog series
Watch for our third and final installment of our GDPR 101 blog series. In it, we will cover the “how” of GDPR: the important steps you’ll need to take and the resources to help you take them.
Also check out our “GDPR 101 Part 1: Should I Be Worried” blog post. It’s an important introduction that will helps set the stage for how you should think about and approach GDPR compliance.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.