EU GDPR Compliance - Where Do We Start?

How Do We Operationalize Both Security & Privacy Principles?

Within European Union Regulation 2016/679 (the General Data Protection Regulation (EU GDPR)), Articles 5, 25 and 35 carry responsibilities that are shared between cybersecurity and privacy teams. Before you can jump in and just start "doing privacy and security," your company needs to first address some fundamental building blocks that are often overlooked:

  • Step 1 - Make sure your company's policies and standards are "audit ready" for GDPR. This means they are aligned with an industry-recognized leading framework, which demonstrates that you meet reasonable expectations for your industry.
  • Step 2 - Eliminate "tribal knowledge" by documenting how processes actually work and ensuring that key stakeholders know what "right" looks like. If you already have written processes, audit them to confirm that what is published is what is actually being done.
  • Step 3 - Establish governance and oversight of those processes to verify that they are actually working as intended. If they are not, make fixes and keep verifying.

[Image: EU GDPR compliance policies and standards example]

Understanding "Security By Design" As It Pertains To EU GDPR 

In terms of the EU GDPR, the regulation expects your company to demonstrate an “adequate level of protection” and “appropriate technical and organisational measures” by aligning with leading security practices. The regulation does not prescribe a specific framework, so your company is not only expected to adopt a “best in class” approach, whether by implementing a single framework or a hybrid model, but also to retain evidence that it has done so. Every framework has its own strengths and weaknesses, but the following are common sources of "security principles" that a company should leverage:

  • International Organization for Standardization (ISO) 27000-series guidance;
  • National Institute of Standards and Technology (NIST) 800-series guidance;
  • NIST Cybersecurity Framework;
  • Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS);
  • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM); and
  • Center for Internet Security (CIS) Critical Security Controls.

The following sections are the key articles from the EU GDPR that pertain to cybersecurity:

  • Article 5 - Principles relating to processing of personal data.
    • Your company must protect personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
  • Article 25 – Data protection by design and by default.
    • Your company must implement "appropriate technical and organizational measures" to implement data-protection principles and ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. 
  • Article 28 - Processor.
    • Your company must only use processors providing sufficient guarantees to implement appropriate technical and organizational security and privacy measures.
  • Article 32 - Security of processing.
    • Your company must implement “appropriate technical and organizational measures” to ensure a level of security appropriate to the risk of data being processed.
  • Article 33 - Notification of a personal data breach to the supervisory authority.
    • Without undue delay and, where feasible, not later than 72 hours after becoming aware of a personal data breach, your company must notify the supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If notification is made after 72 hours, it must be accompanied by reasons for the delay. A processor must notify the controller without undue delay after becoming aware of a breach, so incident response playbooks need to account for both roles.
  • Article 35 - Data protection impact assessment.
    • Where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, your company must perform a Data Protection Impact Assessment (DPIA) prior to the processing.
  • Article 45 - Transfers on the basis of an adequacy decision.
    • Your company may transfer personal data to a third country or international organization without any specific authorization where the Commission has decided that it ensures an adequate level of protection.
  • Article 46 - Transfers subject to appropriate safeguards.
    • In the absence of an Article 45 adequacy decision, your company must have at least one (1) of the following in place:
      • A legally binding and enforceable instrument between public authorities or bodies; 
      • Binding corporate rules in accordance with Article 47; 
      • Standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2); 
      • Standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2); 
      • An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or 
      • An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.


Understanding "Privacy By Design" As It Pertains To EU GDPR 

In terms of the EU GDPR, the regulation expects your company to demonstrate an “adequate level of protection” and “appropriate technical and organisational measures” by aligning with leading privacy practices. Your company is therefore not only expected to adopt a “best in class” approach to implementing privacy frameworks, but also to retain evidence that it has done so. Every framework has its own strengths and weaknesses, but these are the two most common sources of "privacy principles" that a company should leverage:

  • Generally Accepted Privacy Principles (GAPP); and
  • Fair Information Practice Principles (FIPP).

The following sections are the key articles from the EU GDPR that pertain to privacy:

  • Article 5 - Principles relating to processing of personal data.
    • Your company must process personal data lawfully, fairly and transparently; collect it for specified, explicit and legitimate purposes; limit it to what is necessary for those purposes (data minimisation); keep it accurate; retain it no longer than necessary; and protect it with appropriate security against unauthorized or unlawful processing and against accidental loss, destruction or damage. Under Article 5(2), your company must also be able to demonstrate compliance with these principles (accountability).
  • Article 6 - Lawfulness of processing.
    • Your company must ensure that every processing activity rests on at least one lawful basis, such as the data subject's consent, performance of a contract, a legal obligation, protection of vital interests, a task carried out in the public interest, or your company's legitimate interests where they are not overridden by the interests or rights of the data subject.
  • Article 9 - Processing of special categories of personal data.
    • Your company is prohibited from processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and from processing genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, unless one of the exceptions in Article 9(2) applies (for example, the data subject's explicit consent).
  • Article 10 - Processing of personal data relating to criminal convictions and offences.
    • Your company may process personal data relating to criminal convictions and offences only under the control of official authority or where Union or Member State law authorizes the processing and provides appropriate safeguards for the rights and freedoms of data subjects.
  • Article 17 - Right to erasure.
    • This is the “right to be forgotten” requirement.
    • Without undue delay, your company must erase a data subject's personal data upon request where one of the grounds in Article 17(1) applies, for example when the data are no longer necessary for the purpose for which they were collected or the data subject withdraws consent, subject to the exceptions in Article 17(3) such as compliance with a legal obligation.
  • Article 20 - Right to data portability.
    • This is the “data portability” requirement.
    • Where processing is based on consent or on a contract and is carried out by automated means, your company must be able to provide a data subject with the personal data he or she has provided, in a structured, commonly used and machine-readable format, and the data subject has the right to transmit those data to another controller without hindrance from your company.
  • Article 25 – Data protection by design and by default.
    • Your company must implement "appropriate technical and organizational measures" to implement data-protection principles and ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. 
  • Article 35 - Data protection impact assessment.
    • Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, your company must perform a Data Protection Impact Assessment (DPIA) prior to the processing, in order to assess the impact of the envisaged processing operations.
  • Article 46 - Transfers subject to appropriate safeguards.
    • In the absence of an Article 45 adequacy decision, your company must have at least one (1) of the following in place:
      • A legally binding and enforceable instrument between public authorities or bodies; 
      • Binding corporate rules in accordance with Article 47; 
      • Standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2); 
      • Standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2); 
      • An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or 
      • An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
  • Article 49 - Derogations for specific situations.
    • In the absence of an Article 45 adequacy decision or Article 46 appropriate safeguards, your company may transfer personal data to a third country or an international organization only under one of the derogations in Article 49(1), for example the data subject's explicit consent after being informed of the possible risks, or where the transfer is necessary for the performance of a contract with the data subject. These are narrow exceptions for specific situations rather than a general basis for routine transfers.
