The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) was enacted on April 27, 2016, with the enforcement date being May 25, 2018. It replaces the European Data Protection Directive (DPD) (Directive 95/46/EC), which was the previous privacy and data protection scheme for the European Union.
GDPR is intended to strengthen and unify data protection for all individuals who are citizens of the European Union (EU). One of the primary objectives of the regulation is to give control back to citizens and residents (called “data subjects”) over their personal data. Another objective is to simplify the regulatory environment for international business by unifying the regulation within the EU. Under the old regulatory framework, the Data Protection Directive directed each member state to enact its own enabling data protection laws, but there were substantial differences in those laws across the member states. This made compliance with all of the member country laws complicated, so one of the goals now is to have one European-wide regulation that is the same across all member states.
An important thing for CISOs to know is that GDPR is primarily a privacy-oriented regulation, not an information security-oriented regulation. Most of the requirements are focused on fundamental privacy principles; security is just a small subset of that.
Who has to comply?
The scope of the law extends to all domestic and foreign companies (called “data controllers”) that collect, process or store data that is about EU residents. The penalties for noncompliance are quite onerous. A company can be assessed a fine of up to 20 million euros or 4% of turnover, whichever is higher. Turnover is defined as revenues minus taxes, so the potential penalty can be about 4% of your revenues minus whatever your tax bill is, which can be pretty substantial.
An important thing to know in order to determine whether or not GDPR even applies to you is the regulation’s definition of personal data. It’s basically any information related to an individual, whether it relates to his or her private, professional, or public life. It could be anything such as the name, home address, a photo, an email address, bank account details, their posts on social networking sites, their medical information, or even the device or IP address of the computer they use. The regulation is quite broad in terms of what it considers personal data to be. For instance, if you combine the person’s name with the IP address of the computer they’re working on, that’s considered personal data. Frankly, it’s pretty sweeping.
GDPR doesn’t apply only to global companies that openly do business in Europe or with European citizens. It can also encompass companies that are domestic to a non-EU country (like the US or Canada) whose business is primarily in their home country, but which happen to hold data from European citizens. Consider, for example, a property insurance company in Texas that sells renter’s insurance policies. The business is focused entirely on properties in the state of Texas—clearly not part of the EU. However, some of the people who purchase policies could be European expats who are currently living in Texas apartments. Just holding the personal and financial data of those EU citizens now living in Texas is enough to put the insurance company’s data policies under the purview of GDPR.
GDPR was designed with social media companies in mind, but the regulation doesn’t actually limit itself to those kinds of businesses. It pulls in a lot of requirements, like the Right to be Forgotten. That was designed for the Facebooks and Googles of the world, so that an EU citizen could say, “You know what, Facebook? I want the history of everything I’ve done and posted on Facebook completely deleted off of your application.” But there’s no requirement that it be applied only to social media companies, so if you do anything electronically for an EU citizen, you could be asked the same thing: “I want you to delete everything, every trace of me in your system.”
What the regulation requires
I’ll provide an overview here of what the law requires, but I recommend you read the regulation for yourself. It’s relatively short and it’s written in fairly plain English (as well as other languages). Reading the document will help you separate reality from hype when vendors try to sell you something based on this regulation becoming effective in 2018. For key terminology that may be mentioned below, refer to Chapter 1, Article 4 of the regulation.
- Notice requirements – Data controllers must notify data subjects on how their personal data is processed. These requirements have been expanded from the old Data Privacy Directive to include retention time for personal data and contact information for the Data Protection Officer (DPO).
- Rights to access, rectification and erasure – The right of the data subject to access his or her information, have that information corrected if it is inaccurate, and have it deleted under certain circumstances (i.e., the right to be forgotten).
- Right to explanation – Automated individual decision making, including profiling, is contestable. Citizens now have the right to question and fight decisions that affect them that have been made on a purely algorithmic basis; for example, the denial of a loan application based purely on automated decision making.
- “Privacy by Design and by Default” – Requires that data protection measures are designed into the development of business processes for products and services. Privacy settings must be set at a high level by default.
- Third party oversight – Data controllers are responsible for demonstrating compliance even if they outsource to a third party data processor.
- DPIAs – Data Protection Impact Assessments have to be conducted when processing poses specific risks to the rights of data subjects. Risk assessment and mitigation are required, and prior approval of the Data Protection Authorities (DPA) is required for high risks.
- Data Protection Officers – DPOs must be appointed to ensure compliance within certain types of organizations (those who process large amounts of personal data or certain types of data).
- Consent – Valid consent must be explicit, both for the data collected and for the purposes the data is used for. Data controllers must be able to prove “consent” (opt-in), and that consent may be withdrawn at any time.
- Encryption – Pseudonymisation is a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. Encryption is a form of pseudonymisation. Pseudonymisation is recommended (but not required) to reduce the risks to personal data. The encryption key must be kept separate from the pseudonymised data. Encryption keys and data must remain in the power of the data owner. With cloud-based storage, the data controller must hold the keys.
- Data breach notification – Data breaches must be reported to the Supervisory Authority within 72 hours of discovery. There is a safe harbor for that notice. Data subjects have to be notified of a data breach, but only if the personal data is not encrypted. The data subject has the right to request erasure of personal data related to them on any one of a number of grounds, e.g., unlawfulness of collection, fundamental rights of data subject outweigh interests of data controller, etc.
- Data portability – A person shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller. Both data that has been ‘provided’ by the data subject, and data that has been ‘observed’ – such as about their behavior – is within scope. The data must be provided by the controller in a structured and commonly used open standard electronic format.
- Audit trail – Records of processing activities must be maintained that include purposes of the processing, categories involved, and envisaged time limits. This is subject to review by regulators.
- Transfers out of the EU – The processor must be in a country deemed to have adequate privacy protection, use binding corporate rules, or use a contract with model clauses; Privacy Shield membership is helpful.
- Marketing profiling – A data subject can object to user profiling for marketing purposes.
- Subprocessors – Use of a subprocessor by a processor must be approved by the controller, and the subprocessor must be subject to the same requirements as the processor.
- Privacy principles – As with the DPD, GDPR mandates key privacy principles such as data minimisation, data accuracy, and storage limitation.
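The encryption bullet above describes pseudonymisation as replacing identifying data with values that cannot be linked back to a person without “additional information” held separately. The following is an added illustration written for this article, not code from the regulation or from any vendor: direct identifiers in a customer record are replaced by a keyed-hash token, while the key and the token-to-identity mapping live in a separate custodian object standing in for a separately controlled system. The field names, the sample record and the choice of HMAC-SHA256 are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Fields treated as direct identifiers in this constructed example. The
# regulation's notion of personal data is far broader; these three are an assumption.
DIRECT_IDENTIFIERS = ("name", "email", "ip_address")


class KeyCustodian:
    """Holds the secret key and the token -> identity mapping.

    This is the "additional information": it must live in a separate system,
    under the data controller's control, apart from the pseudonymised records.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)
        self._mapping: Dict[str, Dict[str, str]] = {}

    def token_for(self, record: Dict[str, str]) -> str:
        # Keyed hash (HMAC-SHA256) of a normalised identifier: the same subject
        # always gets the same token, so records stay linkable, but nobody
        # without the key can recompute or reverse it.
        subject = record["email"].strip().lower().encode()
        token = hmac.new(self._key, subject, hashlib.sha256).hexdigest()[:32]
        self._mapping.setdefault(token, {f: record.get(f, "") for f in DIRECT_IDENTIFIERS})
        return token

    def reidentify(self, token: str) -> Optional[Dict[str, str]]:
        return self._mapping.get(token)

    def erase(self, token: str) -> bool:
        # Destroying the link: whoever holds only the pseudonymised records can
        # no longer attribute them to the subject.
        return self._mapping.pop(token, None) is not None


def pseudonymise(record: Dict[str, str], custodian: KeyCustodian) -> Dict[str, str]:
    """Return a copy of the record with direct identifiers replaced by a token."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = custodian.token_for(record)
    return out


# Constructed sample record (not real data).
SAMPLE = {"name": "Ana Example", "email": "Ana@Example.test",
          "ip_address": "192.0.2.10", "policy": "renters-basic", "premium": "41.00"}

if __name__ == "__main__":
    custodian = KeyCustodian()
    stored = pseudonymise(SAMPLE, custodian)          # what the data store keeps
    print(stored, custodian.reidentify(stored["subject_token"]))
```

Whoever holds only `stored` can still group records by `subject_token`, but answering an access or erasure request requires the custodian, which is why the key and mapping must stay under the controller's control.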
Things most organizations already do:
- Audit trail, data breach notification protocol, encryption, privacy notices, third party oversight program, and security leader (DPO).
Things that most organizations will struggle with:
- Data portability, consent, right to explanation, data subject access, privacy by design, right to be forgotten, data rectification, and Data Protection Impact Assessments (DPIAs).
Potential challenges of complying with the GDPR
Multi-national companies could find that the new EU regulation conflicts with other non-European laws, regulations and practices. The United States, among other countries, has laws that cover the rights of law enforcement officials to access data pertaining to individuals and to compel third parties to disclose this information to law enforcement officials. Corporations under the constraints of both laws will be between a rock and a hard place. The European Data Protection Authorities will have the ability to fine them for turning things over to the U.S. Government, yet under U.S. law they have no choice but to do so. How this will be resolved is still an open question. It could take international treaties to work out the specifics of what companies in this position should do.
Another big challenge is that companies that have not previously had to implement a comparable level of privacy may require significant changes to their business practices. For example, consider the issue of data portability. The regulation states that a person should be able to transfer their personal data from one electronic processing system into another without being prevented from doing so by the data controller. Both data that has been provided by the data subject and data that has been observed about them, such as their behavior, are within the scope of this. That data must be provided by the controller (i.e., the company holding it) in a structured and commonly used open electronic standard. So a European citizen can say, “I want all the electronic data that you have about me, and I want it turned over to me so that I can turn it over to somebody else.” If the data controller isn’t prepared, or hasn’t come up with a process or technological solution to provide that to the European Union citizen, then the company is going to have to implement something, which will probably take time and effort.
A good resource for additional information is the SANS Institute document: Preparing for Compliance with the General Data Protection Regulation (GDPR), A Technology Guide for Security Practitioners.
Schaufenbuel holds a Juris Doctor degree and a Master of Laws degree from the John Marshall Law School in Chicago. He has a special interest in data privacy issues.