In April 2016 the European Parliament passed the General Data Protection Regulation (GDPR), the most important reform of European legislation on the protection of personal data in the last twenty years. As of 25 May 2018, the same rules will be enforced in all EU member states. Importantly, both EU and non-EU companies and organisations will be directly concerned by the new law from the moment they collect, process, or store personal data belonging to European citizens.
“In case of non-compliance with the GDPR, companies risk facing penalties of up to €20 million or 4% of total global turnover, whichever is greater.”
As a result of digital transformation, personal data leaks are reaching record levels. According to the results from the “2016 Data Breach Investigations Report”, more than 90% of “stolen” data is of a personal nature. Over the past few months, scandals have been hitting the headlines over data breaches that compromise the safety and privacy of customers from targeted companies. In September 2016, Yahoo! reached an all-time record when personal data from 500 million accounts was leaked.
Confronted with these issues, businesses concerned by the new regulation now have less than a year to comply with the GDPR requirements. As well as the high penalties incurred, this new legislation will introduce several new obligations with regard to cybersecurity for IT systems that process personal data.
Businesses and organisations need to be made aware of the regulation, and the specific impacts of the GDPR on securing their IT systems need to be studied. This article offers an expert view on the matter, illustrating the law’s principal provisions.
Ensuring security for processing personal data
A global security obligation
As parties responsible for processing personal data, businesses will have to implement the “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, taking into consideration the risks to the individuals concerned that may result from the “destruction, loss, alteration and unauthorised disclosure of, or access to personal data”. For practical guidance, the text focuses on pseudonymisation, the encryption of the data during its entire lifecycle, and the regular assessment of security measures, such as audits.
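Pseudonymisation is the one measure named above that is easy to get wrong in practice: replacing an identifier with an unkeyed hash looks like pseudonymisation, but anyone who can enumerate plausible inputs can recompute the hashes and re-identify the records. The following Python snippet is an added example, not code from the original article or from any regulator; it uses a keyed HMAC so that the pseudonym cannot be recomputed without the secret key, and includes a self-check that counts how many records a guessing approach would recover. The sample e-mail addresses and the list of plausible inputs are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List

# Constructed sample identifiers standing in for a customer table (not real people).
SAMPLE_EMAILS: List[str] = ["alice@example.org", "bob@example.org", "alice@example.org"]

# Constructed list of identifiers a party without the key could plausibly enumerate.
PLAUSIBLE_INPUTS: List[str] = ["alice@example.org", "bob@example.org", "carol@example.org"]


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone can recompute it from a guessed input."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: without the key the pseudonym cannot be recomputed."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def generate_key() -> bytes:
    """Key material for pseudonymisation; it must be stored separately from the dataset."""
    return secrets.token_bytes(32)


def pseudonymise(values: Iterable[str], key: bytes) -> List[str]:
    """Replace each identifier with its keyed pseudonym. Equal inputs map to equal
    outputs under the same key, so records about one person stay linkable for analysis."""
    return [keyed_pseudonym(v, key) for v in values]


def reidentify_by_guessing(
    pseudonyms: Iterable[str], candidates: Iterable[str], fn: Callable[[str], str]
) -> Dict[str, str]:
    """Self-check used in a risk assessment: recompute fn over guessable inputs and
    report which pseudonyms it reverses. fn is whatever pseudonym function the
    checking party can actually run (with or without the key)."""
    lookup = {fn(c): c for c in candidates}
    return {p: lookup[p] for p in pseudonyms if p in lookup}


def demo() -> dict:
    """Compare unkeyed hashing with keyed pseudonymisation on the sample table."""
    key = generate_key()
    naive = [naive_pseudonym(e) for e in SAMPLE_EMAILS]
    keyed = pseudonymise(SAMPLE_EMAILS, key)
    return {
        # Unkeyed: both distinct addresses are recovered from the plausible-input list.
        "naive_recovered": len(reidentify_by_guessing(naive, PLAUSIBLE_INPUTS, naive_pseudonym)),
        # Keyed, checker has no key: nothing is recovered.
        "keyed_recovered_without_key": len(
            reidentify_by_guessing(keyed, PLAUSIBLE_INPUTS, naive_pseudonym)
        ),
        # Keyed, checker holds the key: re-identification is possible, which is why the
        # key is held apart from the pseudonymised data and access to it is controlled.
        "keyed_recovered_with_key": len(
            reidentify_by_guessing(keyed, PLAUSIBLE_INPUTS, lambda v: keyed_pseudonym(v, key))
        ),
        # Records 0 and 2 belong to the same person and remain linkable.
        "linkable": keyed[0] == keyed[2],
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that pseudonymised data remains personal data under the GDPR as long as the key exists, so the key is the asset to protect: store it outside the dataset, restrict who can call the keyed function, and treat its loss as a security incident in its own right.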
Notification of security breaches
Businesses will have to report any personal data security violation to the relevant national authority within 72 hours. The authority is then responsible for informing the individuals whose personal data has been compromised if the violation jeopardises their rights and freedoms. Such a notification may have important and long-lasting consequences for the company’s reputation.
Shared responsibility for providers
Given the growth of outsourced services and the emergence of the SaaS model, the law introduces the notion of shared responsibility between the data processor and its sub-contractor. The latter is responsible for providing sufficient guarantees with regard to the security of the data entrusted to it, and for notifying the client of any personal data violation.
Ensuring security before data processing
Analysing processing risks
The Privacy Impact Assessment (PIA) is a tool for analysing IT system security risks and the consequences of security breaches for the individuals concerned.
Integrating data protection into IT projects
With accountability in mind, the law foresees two main points:
- “Privacy by Design”, meaning that protecting personal data through technical and organisational measures will have to be accounted for in the initial development stage of any product or service. Quick execution of PIAs will help to minimise security failure risks when launching new projects.
- “Privacy by default”, implying that the Processor must implement, by default, all necessary measures for protecting data with regard to its end purpose.
Necessary steps for becoming GDPR compliant
To assist organisations with compliance and help them demonstrate it, the CNIL (French National Authority for Data Protection) has published a six-step method for securing IT systems and protecting data:
- Adapting internal management processes to GDPR requirements by appointing a Data Protection Officer (DPO). Businesses must ensure that the IT Director and the DPO work efficiently together, by including personal data protection in the company security policy and in the company’s data classification.
- Mapping personal data processing and detecting transmission outside the EU
- Adopting a risk-based approach through integrating data protection, in particular PIA, Privacy by design, and Privacy by default, into the lifecycle and methodology of IT projects
- Controlling IT outsourcing and externalisation operations to ensure that security requirements are fully adopted by service providers
- Implementing suitable internal procedures for the management and notification of security breaches where personal data is compromised
- Keeping documentation up to date to ensure traceability of data and security measures that have been implemented (processing register, PIA, etc.).
The new regulation highlights the European legislator’s intention to standardise, or even increase, the level of data security within the European Union, and to adapt it to advances in new technologies as well as digital transformation.