Data protection and privacy regulations are now familiar in Europe, given the wide range of organisations and individuals that they apply to. Even if you’re not in Europe, it makes sense to understand GDPR: similar laws apply in California (CCPA), and other countries (e.g. Brazil – General Data Privacy Law) tend to use GDPR as a model for their own upcoming privacy regulations. On top of this, the EU requires companies in non-EU locations to observe GDPR if they handle EU citizens’ data.
The entire document is composed of 99 articles, but the most relevant ones are as follows:
- Article 5: Personal data should only be collected for good reason, in a transparent fashion, and for no longer than necessary. The data should be protected against “unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. The controller must be able to demonstrate compliance with Article 5.
- Article 6: Sets out the conditions under which the processing of personal data is considered lawful.
- Articles 15-17: Cover the rights of data subjects to access, rectify or erase their data (the ‘right to be forgotten’).
- Articles 25 and 32: The Data Controller should “implement appropriate technical and organisational measures” to protect the data – sometimes described as ‘privacy by design’.
- Article 30: Sets out the records that must be maintained about processing activities.
- Article 33: The Data Controller must notify any personal data breach to the relevant regulatory authority (in the UK this is the ICO) within 72 hours of becoming aware of it.
- Article 34: The subject(s) of the breach must be notified ‘without undue delay’. This obligation can be avoided if it can be shown that the breached data was encrypted.
- Article 35: Refers to the DPIA (Data Protection Impact Assessment). You don’t necessarily have to do a DPIA – there’s a checklist on the ICO website to help you decide whether you need one.
- Article 44: Covers data transfers to third party countries.
- Article 83: The potential fines are set out here, and they are significant: There are two levels of fine, depending on the type of failure. Level 1 is the greater of €10M or 2% of turnover during the previous year; Level 2 is the greater of €20M or 4% of annual turnover. British Airways has been threatened with a fine of £183M – which is actually reasonably generous of the ICO, given that this represents ‘just’ 1.5% of their turnover.
GDPR implies a range of responsibilities for data controllers and processors in terms of information security, legal paperwork, training, assessments and so on. There are some great vendor solutions that help organisations to manage the GDPR compliance process, such as TrustArc and KnowBe4. Most aspects of information security are, almost by definition, relevant to the technical requirements, but particularly relevant are data discovery, DLP and, if the worst comes to the worst and malware infiltrates the network with intent to steal data, network segmentation and encryption.