Step up Your GDPR Compliance Program
Published 01/12/2022
This blog was originally published by CAS Assurance here.
Overview
The General Data Protection Regulation (GDPR) lays down rules relating to the protection of natural persons regarding the processing of personal data and rules relating to the free movement of personal data. The GDPR protects fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data. This Regulation applies to:
- the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
- the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union (EU), regardless of whether the processing takes place in the Union or not.
- the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or
- the monitoring of their behavior as far as their behavior takes place within the EU.
The GDPR is considered an extraterritorial regulation and is inclusive of data stored offshore from the EU. Potential fines for violation are up to four percent of organization’s worldwide gross sales based upon last year’s financial statements, with a limit of €20 million.
Classifications of Data:
Under the GDPR, data is classified into:
- Personal Data – any information relating to an identified or identifiable natural person (data subject).
- Sensitive Data – This is also called special categories of personal data, the processing of which could create significant risks to data subject’s fundamental rights and freedoms. GDPR prohibits (with certain exceptions) the processing of sensitive data revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, the processing of genetic data; or data concerning health or sex life, or criminal convictions and offenses or related security measures.
What Does Processing Mean?
As defined by the regulation, processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Protecting Personal Data is a Big Deal.
A survey coordinated by the European Commission, Directorate-General for Communication in 2016 reveals how much people care about the protection of personal data. Survey result from over 26,000 respondents showed that:
- 92% wants the confidentiality of their emails and online instant messaging to be guaranteed
- 90% wants the encryption of their messages and calls to assure confidentiality
- 89% wants the default settings of their browser to stop the sharing of their information
- 82% wants online activities monitoring tools (e.g., cookies) to be used in monitoring their activities only with their permission.
Together, the expectation of data subject, far reaching regulation such as the GDPR, and the emerging best practices create a compelling driver for organizations to take personal data protection seriously. The GDPR secures a broad range of specific rights for data subject, which include:
- Right of access
- Right of rectification
- Right of erasure (right to be forgotten)
- Right to restriction of processing
- Right to notification regarding rectification, erasure, or restriction of processing of personal data
- Right to data portability
- Right to object
- Right not to be subject to a decision based solely on automated processing, including profiling
- Right to lodge a complaint with a supervisory authority
- Right to an effective judicial remedy against a supervisory authority
- Right to an effective judicial remedy against a controller or processor
- Right to compensation for the damage suffered
Pathway to Compliance
Supporting most of the data subject rights under the GDPR requires a combination of technical functions and well-defined organizational measures and processes. Achieving GDPR compliance is a journey that needs to be well-planned in terms of approach, strategy, and resources. The compliance journey will have to be carried out in phases: Preliminary phase and Implementation phase.
1. Preliminary Phase:
In this phase of the journey, you will need to:
- Secure senior management support, identify and involve key stakeholders in each affected business unit, assign responsibilities, and appoint a Data Protection Officer if required based on the nature and scale of your processing.
- Identify, analyze, classify, and inventory personal data held across the organization.
- Document current processing activities to cover relevant details in Article 30 of the GDPR, including purpose of processing, types of processing, categories of data subject, and categories of personal data.
- Identify and document existing process and controls for:
- Communicating privacy policy, data protection policies, and data subject rights
- Assuring that personal data is processed lawfully (lawful basis), including obtaining data subject consent
- Assuring that personal data is adequate, accurate, limited to what is necessary for the intended purpose, and only stored for as long as necessary for the purpose
- Protecting personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage throughout data lifecycle
- Data subject access, rectification, erasure, restriction, and transfer requests
- International data transfers
- Data breach detection, investigation, and reporting, including sending notifications to Supervisory Authority and data subjects
- Governance practices
- Perform Data Protection Impact Assessment (DPIA)
- Determine compliance approach (whether it would be fully compliant, targeted enclave, reduced functionality, or hybrid approach). Here are the differences in the approaches:
- Fully Compliant Approach (FCA): The goal of this approach is to ensure the IT infrastructure and associated processes across the organization are fully compliant with GDPR protection requirements and allows for cost-effective execution of data subject rights upon demand.
- Targeted Enclave Approach (TEA): This approach involves the creation of GDPR compliant enclaves or bounded areas within the larger organizational IT infrastructure. Access to the GDPR enclaves is restricted to a subset of staff with explicit need to access the data, and information systems within the enclaves are designed to easily implement functions to support exercise of data subject rights.
- Reduced Functionality Approach (RFA): This approach involves reducing data with GDPR requirements in the organization’s environment or stopping to perform operations that require the use of data covered by the GDPR. For this approach, the value of processing GDPR-covered data would be weighed against the costs of GDPR compliance.
- Hybrid Approach (HA): In most realistic circumstances, a fully compliant approach may be too impractical or too expensive to employ across the entire IT infrastructure. A combination of the TEA and RFA may therefore become the most expedient strategy.
Your will need to assess your organization's unique data scenario to determine the most cost-effective and lowest-risk approach to employ for GDPR compliance. Upon the selection of the most expedient approach, you move on to the Implementation phase.
2. Implementation Phase:
This phase focuses largely on identifying and closing gaps between the current status and the target GDPR compliant state. You will need to:
- Identify and close gaps related to documentation requirements for:
- Communicating privacy policy and data subject’s rights
- Data subject consent
- Purposes (basis) of collection and processing
- Procedures related to processing activities
- Implemented technical and organization measures for protecting personal data and for ensuring compliance with the regulation
- Identify and close gaps related to implementation of safeguards for protecting personal data
- Identify training gaps and implement employee training programs to close identified gaps
- Identify and close gaps related to governance practices to maintain ongoing GDPR compliant status
Helpful Resources
Without leveraging available relevant resources, to determine, implement, and document technical and organization measures for protecting personal data in compliance with the GDPR requirements may be daunting. Articles 40 and 42 of the GDPR allow a Controller or Processor to leverage adherence to an approved Code of Conduct and data protection certification administered by an approved authority to facilitate and demonstrate compliance with the GDPR.
The Cloud Security Alliance (CSA) has developed a Code of Conduct (CoC) and Code of Practice (CoP) Template (awaiting necessary approval) for privacy and data protection transparency, assurance, and compliance. The CSA CoC identifies all relevant GDPR provisions which Cloud Service Providers (CSPs) must comply with when handling personal data. The CoC goes beyond the GDPR’s requirements and provides a higher standard for adhering CSPs’ data protection practices. Combining adherence to the CSA CoC for GDPR Compliance with the CSA Cloud Control Matrix (CCM) and ISO 27001 or SOC 2 STAR certification (or attestation) should provide the needed help envisioned by article 40 and 42 for GDPR compliance.
About the Author
CAS Assurance LLC is a CPA firm that, among other services, provides professional assistance in navigating and achieving self-assessment or third party attestation for listing in the CSA STAR Registry.
Related Articles:
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024
5 Big Cybersecurity Laws You Need to Know About Ahead of 2025
Published: 11/20/2024
Managing AI Risk: Three Essential Frameworks to Secure Your AI Systems
Published: 11/19/2024