The European Union's General Data Protection Regulation comes into full force in May 2018. As such, anyone doing business with an individual within the EU needs to comply with the rules of the regulation.
Although most countries have had data protection rules for many years, GDPR personal data requirements introduce new protections that focus on the rights of the person and address the changes in technology used to identify the individual.
Why are the changes needed?
Since original data protection legislation was introduced, many more individuals conduct their daily business online. When the U.K. Data Protection Act launched in July 1998, for example, Google hadn't been founded. There was no Facebook or Twitter, and most people didn't own mobile phones. Today, businesses can track someone using techniques that don't have to include the most obvious identifiable data, such as name, address or a photograph.
With much of the world's business conducted digitally, the risk to an individual caused by the leak of personal data, either accidentally or through negligence, is much more significant than it has ever been. As a result, the new GDPR legislation focuses more on the rights of the person than the organization holding the data.
What new rules have been introduced?
GDPR implementation extends the definition of the type of information that can be classified as usable for personal identification. Now, biometric data, International Mobile Equipment Identity, SIM card IDs and IP addresses all count toward personally identifiable information. With so much data being collected, many organizations use algorithms to automatically make business decisions affecting the individual. In the future, under Article 22 of GDPR, the individual will have the right to challenge the decisions made in automated processing. As a result, businesses will have to focus on explaining how data will be processed as well as obtaining consent to store the information.
Article 17 further strengthens the hand of the individual, with the idea of the "right to be forgotten." Unless a business can show good reason why data on an individual should be retained, the customer can request the erasure of that information. Noncompliance with GDPR personal data rules will result in greater penalties in the future. Failure to report a data breach to the local GDPR supervisory authority within 72 hours can result in a fine of up to 10 million Euros or 2% of global turnover. Negligent or intentional violation of GDPR may result in fines of up to 20 million Euros or 4% of turnover. So the stakes are high. Businesses simply can't afford to assume they can ignore the legislation and pay a small fine.
What do I need to do?
Doing nothing is not an option; however, be aware that there is no official GDPR personal data compliance certification. This means businesses need to show that they are working to meet the terms of GDPR, but there's no magic process or software that will do the work for you. The following steps should form part of your GDPR personal data planning.
Know your data. This may seem obvious, but having a view of where information exists within an organization is harder than it ever used to be. Data can exist across multiple data centers, on mobile devices or in the public cloud. The first step is being able to demonstrate that all personal data is identifiable, backed up and properly secured. From a data protection and archiving perspective, this means having rules in place for data retention that are defined and agreed upon with business owners.
Identify the individual. This is where things may become more complex. In large organizations, data on a single individual could exist in multiple systems, databases and applications. Here, working with the business is essential to understand exactly what is being used and where.
- Is data encrypted in flight and at rest?
- Media handling: Are physical disk drives under a destruction policy? For media that leaves the site, can I track and audit the movement to an off-site location? If the media were lost, could I easily identify what was on it?
- Are my backups sufficient to counter attacks from ransomware and malware?
- Could I easily identify when a ransomware attack has occurred, for example, by seeing a higher rate of change in backup data?
- Do I have the ability to audit data access, including provisioning and when data restores are performed?
One recurring issue is how to implement the right to be forgotten. If data is stored within backups and a user is deleted, restoring from an old backup risks bringing that user back into the application. Consequently, the business owner needs to be aware of which point-in-time data restores are occurring in case post-processing of the restore is needed. Deleting individual records from a backup is simply impractical and unlikely to be enforced by the GDPR authorities.
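One way to do the post-processing described above is to keep an erasure ledger of fulfilled right-to-be-forgotten requests and replay every erasure newer than the restored backup. This is an added example, not code from the original article; the ledger, the `RestoredStore` stand-in and the customer ids are hypothetical.

```python
# Added example (not from the article): replaying right-to-be-forgotten
# erasures after a point-in-time restore. Assumes a hypothetical application
# that keeps an erasure ledger of fulfilled requests, keyed by subject id.
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ErasureRecord:
    subject_id: str
    erased_at: datetime  # when the erasure was fulfilled in production


@dataclass
class RestoredStore:
    """Minimal stand-in for the application database after a restore."""
    backup_taken_at: datetime
    customers: dict = field(default_factory=dict)  # subject_id -> record


def erasures_to_replay(ledger, backup_taken_at):
    """Erasures fulfilled after the backup was taken are not reflected in it,
    so restoring that backup would resurrect those subjects."""
    return [e for e in ledger if e.erased_at > backup_taken_at]


def post_restore_erasure(store, ledger):
    """Replay pending erasures against the restored store; return removed ids."""
    removed = []
    for rec in erasures_to_replay(ledger, store.backup_taken_at):
        if store.customers.pop(rec.subject_id, None) is not None:
            removed.append(rec.subject_id)
    return sorted(removed)


def demo():
    # Constructed sample data: a backup taken 1 March 2018 and a ledger with one
    # erasure fulfilled before that date and two fulfilled after it.
    utc = timezone.utc
    ledger = [
        ErasureRecord("cust-0042", datetime(2018, 2, 20, tzinfo=utc)),
        ErasureRecord("cust-0107", datetime(2018, 3, 3, tzinfo=utc)),
        ErasureRecord("cust-0311", datetime(2018, 3, 9, tzinfo=utc)),
    ]
    store = RestoredStore(datetime(2018, 3, 1, tzinfo=utc),
                          {"cust-0107": {}, "cust-0311": {}, "cust-0500": {}})
    return post_restore_erasure(store, ledger), sorted(store.customers)


if __name__ == "__main__":
    print(demo())  # (['cust-0107', 'cust-0311'], ['cust-0500'])
```

The ledger itself holds only the subject identifier and a timestamp, so it can be retained after the personal data is gone without undermining the erasure.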
In summary, GDPR is a strengthening of existing legislation. The focus changes to the individual, with more data being included under regulation and more rights to have data deleted if requested. GDPR implementation is about people and process more than technology. Review how you manage data and be prepared to demonstrate your processes are robust and stand up to scrutiny.