
EU General Data Protection Regulation – A Compliance Guide

December 2016

Protect ● Comply ● Thrive


IT Governance Green Paper

Getting ready for GDPR compliance


The introduction of the European General Data Protection Regulation (GDPR) heralds the most significant change to data protection law in the EU, and globally, in recent years. In this green paper, we give an overview of the key changes presented by the Regulation, and the critical areas to be aware of when preparing for compliance.

Introduction

The EU General Data Protection Regulation (GDPR) was adopted in April 2016 and will take effect across the European Union (EU) on 25 May 2018, when it supersedes the 28 current national data protection laws based on the 1995 Data Protection Directive (DPD).

Introduced to keep pace with the modern digital landscape, the purpose of the new Regulation is twofold:

1. to improve consumer confidence in organisations that hold and process their personal data by reinforcing their privacy and security rights consistently across the EU, and
2. to simplify the free flow of personal data in the EU through a coherent and consistent data protection framework across the member states.

The new Regulation does not fundamentally change any of the core rules in the DPD; it instead extends the Directive’s requirements significantly by introducing a range of new obligations to support those core rules. These additional obligations will be familiar in some member states. For example, Germany already imposes an obligation to appoint data protection officers, has the concept of pseudonymised data and has extensive requirements for processors’ contracts. In other member states, these obligations will be very new.

A matter of urgency

Every organisation that processes or shares personal data now has less than 18 months to comply with the new Regulation. This involves organisations understanding what personal data they currently hold or process and the risks to that data, adapting their business processes and infrastructure, implementing tools and compliance processes, and changing the way they collaborate with suppliers. In some instances, those changes could be significant and work will need to start as a matter of urgency. Bear in mind that every organisation in the EU is simultaneously faced with the same timetable, and that skilled compliance resources are already in short supply.

Regulatory compliance may be viewed by many as an administrative burden. However, ignoring the GDPR or getting it wrong could have costly repercussions: organisations found to be in breach of the Regulation face administrative fines of up to 4% of their annual global turnover or €20 million – whichever is greater.

Organisations that take the time to properly prepare for and comply with the new Regulation will not only avoid significant fines and reputational damage, but will also find that their data handling, information security, compliance processes and contractual relationships are more robust and reliable.

© IT Governance Ltd 2016 2 EU GDPR – A Compliance Guide



Key changes

GLOSSARY

Data controller (organisation) means “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.

Data subject (individual) means an identifiable natural person “who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier”.

Personal data means “any information relating to an identified or identifiable natural person (‘data subject’)”. The Regulation states this also includes online identifiers such as IP addresses and cookies.

Data processor (service providers) means “a person, public authority, agency or other body which processes personal data on behalf of the controller”. An example is a Cloud provider that offers data storage.

1. Scope of the new law

Harmonisation – only one law

There are currently 28 different sets of data protection laws across the European Union. The GDPR will replace these with a pan-European regulatory framework effective from 25 May 2018. As a Regulation, it is directly effective in all member states without the need for further national legislation.

For organisations that operate across multiple member states, this harmonisation is welcome. However, some national divergences are likely to remain and further divergences may arise because member states have limited rights to amend some of the obligations under the Regulation:

• Employment – member states can introduce further restrictions on the processing of employee data.
• National security – member states can pass laws to limit rights under the Regulation in areas such as national security, crime and judicial proceedings.

Although the Regulation has been published, there is still uncertainty about what some of the provisions mean or how they should be applied. Different social and cultural attitudes to data protection will influence their interpretation, and what is regarded as “high risk” in Berlin may not also be regarded as “high risk” in Rome. Finally, differences in the resources and attitudes of supervisory authorities may result in wide variations in enforcement. There is a wide discrepancy between the theoretical powers open to national regulatory authorities and the application of those powers in practice.

Issues of this sort will be resolved in the normal course of regulatory business. Organisations still face the 25 May 2018 compliance deadline.

Expanded territorial reach

The GDPR applies to all EU organisations – whether commercial business or public authority – that collect, store or process the personal data of EU individuals.

Organisations based outside the EU that monitor or offer goods and services to individuals in the EU will have to observe the new European rules and adhere to the same level of protection of personal data. The Regulation also requires such organisations – controllers and processors – to appoint an EU representative based in one of the member states in which the relevant individuals are based. This is unless the processing is occasional and does not include large-scale processing of special categories of data or processing of data relating to criminal convictions and offences.

Single scheme “one-stop shop”

A new one-stop shop provision means that organisations will only have to deal with a single supervisory authority, not one for each of the EU’s 28 member states, making it simpler and cheaper for companies to do




business in the EU. An organisation that carries out cross-border processing should be primarily regulated by the supervisory authority in which it has its main establishment (the lead supervisory authority).

Obligations on processors

The Regulation also introduces obligations on data processors. These are service providers that process personal data on behalf of organisations but do not determine the purpose or means of the processing, such as call centres.

Where a controller contracts a processor to process personal data, that processor must be able to provide “sufficient guarantees to implement appropriate technical and organisational measures” to ensure that processing will comply with the GDPR and that data subjects’ rights are protected. This requirement flows down the supply chain, so a processor cannot subcontract work to a second processor without the controller’s explicit authorisation.

Contractual arrangements will need to be updated, and stipulating responsibilities and liabilities between the controller and processor will be imperative in future agreements. Parties will need to document their data responsibilities even more clearly and the increased risk levels may impact service costs.

2. Individuals’ data rights

Core rules remain the same

Many of the core definitions from the DPD remain largely unchanged. In particular, the Regulation retains the very broad definition of personal data and processing, and organisations must comply with all six general principles when processing personal data. Some important new concepts are “high risk to individuals”, “large scale processing” and “pseudonymised data” (data from which no individuals can be identified without the use of additional information).

Consent

The Regulation imposes stricter requirements on obtaining valid consent from individuals to justify the processing of their personal data. Consent must be a “freely given, specific, informed and unambiguous indication of the individual’s wishes”. Silence, pre-ticked boxes or inactivity do not count as consent. The organisation must also keep records so it can demonstrate that consent has been given by the relevant individual. Finally, consent must be explicit when processing sensitive personal data, or transferring personal data outside the EU.

Additional protection for children

Consent from a child in relation to online services is, under the new Regulation, only valid if authorised by a parent. A child is someone below the age of 16, though member states can reduce this age to 13.

New data access rights

One of the key aims of the Regulation is to empower individuals and give them control over their personal data. While the Regulation largely preserves the existing rights of individuals to access their own personal data, require rectification of inaccurate data, object to direct marketing, and challenge automated decisions about them, it also confers significant additional new rights for individuals.

• Right to be forgotten
Individuals have a new right to require the data controller to erase all personal data held about them in certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected. There are a number of exemptions to this right, for example in relation to freedom of expression and compliance with legal obligations. It is likely that the limits of this right will be fought over in EU law courts for many years.

• Right to data portability
This is a new concept under the Regulation. Individuals will have the right to transfer personal data from one data controller to another where




processing is based on consent or necessity for the performance of a contract, or where processing is carried out by automated means.

Profiling

Data controllers must inform data subjects of the existence and consequences of any profiling activities that they carry out (including online tracking and behavioural advertising).

Organisations that collect and use personal data will need to put in place more robust privacy notices than have previously been required, providing more information in a more prescribed manner. This will involve a large-scale review of all privacy notices.

3. Data protection

Data protection by design

The Regulation cannot be satisfied with ‘tick-box’ compliance; compliance must become part of ‘business as usual’. The key to accountability is to embed compliance into the fabric of your organisation. This includes not just developing appropriate policies but also applying the principles of data protection by design and by default.

Specifically, organisations must take appropriate technical and organisational measures before data processing begins to ensure that it meets the requirements of the Regulation. Data privacy risks must be properly assessed, and controllers may use adherence to approved codes of conduct or management system certifications, such as ISO 27001, to demonstrate their compliance.

Data protection impact assessment (DPIA)

Data protection must now be designed into processing systems by default and a DPIA is now mandatory in certain circumstances. Good practice for new technologies and processes is to assess whether processing has a “high risk” of prejudicing data subjects’ rights, and whether this risk can be reduced or avoided, for example by pseudonymisation. A DPIA shall “in particular” be required where there is automatic processing (including filing) and processing of special categories of data on a large scale.

Compliance standards

The GDPR encourages the adoption of certification schemes as a means to demonstrate compliance. Compliance with the international information security standard ISO 27001 – the only independent, internationally recognised data security standard – will help organisations demonstrate that they have endeavoured to comply with the data security requirements of the GDPR. Implementing ISO 27001 involves building a holistic framework of processes, people and technologies in order to secure information.

Records of data processing

The Regulation now places the onus on organisations and data processors to keep their own records of data processing activities and make these available to the supervisory authority on request. This record needs to contain a specific set of information so that it is clear what, where, how and why data is processed. Small businesses employing fewer than 250 employees are exempt from these record-keeping requirements unless their processing activities involve a risk to the rights and freedoms of data subjects, are not occasional, or include special categories of personal data or data relating to criminal convictions or offences.

4. Accountability

Data protection officer

Many organisations will be required to appoint a data protection officer (DPO) to be responsible for monitoring compliance with the Regulation, providing information and advice, and liaising with the supervisory authority. They are an existing feature of some member states’ data protection laws, such as Germany.




A DPO must be appointed where:

• the processing is carried out by a public authority;
• the organisation’s core activities require regular and systematic monitoring of data subjects on a large scale; or
• the organisation’s core activities consist of the large-scale processing of special categories of data and data relating to criminal convictions and offences.

In most organisations, it will be good practice to appoint a DPO anyway. The GDPR obligations are such that having readily available advice and support from a data protection specialist will be an essential risk management step, in the same way that organisations now appoint HR or health and safety managers.

The DPO, where appointed, must be independent. This does not mean you have to appoint an external person; the DPO role can be fulfilled by an employee. The post can be a part-time role or combined with other duties, but, in performing the role, the DPO must have an independent reporting line and be empowered to report directly to the board without interference. What is important is that the appointed person must be a data protection professional with “expert knowledge of data protection law and practices” to perform their duties.

• What qualification does the data protection officer need?
The data protection officer must have the right professional qualities and knowledge of data protection law. There is currently no express requirement to hold any particular qualification or certification. However, obtaining training and qualifications in GDPR compliance would be an effective way to demonstrate expert knowledge. The IBITGQ ISO 17024-accredited EU GDPR Practitioner (EU GDPR P) is one such qualification.

Data breach notification and penalties

The increase in high-profile cyber attacks is reflected in the enhanced data security obligations in the Regulation and the parallel obligations in the Network and Information Security Directive.

It will be mandatory for an organisation to report any data breach to its supervisory authority within 72 hours of becoming aware of it. If that requirement is not met, the eventual report must be accompanied by an explanation for the delay. The notification must include specific information, including a description of the measures being taken to address the breach and mitigate its possible side effects.

Where the breach may result in a high risk to the rights and freedoms of individuals, the individuals themselves must be contacted “without undue delay”. This contact will not be necessary if appropriate protective measures – essentially encryption – are in place to eliminate danger to data subjects.

Any infringements of the new Regulation are subject to a tiered financial penalty regime with fines of up to 4% of annual global turnover or €20 million, whichever is the greater. In determining the level of the fine, the supervisory authority must consider a range of factors including the gravity of the breach, whether the breach was intentional or the result of negligence, and any steps taken to mitigate the breach. Additionally, individuals can sue organisations for compensation to cover both material and non-material damage (e.g. distress).

Given the magnitude of potential fines, the rights of individuals to bring cases and claim compensation, and the prevalence and effectiveness of cyber crime, the risk of a data breach should go straight onto the board’s risk register, with compliance high on senior management’s agenda.




5. Data transfers outside the EU

The Regulation prohibits the transfer of personal data outside the EU to a third country that does not have adequate data protection. The European Commission has the power to approve particular countries as providing an adequate level of data protection, taking into consideration the data protection laws in force in that country and its international commitments. At present this list is Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

For data transfers to any country not on the list, there must be a legal contract that stipulates that the non-EU recipient agrees to the data protection safeguards required. The Regulation explicitly recognises and promotes the use of binding corporate rules as a valid data transfer mechanism within groups of companies. Approved codes of conduct can also be used for data transfers.

Preparing for GDPR compliance

There are clearly a number of key critical areas to observe in your approach to ensure GDPR compliance. Plenty of obligations can be resolved fairly simply and quickly. Others, particularly in large or complex organisations, could have significant budgetary, IT, personnel, governance and communications implications. Ensuring buy-in from senior management and key stakeholders in your organisation will be critical to meeting your obligations.

An important next step will, for most organisations, be to gain clarity on their personal data processing, and includes identifying:

• What personal data is held across the organisation
• What permissions have been obtained for that data
• What processes and systems are in place for handling personal data
• Where personal data is transferred outside the organisation (including third parties and cross-border)
• How personal data is secured throughout its lifecycle

With an understanding of the compliance gaps, organisations will be in a position to assess their personal data risks and develop an appropriate remediation plan.

The time to start planning for GDPR compliance is now.

How we can help

A leading global authority on data protection, IT Governance helps organisations address the challenges of GDPR compliance with a comprehensive suite of information resources, solutions and advisory services.

GDPR compliance solutions and services

• GDPR bookshop (information resources): EU GDPR – A Pocket Guide; EU GDPR – An Implementation and Compliance Guide
• GDPR training courses (education): Certified EU General Data Protection Regulation Foundation; Certified EU General Data Protection Regulation Practitioner; available as classroom, Live Online and distance learning
• GDPR toolkits (productivity tools): EU GDPR Documentation Toolkit
• GDPR transition services (advice and consultancy): Data Flow Audit; GDPR Gap Analysis; GDPR Transition
• Information security management system (certification): ISO 27001 certification




About the author


Alan Calder is an acknowledged international cyber security guru and a leading author on
information security and IT governance issues. He is also chief executive of IT Governance
Limited, the single-source provider for products and services in the IT governance, risk
management and compliance sector.
Alan wrote the definitive compliance guide, IT Governance: An International Guide to Data
Security and ISO 27001/ISO 27002 (co-written with Steve Watkins), which is the basis for the
UK Open University’s postgraduate course on information security. This work draws on his
experience of leading the world’s first successful implementation of BS 7799 (now ISO 27001).
Alan is a frequent media commentator on information security and IT governance issues, and
has contributed articles and expert comment to a wide range of trade, national and online
news outlets.

GDPR compliance products and services


Books
• EU GDPR: A Pocket Guide
The perfect introduction to the principles of data privacy and the GDPR, this concise
guide is essential reading for anyone wanting an overview on the new compliance
obligations for handling the personal data of EU residents. The guide is also available in
French, German, Italian and Spanish.

• EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide
This clear and comprehensive guide provides detailed commentary on the GDPR and
practical implementation advice on the compliancy measures needed for your data
protection and information security regimes.

Training courses
• Certified EU GDPR Foundation training course
This one-day course will offer a solid introduction to the European General Data
Protection Regulation and provide a practical understanding of the implications and
legal requirements of the Regulation, culminating in an official certification from the
International Board of IT Governance Qualifications (IBITGQ).




• Certified EU GDPR Practitioner training course
This comprehensive training course prepares individuals who are seeking to embed
their knowledge of the EU GDPR in order to serve as their organisation’s data protection
officer (DPO). The course will cover aspects of the Regulation in depth, including
implementation requirements, the necessary policies and processes, as well as
recognised data security risk analysis methods.

Documentation toolkits
• EU GDPR Documentation Toolkit
A full set of policies and procedures enabling your organisation to comply with the EU
GDPR. These digital templates are fully customisable and significantly reduce the
burden of developing the necessary documents to achieve legal compliance.

Advice and consultancy
• GDPR data flow audit
For this essential first step in the preparation process, our privacy experts provide a
data inventory and flow map of the personal data held and shared by your organisation.
This forms the basis for assessing the information privacy and security risks in your
organisation.
• GDPR Gap Analysis
Delivering a targeted assessment of your compliance with the GDPR, our privacy
experts provide a detailed assessment of your readiness, key gaps and risks, and a
remediation roadmap.

Certification
• Information security management system: ISO 27001
Internationally recognised as an effective way to demonstrate that “appropriate
technical and organisational measures have been implemented” to meet GDPR
requirements, our leading ISO 27001 implementation specialists will help your
organisation achieve certification.
Contact IT Governance for assistance at [email protected]




IT Governance Solutions
IT Governance sources, creates and delivers products and services to meet the evolving IT
governance needs of today's organisations, directors, managers and practitioners.
IT Governance is your one-stop shop for corporate and IT governance information, books,
tools, training and consultancy. Our products and services are unique in that all elements are
designed to work harmoniously together so you can either benefit from them individually or
combine different elements to build something bigger and better.
Our Protect - Comply - Thrive approach is aimed at helping your organisation achieve
resilience in the face of constant change.


Contact us: + 44 (0)845 070 1750


www.itgovernance.eu [email protected]

