What is GDPR?
How is it Different than the EU Data Protection Directive?
GDPR (General Data Protection Regulation) is the legal framework in the EU and the UK that replaced the previous EU Data Protection Directive in 2018. The most significant difference between the two is the difference between a regulation and a directive.
A regulation is law and is legally binding, whereas a directive is a recommendation and is not legally binding. This means that GDPR is a law that must be followed by all European member states.
Alternatively, this distinction can be explained as a regulation being a single set of rules that must be obeyed, while a directive is a set of rules that leaves room for interpretation.
While the previous EU Data Protection Directive did not define data breaches, GDPR includes this very broad definition, stating a data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to, personal data transmitted, stored or otherwise processed.”
The definitions of a data breach and personal data matter, as they mean many different events or activities could qualify as violations of GDPR. Personal data is defined as “any information relating to an identified or identifiable person – not just data that could be used for fraud or identity theft.”
What is the purpose of GDPR?
GDPR is intended to protect personal data and how organizations process, store, and ultimately destroy it when the data is no longer required. The law gives individuals control of how companies can use information that is directly relatable to them personally and provides eight specific rights.
It also lays down very strict rules governing what happens if access to personal data is breached and the consequences (fines) organizations will suffer.
How Does the GDPR Define “Personal Data”?
When it comes to data protection, the GDPR regulations are the strictest in the world and cover the term “personal data” with a very broad brush to encompass virtually any information that can possibly identify an individual. GDPR can be applied in many ways, including examples such as the following and more:
Direct/Indirect Indentification
If the subject can be directly/indirectly identified by name, identification number, address, online profile, or any unique physical, genetic, mental, commercial, or cultural characteristic
Assigned Data
By any data assigned to an individual such as a phone number, license plate number, customer ID, credit card number, etc.
IP Address
IP addresses if turned over by an organization’s controller by request
For GDPR compliance it is best to keep the phrase “any information” top of mind. Assume and act as if personal data is an identifying factor in how you deal with and protect any of it in your possession. As an example of how broadly the GDPR can be interpreted, the European Court of Justice even includes less obvious information in its interpretation. If an individual could even be identified by recorded information on such things as start and stop times for work, or answers to a test and remarks from a test examiner, this too can fall under the GDPR umbrella.
GDPR also includes subjective information in its definition of personal data. So that can include situations such as work performance reviews, estimations of creditworthiness by a lender, and other judgements.
GDPR also applies levels of protection, subjecting sensitive personal data such as genetic, health, racial, ethnic origins, political opinions and religious affiliations, trade union memberships, etc., to an even higher standard of protection.
Who Does GDPR Apply to?
The personal data covered by GDPR starts with any data assigned to a natural person at birth, covers all identifiable data for that person throughout their lifetime, and ends at that individual’s death. It does not, however, apply to organizations, businesses, or institutions, etc.
Organizations that store or process personal information about EU residents are obligated to comply with the GDPR, even if located outside the EU.
Remember, the regulation defines personal data as “any information relating to an identified or identifiable natural person/individual.”
GDPR’s impact on IT staff can’t be minimized. Controllers, data protection officers, processors, and others all play a role in facilitating and enforcing GDPR compliance. As a refresher on roles associated with GDPR compliance:
Controller
A controller alone, or jointly with others, determines how and why personal data is processed. This role is similar to but expanded from the previous data controller role under the old EU Data Protection Directives. Legally the controller has ultimate responsibility to ensure processors follow the rules.
Processor
A processor is defined as any person who processes data on behalf of the data controller. Examples include third-party companies, such as marketing firms and cloud hosting companies.
Data Protection Officer
A data protection officer (DPO) may need to be designated as the leading authority on GDPR compliance within the organization. Briefly, a DPO is required when processing of data is carried out by a public authority or body, or where data is processed in a regular and systematic method on a large scale, or when large scale processing of specialized data such as criminal convictions is undertaken.
Controllers, Processors or Organizations Outside the EU
Controllers, processors or organizations outside the EU but offering services or goods in the EU or processing identifying data of EU citizens will also need to be compliant with GDPR
The 8 Rights of GDPR
Right to Be Informed
Before data is collected, a data subject has the right to know how it will be collected, processed, and stored, and for what purposes.
Right to Access
After data is collected, a data subject has the right to know how it has been collected, processed, and stored, what data exists, and for what purposes.
Right to Correction (Rectification)
A data subject has the right to have incorrect or incomplete data corrected.
Right to Erasure (Right to Be Forgotten)
A data subject has the right to have personal data permanently deleted.
Right to Restriction of Processing
A data subject has the right to block or suppress personal data being processed or used.
Right to Data Portability
A data subject has the right to move, copy, or transfer personal data from one data controller to another, in a safe and secure way, in a commonly used and machine-readable format. Wherever technically possible, this also includes the right to have the data transferred directly from one controller to another without the data subject having to handle the data
Right to Object to Processing
A data subject has the right to object to being subject to public authorities or companies processing their data without explicit consent. They also have the right to stop personal data from being included in direct marketing databases.
Right to Not Be Subject to Automated Decision Making
A data subject has the right to demand human intervention, rather than having important decisions made solely by algorithm.
GDPR Compliance Checklist
GDPR is a heavy lift indeed. Using this checklist can get you started in terms of what you need for compliance. Note: The information below is general in scope and is not considered legal advice. You should connect with an attorney specializing in GDPR compliance for your organization’s situation.
Assess Your Data
- Start with an audit of information you currently process, including details on who can access it.
- Be sure you have legal justification for gathering this data
- Detail your processing and legal justification in your data privacy policy
Secure Your Data
- Employ encryption protocols and other methods of ensuring anonymity of personal data where possible
- Craft a data security policy and ensure employees are trained on it. Review your policy regularly and enforce the specifics contained within it.
- Ensure you have an incident response plan in place to report breaches, mitigate issues, and remediate to avoid future similar incidents
Oversee Your Data
- Select an individual to be responsible for ensuring GDPR compliance is carried out enterprise-wide
- Be sure to draft and sign an agreement for data processing with any third parties processing data for your organization
- If you operate outside the EU, a representative should be appointed from within the EU
- If necessary, you may wish to appoint a Data Protection Officer
Data Privacy Considerations
- Be sure it’s easy to have personal data deleted if requested by individuals
- Make it easy for customers to stop processing data, if asked to do so
- Ensure customers can get personal data you have on them in a format that’s easy to be transferred
- Allow for an easy objection process if asked to stop processing data
- If your automated processes include decision making, be sure you have procedures in place to protect data privacy rights
Challenges for GDPR Compliance
Complying with the stringent GDPR is not without its challenges. But countries around the world recognize that the strict guidelines designed to protect personal data are in an organization’s best interest, as well as for individuals, and many countries are developing compliance regulations modeled after the GDPR as a result. A few of note: the California Consumer Privacy Act (CCPA), Canada’s proposed Digital Charter Implementation Act, and Brazil’s Lei Geral de Protecao de Dados (LGPD).
To comply, organizations need to do the hard work of protecting the rights of their data subjects and of conducting impact assessments, reporting incidents like breaches, and ensuring they have auditing processes in place. In addition, while GDPR is an EU edict, its impact is global as organizations who have employees or customers outside the EU or who use data processed outside the EU must also comply.
IT staff may have used manual processes or even temporary controls when the GDPR was first enacted to help meet the requirements, but this approach is not sustainable. Instead, robust data protection technology that is automated and streamlined better meets the strict regulatory requirements for limiting access to personal data and securing data at rest and in motion. Three areas are of particular concern to IT teams:
Security
With data breaches costing millions and with far-reaching PR costs, ensuring the security of data that falls under GDPR is essential. Best practice for IT teams is to invest in security solutions such as encryption, secure file transfer, and identity and access management.
Data management
As the GDPR gives individuals the right to request data be accessed, transferred, deleted, or otherwise processed, IT teams are challenged with securing efficient and transparent technical solutions to manage these requests. In addition, IT needs to ensure any solution selected is auditable to meet the requirements. And to meet the needs following a data breach, IT needs to ensure they are adequately staffed and trained to both report and mitigate any incidents.
Automation
Determining how to securely store and manage the consent status of data subjects across the organization is another concern. GDPR’s Article 30 is the requirement for processing activities of personal data to be recorded. Initially, many companies did so manually, but as these records need regular updating, automating helps streamline this requirement and allows the IT to focus on higher level tasks. Collaboration platforms and tools, as well as setting up workflows and business rules can help keep Article 30 records up to date more easily.
Meet GDPR Requirements with a Suite of Security Solutions
Complying with GDPR requires a layered approach best met with a suite of security solutions that can be seamlessly integrated across your enterprise to enforce the policies set in place. Fortra's security suite offers a variety of security-focused solutions to help you meet your GDPR obligations.
Email Security
Before personal data is ever exchanged through email, Clearswift applies the optimal security treatment based on your data’s content and GDPR privacy policies. It delivers real-time sanitation/redaction, encryption, and blocking or deleting of sensitive data based on the business rules you define to meet GDPR regulations.
Data Classification
Fortra's data classification solutions help meet GDPR by applying both visual labels and labelling to a file’s metadata to protect and control its use. By adding classification, users can better determine how a given piece of data should be treated, handled, stored, and eventually deleted. Classification adds streamlined functionality as well as enhanced data security and compliance.
Vulnerability Assessments and Intrusion Protection
Proving GDPR compliance is easier with the security solutions delivered by Powertech. Organizations can automatically identify and quantify their system security vulnerabilities as well as harden their system to intrusion. In addition, robust audit functionality of users and system functions helps meet the audit requirements under GDPR.
Secure Managed File Transfer (MFT)
Comprehensive MFT solutions can help meet several key GDPR principles, namely securely transmitting personal data through encryption, performing integrity checks of transfers to protect accuracy, and providing detailed audit trails and reporting of all transfers. Personal data is protected in transit and at rest with granular user access roles adding additional security around data.
Infrastructure Protection
Fortra's infrastructure protection suite includes tools for vulnerability management, penetration testing services and software, adversary simulation, and intrusion detection. These solutions secure sensitive data and ensure compliance by monitoring and assessing your infrastructure to identify and prioritize any risks. With comprehensive reporting capabilities, these solutions can also easily demonstrate compliance to external auditors.
Data Loss Prevention
GDPR states that processors must ensure that personal data is not used for any other purpose outside the services it was intended for. Data Loss Prevention from Digital Guardian aids GDPR compliance by enabling organizations to effectively discover, monitor and control personal data transmitted on the network, in use on workstations, or at rest in workstations, network servers, and cloud storage. Data is appropriately protected against unauthorized transmission, dissemination, use, and storage, while the analytics and reporting functionality can provide key documentation to demonstrate GDPR compliance.
We Can Help with GDPR Compliance
Contact the professionals at Fortra for a free 30-minute consultation on what solutions are best for your organization. We’ll help you determine what you need to do next to be in compliance with GDPR.