Marshall Toburen

Doing Business with European Citizens? The time has come to Prepare for the EU General Data Protection Regulation (GDPR)

Blog Post created by Marshall Toburen Employee on Feb 8, 2016

The European Union General Data Protection Regulation (GDPR) will bring big changes for organizations that handle information of European citizens.  The scope of the GDPR not only encompasses European businesses but includes all businesses that control or process personal data related to the delivery of goods and services to individuals in the EU or are designed to monitor their behavior, whether those businesses are based in the European Union or elsewhere.  Although the regulation is not expected to be codified until this spring with implementation in 2018, the breadth and complexity of the GDPR warrants that organizations start planning their compliance strategy now.  Non-compliance with elements of the GDPR can bring fines up to 4% of annual world-wide revenue or 20,000,000 Euros, whichever is greater!


I have condensed and summarized here what I believe are the most onerous requirements of the GDPR but I encourage you to read the full regulation to make certain I haven’t omitted or misstated anything relevant to your organization.  Please take note of the highlighted words and phrases as they represent significant obligations your organization may have to fulfill:


Data Classification


Data covered by the regulation is classified in two ways:


Personal Data – any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity". Data is considered personal when it enables anyone to link information to a specific person, even if the person or entity holding that data cannot make that link. Examples of such data include address, bank statements, credit card numbers, and so forth. Processing is also broadly defined and involves any manual or automatic operation on personal data, including its collection, recording, organization, storage, modification, retrieval, use, transmission, dissemination or publication, and even blocking, erasure or destruction.


Processing operations that present specific risks – “(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analyzing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behavior, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affect the individual; (b) information on sex life, health, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale; (c) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance) on a large scale; and (d) personal data in large scale filing systems on children, genetic data or biometric data."


Implement Policies and Measures


1. Organizations must adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the Regulation.


2. Appropriate measures are defined as:


     (a)     Maintaining documentation of all processing operations, including


              -  Name and contact details of the business

               - Name and contact of the data protection officer, if applicable

               - Purposes of processing the data

               - Description of categories of data subjects and categories of personal data

               - Recipients or categories of recipients of the personal data

               - Transfers of data to other countries or international organizations

               - Time limits for erasure of the data

               - Description of mechanisms used to ensure verification of compliance


     (b)     Implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

               - Appropriate technical and organizational measures are to be determined by an evaluation of the risks to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorized disclosure, dissemination or access or alteration of personal data.


     (c)       Perform data protection impact assessments on planned processing that introduces specific risks (see above definition) and obtain prior approval of the Data  protection Authority before processing begins.


      (d)     Data protection officers must be appointed in those organizations that are public authorities or bodies, that process personal data and employ 250 or more persons, or process data that introduces specific risks (see above definition).

The Data Protection Officer’s obligations include:

               - Informing their organizations and their data processors of their obligations under the regulation

               - Monitoring the  implementation and application of policies, including training staff

               - Monitoring the  implementation and application of the regulation; and

               - That the required documentation is maintained to demonstrate compliance with the GDPR


3.  Organizations must implement mechanisms to verify the effectiveness of the technical and organizational measures it has implemented to ensure a level of security appropriate to the risk.  Where appropriate, this verification must be performed by independent internal or external auditors.


There are three key points of Contact with Individuals covered by the GDPR that must be addressed by organizations.


(1) When personal data are collected from a covered  individual,

     (a)     To be lawful, organizations must obtain explicit consent from individuals to process their data.  Parental consent is required for the processing of data for children under 16 years of age, except that EU member states may have a lower cutoff for parental consent so long as it is not lower than 13 years.

     (b)     At the time of data collection, the organization must provide the individual with at least the following information:

               - The identity and the contact details of the organization and, if any, the organization’s representative and their data protection officer, if applicable;

               - The purpose(s) of the processing of their personal data, including the contract terms and general conditions of a contract for processing, if applicable and the legitimate interests pursued by the organization;

               - Existence of the right of access, rectification of data, or erasure and the right to lodge a complaint;

               - The recipients or categories of recipients of the personal data;

               - where applicable, that the organization intends to transfer the data to a third country or international organization and the level of protection afforded by that third country or international organization by reference to an adequacy decision by the Commission;

               - How long the data will be stored; and the individual from whom information is being collected

               - Whether the individual is obliged to provide the information and the consequences, if any, should the individual not provide the information being collected.


(2) Covered individuals may contact an organization at any time on an ad-hoc basis requesting information about the processing of their personal data.  On request, organizations must supply:

               - Confirmation as to whether or not personal data relating to the individual are being processed. And if so,

               - the purposes of the processing;

               - the categories of personal data concerned;

               - the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular to recipients in third countries;

               - the period for which the personal data will be stored; and

               - provide, free of charge,  a copy of the individual’s data undergoing processing and any available information as to the source(s) of the information;

               - the individual’s right to transmit personal data to another party

               - the individual’s right to request from the organization rectification or erasure of personal data;

               - the individual’s right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;


   Organizations that receive requests for rectification or erasure of personal data must do so in a timely manner.


(3) When a Data Breach Occurs (breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed), organizations must:

     • Notify individuals without undue delay when a breach occurs which is likely to affect the protection of personal data or privacy.  The breach notification must contain:

          - The identity and contact details of the organization’s Data Protection Officer or other contact point

          - Recommended measures to mitigate possible adverse effects of the breach

     • Within 24 hours of becoming aware of a breach, the organization must notify the supervisory authority.


A few other obligations of interest contained in the GDPR

  • Organizations and their data processors must have contracts that must state that the processor will:

          - Act only on instructions from the organization

          - Employ staff committed to confidentiality

          - Fulfill all security measures required by the regulation

  • Processors are prohibited from sub-contracting processing of personal data without the written consent of the organization.
  • Information cannot be transferred to a country that has not been approved by the European Union as having adequate levels of data protection


Summary – The Practical Considerations


This regulation ups the ante around privacy and information security compliance.  It expands the definition of personal information to include not just what is being collected but what can be derived about an individual when you put pieces of information together.


This regulation isn’t just about electronic information security.  It applies to the processing of personal information of individuals in the EU whether the information is physical or electronic.  It requires protection of information from unauthorized access and destruction from disasters, and it applies to third party relationships that organizations may have in place to collect, process, or store the information.  Lastly, it requires organizations to know exactly when and where they are collecting information from covered persons, processing the information, storing the information (and how long), and sending information to others, including across borders.  Moreover, all of this has to be sufficiently documented, risks assessed, and appropriate controls implemented to bring residual risk within tolerable levels.  Because of the required level of detailed documentation, it is highly unlikely that an organization can fulfill their obligations under the GDPR and demonstrate their compliance using spreadsheets and Word processing documents. Compliance has to be independently verified so adequate and complete documentation will be critical to keeping audit costs down and audit and regulatory engagements and findings as short as possible.


Finally, consider the complexities associated with collecting information from covered individuals and responding to ad-hoc requests from covered individuals.  When collecting information from covered individuals, among other things, you must obtain their explicit consent to collect and process the information.  How are you going to go about doing that and create the necessary audit trail to demonstrate explicit consent was received?  When you receive an ad-hoc request from a covered individual, are you prepared with the infrastructure and appropriate tools to determine if and where you are processing and storing all the elements of the individual’s information, so you can provide a copy of the information to the individual, and to collect, validate, and apply requested corrections to the data?  And, the big question, are you in a position administratively and technically to effectively erase an individual’s data upon request?


Listen to the recording of a recent RSA sponsored ISACA webinar on What the GDPR Will Mean to Global Businesses.  Most organizations are not ready for this regulation.  It’s a freight train barreling down the tracks.  If you would like to learn more about how we can help you get ready, click here.