Posted by Geraldine Hunt on Fri, Apr 7th, 2017
GDPR - or the General Data Protection Regulation - is a European law due to be enacted in May 2018. The law affects every organization within or outside the European Union that maintains the personal data of EU citizens. The implementation of GDPR will require significant changes to business practices for many organizations who do not have comparable privacy and security measures already in place.
Background to GDPR
Prior to the General Data Protection Regulation, the basis of data protection legislation in EU member states was the 1995 EU Data Protection Directive. EU Directives set general goals and requirements, but member states are free to interpret the general goals and requirements as they see fit when compiling their national laws. EU Regulations apply to all member states and are enforceable by law.
As well as standardizing data protection laws throughout the EU, GDPR gives individuals more control over what data is collected about them and how it is used. The new GDPR regulations give multinational organizations a clearer legal framework in which to operate, and address data protection issues that could not have been foreseen in the original 1995 Directive - such as cloud-based data processing.
Key Points of the General Data Protection Regulation
The key points of GDPR are that organizations must have a lawful reason for collecting personal data, the amount of personal data collected must be limited to the minimum necessary to complete the lawful purpose, and that data must be deleted once the lawful purpose has been completed. These key points are subject to each organization obtaining the individual's informed consent.
Informed consent is a big factor in compliance with the General Data Protection Regulation. Consent for the storage or processing of personal data must be given by an affirmative action, and only after the individual has been informed of the lawful purpose their data will be used for. The individual must also be told they can withdraw their consent, and be given instructions on how to do so.
Rights of Individuals under the New GDPR Regulations
The rights of individuals under the new GDPR regulations will place additional responsibilities on organizations in terms of data integrity, retention and retrieval. Taking into account the new requirements for obtaining informed consent, many organizations will have to review their data collection and storage mechanisms in every part of their operations. Individuals' rights include:
- The right of information about how personal data will be used.
- The right to request the data source if informed consent was not given.
- The right of individuals to access their personal data.
- The right to know how long personal data will be stored.
- The right to rectify any errors in stored personal data.
- The right of data portability to a different processor.
- The right to restrict the processing of personal data.
- The right to know the identities of third parties with whom the data is shared.
- The right not to be evaluated on the basis of automated processing.
- The right “to be forgotten” and have personal data permanently erased.
In order to comply with the rights of individuals under the new GDPR regulations, many organizations will have to review their systems for storing and processing data to ensure individual personal data can be isolated, extracted and deleted as necessary. Privacy policies will have to be updated, and employees trained in how to respond to requests from individuals - and establish the validity of the request.
Definition of Personal Data in the Context of GDPR
The definition of personal data in the context of GDPR raises issues for practically every organization in the world that maintains an online presence. This is because the term “personal data” relates not only to identifiers such as name, address and age, but also to “online identifiers” such as cookies. The GDPR explicitly states that online identifiers, even if they are pseudonymous, will be considered personal data if there is the potential for an individual to be identified or singled out.
Even organizations that do not have an online presence may be affected by the definition of personal data in the context of GDPR. An employer with an electronic database of employees will have to comply with the General Data Protection Regulation if their database contains “sensitive personal data” such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life and sexual orientation, genetic data or biometric data.
What Constitutes a Breach of the New GDPR Regulations?
There are many different scenarios that constitute a breach of the new GDPR regulations. Storing an individual's personal data without their informed consent can result in a fine or sanction, while the failure to implement security measures to prevent unauthorized access to an employee database can have serious consequences. Even the accidental exposure of personal data will be considered a breach of the new GDPR regulations if an organization has not taken action to mitigate the risk of a breach.
In order to identify potential risks and implement security measures, organizations that store or process large volumes of personal data are required to appoint a Data Protection Officer. The Data Protection Officer has the responsibility to conduct risk assessments, implement security measures to protect personal data, and introduce policies to support the measures. In the event of an audit or DPA investigation, the Data Protection Officer has to demonstrate the actions taken to mitigate the risk of a breach.
The High Cost of Non-Compliance with GDPR
Many member states within the EU already have Data Protection Authorities (DPAs) to implement and enforce national data protection laws. The DPAs will be given more powers under the General Data Protection Regulation to investigate reported breaches of the law and impose financial penalties on offenders. Depending on the nature of the breach, the measures implemented by the organization to comply with GDPR, and the number of individuals affected by the breach:
- A failure to comply with the GDPR security standards can attract a maximum fine of €10 million or 2% of global annual turnover - whichever is the higher.
- A failure to comply with the GDPR privacy standards can attract a maximum fine of €20 million or 4% of global annual turnover - whichever is the higher.
In addition, the individual(s) whose data has been unlawfully exposed can claim compensation against the organization responsible for the breach if it can be demonstrated they have suffered harm as a result. Depending on the national law of the EU member state in which the harmed individual resides, there may also be criminal sanctions for the offending organization. In some cases criminal sanctions may be applied simply for the unlawful possession of individual personal data.
Data Breach Notification Requirements
In addition to the fines and sanctions that can be imposed for non-compliance with GDPR, further fines can be imposed if an organization fails to follow the data breach notification requirements and report a data breach to its national DPA within 72 hours of the breach being discovered. Furthermore, the EU will be introducing a “name and shame” mechanism to advise the general public of organizations who have failed to maintain the integrity, confidentiality or security of personal data.
The breach also has to be notified to the individual(s) whose data has been compromised if the breach is likely to result in discrimination, identity theft or fraud, financial loss, damage to reputation or other significant economic or social disadvantage. An exception to the requirement to inform individuals exists if the breached data is undecipherable and unusable due to it having been encrypted. The encryption of data will likely mitigate or nullify any sanction imposed by the DPA.
Tools to Prevent Data Breaches from TitanHQ
There is no doubt the new GDPR regulations will change the ways in which organizations address data security - both within and outside the European Union. Many organizations have already taken measures to get ready for GDPR by implementing TitanHQ's tools to prevent data breaches. These tools consist of our industry-leading web content filter "WebTitan", our anti-spam email solution "SpamTitan", and our secure email archiving solution "ArcTitan".
WebTitan Web Content Filtering Solution
One of the major threats to the integrity of personal data comes from malware. Malware threats are not necessarily targeted - as the email phishing threats described below are - but can be opportunistic, downloaded inadvertently when a user visits a compromised website. In the worst-case scenarios, malware downloads can install spyware that monitors the keystrokes used to access databases, or install ransomware that encrypts an organization's computer network until a ransom is paid.
WebTitan is a robust web content filtering solution that prevents users from inadvertently visiting compromised websites through a three-tiered filtering process. Easy to implement and maintain, WebTitan is available with a choice of deployment options. WebTitan protects both fixed and wireless networks with minimal latency and universal scalability, and is sufficiently versatile that Data Protection Officers can implement and enforce different web access policies for different environments.
SpamTitan Anti-Spam Email Solution
As Internet users have become more aware of the risks of compromised websites, spam email has become the number one delivery vehicle for malware. Phishing emails in particular pose a major threat, as these are often targeted at an individual by a scammer posing as a person of authority. Phishing emails can deliver a malicious payload by instructing their recipient to open an attachment or click on a link, or can carry an instruction to perform an action that jeopardizes the integrity of personal data.
SpamTitan is an award-winning, feature-rich anti-spam email solution that detects 99.97% of spam email due to its advanced front-end tests. Again available with a choice of deployment options, SpamTitan mitigates the threat from phishing emails sent from compromised email accounts by blocking dangerous attachments and links to malicious websites. Additional protection against data breaches is provided by dual anti-virus engines to safeguard personal data stored on network systems.
ArcTitan Secure Email Archiving Solution
Potentially a bigger threat to the integrity of personal data is insider disclosure. According to recent research, internal actors were responsible for 43% of data breaches in 2015. Although half the recorded data breaches attributable to the actions of internal actors were accidental, protecting personal data against threats of this nature can be difficult. Data Protection Officers have to take both accidental and malicious insider disclosure into account when compiling risk assessments and implementing appropriate measures.
One of the most effective ways of preventing insider disclosure is with an ArcTitan secure email archiving solution. ArcTitan copies each email as it enters or leaves the mail server, and stores it in encrypted format in a secure data center - providing an immutable copy of the original document that is protected against both insider and outsider theft. Fast search and retrieval engines accommodate the GDPR requirements that individual personal data can be isolated and extracted when required, and deleted when its lawful purpose has been completed.
Further Information about GDPR from TitanHQ
Next week we'll be publishing a comprehensive whitepaper on the security implications of GDPR for companies; if you'd like us to send you a PDF version of this paper, please contact us. TitanHQ has been in the business of providing advanced Internet security solutions since 1999, and our team of Sales Engineers will be happy to guide you through the GDPR regulations and discuss how they apply in your individual situation.