In January 2012, the European Commission (EC) in Brussels proposed a reform of the European Union’s (EU’s) 1995 data protection rules to “make Europe fit for the digital age.” New technologies and globalization have had a profound impact on how information is collected, accessed, and used. Furthermore, the 27 EU member states interpreted and enforced the 1995 directive differently. The EC believed that having one law would eliminate this fragmentation. The result is the General Data Protection Regulation (GDPR). The overarching aim of the reform was to better protect the rights individuals have regarding their personal data.
The EC states that following a 2-year post-adoption grace period, GDPR will become fully enforceable throughout the EU on May 25, 2018.
The UK Information Commissioner’s Office (ICO) states that if an organization processes personal data of EU residents, it is obligated to put in place comprehensive, yet proportionate, means of governing that data. Processing includes collecting, storing, altering, retrieving, transmitting, using, erasing, or otherwise performing any operation on data. Practices and tools championed by the ICO (e.g., privacy impact assessments and privacy by design) are now legally required by GDPR. Consequently, organizations whose activities fall within the scope of GDPR must implement new policies and procedures to comply with it. The goal of these measures is to reduce the occurrence of breaches while safeguarding personal data.
Under GDPR, personal data includes any information relating to a resident of the EU, whether it regards his or her private, professional, or public life. Personal data can be anything from a name to a photo, an email address, bank details, posts on social networking websites, medical information, a computer IP address, and so on.
GDPR states, “A controller determines the purposes, conditions and means of the processing of personal data. A processor processes personal data on behalf of the controller.” So a data controller exercises overall control over why and how data are processed, and a data processor controls the more technical aspects of an operation, such as data storage, retrieval, or erasure. A processor might be a datacenter or document management company. Both organizations (controller and processor) are responsible for complying with GDPR in their processing of personal data.
Concrete examples of data controllers and processors:
There is a tiered approach to penalties, with a maximum fine for violating GDPR of up to 4% of annual global turnover or €20 million, whichever is greater. GDPR guidelines and penalties apply to any member of the supply chain who processes an EU resident’s data. This means that cloud providers will not be immune to GDPR enforcement.
Examples of noncompliance:
Security must be built into the software and systems that personal data passes through, from the start, with documented standards and practices to minimize the attack surface. Article 25 specifically calls for measures to ensure that personal data is not made accessible without the individual’s intervention (including during a breach).
The complex technologies involved in processing personal data present multiple potential points of entry for hackers. Article 32 expands on application security requirements with a keen focus on the ongoing confidentiality, integrity, availability, and resilience of processing systems and services. Thus, organizations must secure every piece of software that plays a role in processing personal data and regularly assess the effectiveness of the measures they’re taking to do so.
Awareness is a key component of data privacy, and GDPR asserts that before processing, an organization must conduct an impact assessment to measure the risk to data privacy and evaluate the measures and mechanisms in place to secure it. The organization must review this assessment carefully to determine whether its security standards can evolve as the risk landscape changes. And it must regularly assess its software security posture and the risks posed by third parties with access to data at any point in the process.