GDPR
While the United States’ cyber regulations paradigm is enacted in a piecemeal fashion, the European Union has established a much more comprehensive cyber compliance framework. The General Data Protection Regulation (GDPR) was implemented in 2018 to protect the personal data of EU citizens. The law requires data “controllers” to implement protective measures to keep personal data safe.
Below we break down what GDPR is and how it may affect you.
Who does it protect?
The EU has established fundamental rights for all natural persons living in the Union, and one of those fundamental rights is the right to protection of personal data. The stated scope of the GDPR broadly protects the processing and transfer of the personal data of EU citizens. If an EU entity is processing the personal data of any EU citizen, even if the data is being processed outside the EU, then it is subject to the GDPR. Non-EU establishments that control or process the data of EU citizens are subject if their processing activities are related to the offering of goods and services or the monitoring of EU citizen behavior that takes place in the Union.
There are a couple of nuances here to unpack. First, ‘personal data’ and ‘natural person’ have very specific definitions under the regulation that are meant to be read together. An identifiable natural person is one who can be identified by reference to an identifier such as:
- Name
- Identification Number
- Location Data
- Online Identifier (e.g. screen name)
- Factors specific to: physical, physiological, genetic, mental, economic, cultural or social identity of the person
Personal data means “any information” relating to the natural person, even beyond the person’s identifiers. So, not only are a person’s name, location data, health data, cultural data, and economic data protected, but if a person can be identified by any of the above, then all of their associated data is considered ‘personal’ and therefore protected.
There are, however, certain personal data processing activities that are explicitly excluded from the rules of the GDPR. The regulation does not apply in the following circumstances:
- In the course of an activity not subject to Union law
- Purely personal or household activity by a natural person
- By EU member states when carrying out activities related to common foreign and security policy pursuant to Chapter 2 of Title V of the Treaty on European Union
- By competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses or execution of criminal penalties. This includes safeguarding against threats to public security.
Who does it apply to?
There are two entity types that must abide by the data protection rules of the GDPR. The two data handlers that are subject are ‘processors’ and ‘controllers.’ A processor is simply defined as a person or entity that processes personal data on behalf of a controller. Controllers are defined as people or entities that determine the purposes and means of the processing of personal data.
For example, let’s say that an e-retail company contracts a marketing company to collect data on the online buying habits of its customers. The e-retail company would be the controller since it is deciding what to do with the information and the marketing company is the processor since it is processing data at the direction of the e-retail company.
But what does ‘processing’ mean?
Processing is any operation or set of operations performed on personal data such as collecting, recording, organizing, structuring, storing, altering, retrieving, consulting, using, disclosing by transmission, disseminating, combining, restricting, erasing or destroying said data.
What is required?
Previously, the regulations placed obligations on the controller but not so much on the processor. In its current form, the GDPR holds both controllers and processors liable for data breaches. First of all, controllers are directed to only use processors that provide sufficient guarantees that appropriate measures will be used so that the processing of personal data complies with the GDPR.
Controller Requirements
The GDPR holds controllers to strict standards of compliance. As the party that is deciding what to do with the data, controllers must take into account the rights and freedoms of the people whose data is being used. Controllers must implement both technical measures and organizational measures to ensure compliance with the GDPR. In deciding what measures to implement, controllers need to take into account the nature, scope, context, and purpose of the processing.
While those directives may seem broad and unclear, there are specific conditions that must be followed. By default, measures must be put into place that ensure only personal data necessary for each specific purpose of the controller may be processed. The controller must also maintain records of data processing that include the following:
- Contact details of the controller and any data protection officer or representative
- Legal purpose of the data processing
- Type, category, and subjects of data
- Whether data will be transferred to a third party or third party country
- Retention period for data
- The technical and organizational security measures of the controller
Processor Requirements
While controllers are requesting the data and making decisions on how the data is used, processors bear the largest portion of the burden with regard to securing data. As opposed to the relatively vague requirements for controllers in the GDPR, processors must follow very specific rules in the regulation. A large portion of the processor rules revolve around the terms of the mandatory contract between processor and controller.
The basic terms of the controller/processor contract must include the following:
- Subject matter and duration of processing;
- Nature and purpose of the processing;
- Type of personal data;
- Categories of data subjects; and
- Obligations and rights of the controller
The contract must also stipulate that the processor:
- Only processes personal data based on the documented instructions from the controller;
- Ensures persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Takes all measures required pursuant to Article 32 of the GDPR;
- If engaging another processor, must have written authorization from the controller allowing for such engagement and must ensure the secondary processor abides by the same data standards of the primary processor;
- Taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures;
- Assists controller in ensuring compliance with Articles 32 and 36 of the GDPR;
- At the controller’s discretion, deletes or returns all personal data to the controller after the processing services end, unless Union or Member State law requires otherwise; and
- Makes available to controller all information necessary to demonstrate compliance with the GDPR.
Article 32 of the GDPR, referenced above, concerns the security of processing. As part of the “appropriate technical and organizational measures” requirement, processors must include, where appropriate, security measures such as:
- Pseudonymisation and encryption of personal data;
- Ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Alliant Cybersecurity
There is a lot that goes into making a business GDPR compliant. The vagueness of the regulation and the separate codes of conduct created by individual EU member states can make compliance confusing. Alliant Cybersecurity and our team of industry experts have helped countless companies comply with federal, state and international cybersecurity regulations including GDPR. If your company is collecting or using data from the EU, schedule time to speak with us today and hear about how we can make your company safer.