The UK’s Brexit transition period finally complete, but European organisations still face a period of uncertainty regarding data protection rules.
That’s where EU GDPR – An international guide to compliance can help. This guide, written by IT Governance’s founder and executive chairman, explains how to comply with the Regulation – including new content on the post-Brexit data protection landscape.
As Calder says: “This is an exciting time to be involved in data protection. Brexit and the deepening enforcement of GDPR across the EU, combined with privacy innovation around the globe, all bring new challenges, almost daily!”
In this blog, we provide an excerpt of Calder’s guide.
Excerpt from EU GDPR – An international guide to compliance
There are clearly a number of key points to observe in your approach to complying with the GDPR. Plenty of them will be resolved fairly simply and quickly, if only at the prompting of a third party or a DPO.
Some, however, will require a great deal of work or specific expertise. This section of the book will discuss those things that are critical to observe and offer advice for staying on the right side of the law.
It’s been mentioned several times already, but it’s worth reiterating that the GDPR can levy considerable fines. For certain breaches of the Regulation, you could be fined up to €20 million or four percent of global annual turnover, whichever is greater.
Note that the four percent is on turnover, not profit, and applies to the organisation’s global turnover, so for large organisations this could be considerably more than €20 million, and for a number of companies could be close to or exceed a billion euros.
It should also be noted that some organisations that are not involved in data processing can also face legal repercussions. Certification bodies involved in certification schemes in accordance with the Regulation, for instance, can face fines if they are found to be shirking their responsibilities.
As such, it’s possible for a single data breach to affect a large number of organisations – the data controller, any number of data processors involved in the data breach, and the certification body that approved the data processing.
Because these administrative penalties can be applied so broadly, it is very important to understand your own obligations and exposure. If you are concerned that you might not be in compliance with the law, you should consult a legal expert.
It is also important to remember that these penalties are in addition to any other fines or legal costs that you may incur following a data breach.
Although fines from other regulators are unlikely to match the costs meted out under the GDPR, the compounding effects of other punitive measures could be significant.
For instance, failure to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS) could result in losing the ability to take card payments, civil disputes in court could result in additional fines, and reputational damage could strip you of your customers, clients and suppliers.
Ensuring that your organisation supports compliance with the Regulation from the very top is critical to meeting your obligations – it is difficult to implement all of the necessary measures without it.
As such, anyone responsible for implementing and maintaining compliance will need to start by making this clear to their organisation’s top management and ensuring that it is understood.
Reiterating the severity of the punitive measures, potential compensation claims and reputational damage – especially when set against the relatively low cost of compliance – is likely to get their attention.
Understanding your data: where it is and how it is used
The GDPR deals with existing personal data as well as with how that data is to be processed, transmitted and stored in future.
For most organisations, the first step towards compliance is a data audit to identify the personal data the organisation holds, who it has been shared with and where it is now held. This will help determine what must be done with that data in order to comply with the GDPR.
The data audit process includes reviewing existing processes for gathering personal data, ensuring there are clearly identified business and legal grounds for that collection, and ensuring that all related processes comply with the Regulation.
Depending on the nature of your business, this could prove to be quite a broad exercise, showing points of egress and ingress where personal data goes out to a processor and the processed result returns (assuming that the results of processing include personal data).
You also need to be quite clear about the information assets that actually constitute personal data – photographs, for instance, can be used to identify an individual and so will almost always be regarded as personal data.
You should also consider where the data resides physically. If you use a Cloud solution, for instance, you will need to know where the Cloud supplier is based and, if it’s not in the EU, whether it is able to provide sufficient assurances that it meets the Regulation’s requirements (including, crucially, legal protections for data subjects and the presence of effective legal remedies).
Equally, you should be sure to note any physical records of personal data that you might keep, including HR records, historical records (assuming the subjects are still living) and so on.
Data audits should be repeated periodically to make sure that they are thorough and that any new or changed processing is taken into account.
It is sensible to carry out a DPIA in relation to information that you have already collected, in addition to any DPIAs necessary for future processing. This should highlight any weaknesses in your current operations.
The Regulation can require quite a bit of documentation. In addition to the explicit and implicit requirements for specific records (such as proof of consent from data subjects), you should also ensure that you have documented how you comply with the GDPR so that you have some evidence to support your claims if the supervisory authority has any cause to investigate.
If you suffer a data breach, for instance, being able to demonstrate that you have consistently applied best practice, that you have an audit trail showing that you notified them and any affected data subjects within the required timeframes, and that you have taken all the appropriate steps to mitigate the impacts of the data breach, will minimise the chance that you will be hit with a crippling fine.
There are different documentation requirements for data controllers and data processors, but the onus for the documentation being correct is generally on the controller because they’re likely to suffer the consequences regardless of who is at fault.
If you are a controller with a number of outsourced processing functions, it’s worth gaining assurances that these functions are appropriately documented by the data processors.
The following documentation is especially important, although it varies between data controllers and processors:
- Statements of the information you collect and process, and the purpose for processing.
- Records of consent from data subjects or their holder of parental responsibility.
- Records of processing activities under your responsibility.
- Documented processes for protecting personal data – an information security policy, cryptography policy and procedures, etc.
Appropriate technical and organisational measures; ISO/IEC 27001 and ISO/IEC 27701
Article 24 says that data controllers must implement “appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with the Regulation”.
This Article makes it clear that these measures must include implementing appropriate data protection policies. Similarly, Article 32 also requires “appropriate technical and organisational measures” to ensure the security of personal data.
This clearly shows that the Regulation requires a double approach: measures that protect the rights and freedoms of data subjects, and measures that protect the security of the personal data itself.
Critically, both articles state that controllers can use adherence to approved codes of conduct or management system certifications “as an element by which to demonstrate compliance” with their obligations and the Regulation’s requirements.
While it’s likely that supervisory authorities will develop their own schemes and trust seals in the future, and that they’ll recognise certain standards as meeting the GDPR’s core requirements, achieving certification to a widely recognised information security standard will not only help to meet the requirements, it will also provide a good basis for attaining any necessary certifications or requirements that may arise in the future.
An ISO/IEC 27001 information security management system (ISMS) should be the starting point for organisations seeking to ensure they can demonstrate “appropriate technical and organisational measures” with respect to their GDPR obligations related to the security of personal data.
This can be bolstered by ISO 27701, which acts as an extension to ISO 27001 and supports data protection activities related to data subjects’ rights and freedoms.
The ISO 27001 risk-based approach to selecting information security controls is reflected in the GDPR requirement that controllers and processors should, on the basis of and proportionate to identified risk, implement appropriate technical and organisational controls to:
- Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Ensure the security of the personal data; and
- Ensure the ability to restore availability following an incident.
They should also have a process for regularly testing, assessing and reviewing the effectiveness of the selected measures.
As ISO/IEC 27001 is the only independent, internationally recognised data security standard that also has a widely accepted certification scheme, it seems logical that ISO 27001 – with in-built and appropriate business continuity arrangements, and supported by ISO 27701 – should be fundamental to organisational GDPR compliance strategies.
The fact that ISO 27001 is also the default management system for protecting organisations against cyber crime doubles its benefit.
Cyber crime is not directly addressed in the Regulation, but it is an increasingly common cause of data breaches, and is regularly associated with the largest and most damaging breaches. ISO 27001 can also support compliance with the NIS Directive.
Implementing an ISO 27001 and ISO 27701 system for managing information security and data protection involves building a holistic framework of processes, people and technologies.
It should address the organisation’s internal and external contexts – such as the requirements of the GDPR – and the needs of interested parties, which would naturally include data subjects and supervisory authorities.
Once established, the management system should systematically reduce information security risks on an ongoing and evolving basis through a process of self-examination and remediation.
Crucially, the measures that you implement to secure information are taken on the basis of a thorough risk assessment that identifies threats and vulnerabilities affecting the organisation’s information assets (which will certainly include any personal data or processing of personal data).
Want to know more?
Purchase EU GDPR – An international guide to compliance to find out more about this topic.
This pocket guide will help you understand the Regulation, the broader principles of data protection, and what the GDPR means for businesses in Europe and beyond. It explains:
- The terms and definitions used within the GDPR in simple terms;
- The key requirements; and
- How to comply with the Regulation.