Are you Ready for the General Data Protection Regulation (GDPR)?
It is the most advanced and people-centric cyber security regulation released so far. Here's how your organisation can comply with GDPR.
The European Union (EU) General Data Protection Regulation (GDPR) imposes radical and tough data protection requirements within Europe, as well as in the wider world wherever European citizens' data is stored or processed. There have been broad conversations, both in member states and outside the EU, about how the applicability of this regulation takes effect. Countries with extensive movement of EU citizens related to the leisure, tourism and hospitality industries are especially unclear about the regulation's jurisdiction and applicability. Every European controller or processor is regulated, and anyone based outside Europe who provides goods or services to, or profiles, people living in the EU is also within scope.
Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Key to the whole standard is a clear understanding of the definition of processing, although it is arguable that the extensive and complex lengths to which the standard goes call its very survival and practicability into question. Processing covers everything from the initial collection of personal data right through to its final deletion or destruction: creating personal data; storing; using; copying; aggregating; adapting; amending; sharing; transmitting; archiving; selling; losing; and erasing the data. This definition includes all e-mails exchanged with EU citizens, transaction data, any forms filled in by EU citizens, CCTV footage, etc.
The UK Information Commissioner's Office (ICO) briefly summarises 12 key steps that provide a foundation for becoming GDPR compliant.
Awareness: You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. Complying can be quite complex depending on the compliance culture, data governance and structures within an organisation.
Information you hold: This requires you to understand the sources of the data, how it is stored and processed, who you share it with and what your destruction processes are. Conducting this analysis also reveals the organisation's exposure.
Communicating Privacy Information: This is your privacy notice, and you should clearly state the purpose of processing and the legal office to contact in case of a breach. The notice shall be clear, easy to understand and concise.
Individual Rights: You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
Subject Access Request: If your organisation handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly. You could consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily online.
Lawful Basis for Processing Personal Data: You will have to explain your lawful basis for processing personal data in your privacy notice and when you answer a subject access request.
Consent: There must be a positive opt-in. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.
Children: If your organisation offers online services ('information society services') to children and relies on consent to collect information about them, then you may need a parent or guardian's consent in order to process their personal data lawfully.
Data Breaches: Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify those concerned directly in most cases. Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
Data Protection by Design and Data Protection Impact Assessment: It has always been good practice to adopt a privacy by design approach and to carry out a Privacy Impact Assessment (PIA) as part of this. However, the GDPR makes privacy by design an express legal requirement, under the term 'data protection by design and by default'. It also makes PIAs, referred to as 'Data Protection Impact Assessments' or DPIAs, mandatory in certain circumstances.
Data Protection Officers: You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements.
International: If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.
Although this is a good guide by the ICO, neither it nor the currently published articles provide much guidance for processing units in countries outside the EU. Under the GDPR, third countries are covered where they act as a "processor" for a "controller"; this is easy to understand and can be clearly communicated through an outsourcing agreement. But what about hotels, resorts, travel agents, telecommunication providers, online training providers and others outside the member states who are themselves the actual processors?
The tricky part is that the regulation speaks to, and applies to, a very wide range of audiences.
"This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law."
Countries outside the EU need to provide adequate guidance at the state level on how organisations shall adopt the GDPR, and to derive a road map for compliance. For example, in some countries a Data Protection Act and a single entity to which data breaches are reported are still under development, and the country's infrastructure, systems, processes and, most importantly, awareness may not support such a radical standard.
A deep conversation is needed about the applicability of, and compliance with, the standard, as it provides quite comprehensive guidance on the protection of privacy.