How to protect your personal data
Updated: Sep 20, 2018
If your data is stolen there's no point of it being secure. Insights to General Data Protection Regulation (GDPR) and fundamental differences between privacy and security
With the recent enforcement of General Data Protection Regulation (GDPR) in European Union (EU) there has been a lot of talk around the town about how this is applicable to third countries (Countries outside EU), what is the jurisdiction, how this will affect service industry in Sri Lanka etc. As far as I see some has identified this as a information security initiative, some as data leakage, some as data control etc. Its none of that. It is all about PRIVACY.
Privacy is in simple terms a state which one is not disturbed or observed by other people.
Privacy can comprise of 3 key elements;
Secrecy - Conceal information about themselves that others may not misuse them
Anonymity - Desire of an individual to not disclose his/her identity
Solitude - Desire of physical separation from others
Based on these 3 key elements you may derive into 4 types of privacy that we may encounter everyday.
Bodily Privacy - Protection of physical self against invasive procedure
Territorial Privacy - Intrusion into environment (home, workplace etc)
Information Privacy - Collection and Handling of Personally Identifiable Information (PII)
Communication Privacy - Protecting means of correspondence
By now you may notice that GDPR intends to provide privacy related to last 2 types to EU citizens through this legislation. So this is not an Information Security Standard. Security will form a part of Privacy, but privacy is far wider topic than security.
GDPR applies to you under 3 conditions in the legislation;
If you are a Data Controller (Entity/person who defines the purpose of processing PII) or Data Processor (Entity/person who process data on behalf of controller) residing in EU
Offer goods and services to EU Citizens and monitors their behaviour in EU
Member State Law (EU member country) applies to you
The 4th condition would be that you may have contractual obligations under binding contracts with your customers who are either controllers or processors in EU.
Personal Data Processing Principles
There are 7 data processing principles that you need to embed in your organisation.
So if you look at this more carefully first principles that you need to look at it you need to understand what's the lawful base of processing data, and use that processing to be minimised only for the consented purpose and minimise the required fields only for that purpose is the key. So moving all your data into a secure cloud platform may give you sense of security but not necessarily the compliance to GDPR or establishing privacy.
How secure your data is a secondary question in a Privacy based thinking. Where as, why I use this data?Do I need all fields of data? What's my lawful, fair and ethical reason of processing this data? would be more primary. However once you establish these principles security is one of the key concerns.
Data Subject Access Rights
Establishing and facilitating these rights require implementing processes to facilitate these requests of Data Subjects (EU Citizens). This would require certain level of organised approach to data as an organisation may require a birds eye view of personal data to facilitate these requests at any given time. Furthermore your employees must be trained about these rights and how to facilitate them for your customers.
When you drill down further you may find the following key points to address in order to comply with the standard:
Data Protection Impact Assessment (DPIA)
DPIA is a process which assists organizations in identifying and minimizing the privacy risks of organization.DPIA must be structured, Systematic, Consistent, Repeatable, Transparent. You would require to perform a DPIA in the following circumstances;
When you process large amounts of personal data
When you handle sensitive PII (Health records etc)
When you perform profiling and monitoring of behaviour of data subjects
Data Protection Officer
Data Protection Officer will lead all your data related control implementations. You would need a dedicated DPO in the following circumstances;
When you perform systematic monitoring of data subjects in large scale
Processing large scale of sensitive PII
Processing PII related to criminal convictions
Conditions for Consent
Organisations shall be able to demonstrate that explicit consent is taken from the data subjects, with transparency and clearly defining the purpose of data collection. Provisions and processes must be set to withdraw consent at any point given for the subjects. Organisations shall manage all these consents and keep record of it.
Privacy by Design
Reporting Data Breaches
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed This includes breaches that are the result of accidental or deliberate causes. It also means that a breach is more than just about losing personal data.
These are some of the key areas of GDPR. Understanding that implementation of privacy is more than defining the security posture of an organisation is the key to Privacy programs success. The most closest that any certification or standard get close to this is the BS 10012:2017. It is important that you understand the key concepts behind a Personal Information Management System (PIMS) in implementing them.