Do you know how to achieve GDPR compliance and who is responsible for doing so? IFS WHITE PAPER


IFS INFORMATION SECURITY: GENERAL DATA PROTECTION REGULATION

KEY QUESTIONS:
1 Are you aware that the General Data Protection Regulation (GDPR) comes into force in May 2018?
2 Do you know how to achieve GDPR compliance and who is responsible for doing so?
3 In what areas can IFS help you achieve compliance with the GDPR?

IFS WHITE PAPER
By Richard Rogers, Chief Information Security Officer, IFS

In this digital age, your business is rapidly accumulating more and more personal data that can identify individuals. The way that data is used and managed, and the degree to which individual privacy is protected, varies greatly. The EU General Data Protection Regulation (GDPR) will change all that. It sets out new rules to protect the privacy of European residents, and those rules bind any business that deals with them. There are tough penalties, up to 4% of annual global revenue or €20 million, whichever is greater, for those who don't comply with the new rules for processing personal data. Yet compliance is challenging for organizations across the world. Many are just starting to realize the volume of work that needs to be done. Gartner believes around half of all businesses affected by the GDPR will not be ready when the new regulation comes into force in May 2018.

While this document explores some of the basic principles of the GDPR, it is not a definitive guide. Its purpose is to help you understand how IFS can help achieve GDPR compliance and some of the issues you need to consider.

THE GDPR GETS PERSONAL: TO PROTECT INDIVIDUAL PRIVACY

The GDPR sets out a number of key definitions and concepts that are fundamental to the regulation and to achieving compliance. Firstly, the regulation aims to protect the personal data belonging to the data subject, an individual within the European Union. As we will see later, the meaning of this is not as straightforward as it first appears, but for now we will focus on the meaning of personal data, defined in Article 4, paragraph 1 of the regulation as:

"Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

The regulation is concerned with the processing of the data subject's personal data, where processing is defined in Article 4, paragraph 2 as:

"Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."

The scope of processing is therefore very broad, covering hard-copy and electronic data. It includes the potential to access, as well as actual access to, personal information relating to the data subject.

Data processing involves two key actors: the data controller and the data processor. The data controller is the entity (organization, public authority, agency, etc.) that determines the purpose for processing the data subject's personal data, as well as the manner in which it is processed. The data processor is the entity that processes the information on behalf of the data controller. A key change introduced by the GDPR, compared with previous data protection legislation, is the inclusion of the data processor's responsibilities within the scope of the regulation.

Another key aspect of the regulation is the transfer of personal data by the data controller or data processor to a location outside the EU. Transfer does not necessarily involve the storage of the data outside the EU: personal information held within the EU and accessed remotely from outside the EU also constitutes a transfer. Where transfers occur, the data controller or data processor responsible for the transfer must ensure that suitable safeguarding mechanisms are in place. These aim to ensure that the protection of the data subject's personal data being processed outside the EU is comparable to that applied when the data is processed within the EU. The regulation prescribes a number of ways in which this can be achieved, depending upon circumstance, including the use of EU standard contractual clauses (model clauses), binding corporate rules or recognized international agreements such as the EU-US Privacy Shield. It is beyond the scope of this document to go into details, but failure to ensure such safeguards are in place when transferring or processing personal data outside the EU constitutes a breach of the regulation. Further formal definitions used within the GDPR can be found in Article 4 of the regulation itself.¹

GDPR: WHO'S RESPONSIBLE FOR COMPLIANCE?

Fundamental to compliance with the regulation is an understanding of the role of your organization with respect to data controller and/or data processor responsibilities. Since the GDPR covers all aspects of the business operation, it is quite common for an organization to act in the capacity of both controller and processor for different sets of personal data it processes. For the purposes of this document we will focus on the aspects of the regulation as they relate to IFS products and services from a customer's perspective. Regardless of the decision to implement an IFS solution on premise, through the IFS Managed Cloud in Microsoft Azure service, or through one of our other software as a service (SaaS) products, an IFS customer holds the role of data controller, since they determine both the purpose and the manner in which a data subject's personal data is processed within their business. IFS holds the role of data processor for its customers, whether in the delivery of consulting and support services under an IFS service or maintenance agreement, or through the delivery of managed services and SaaS solutions.

¹ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR)

The responsibilities of these two roles are significantly different under the regulation. The data controller is accountable to the data subject for the protection of their personal data, and the data processor is accountable to the data controller for processing personal information in accordance with the purpose for which it has been provided, which in simple terms means execution of the customer's IFS service agreement(s). Before considering responsibilities further, it is important to clarify the scope of responsibility of the data controller and processor to the data subject, since this appears to have been subject to much debate and confusion.

WILL THE GDPR AFFECT YOU?

The GDPR applies to entities (e.g. organizations):
- in the EU that control, collect and use personal data (controllers), including where that data is transferred outside the European Union and where they process data originating from outside the European Union;
- in the EU that process personal data on behalf of controllers (processors), for the processing obligations that fall on processors, such as security;
- not located in the EU if:
  a) the organization has an establishment in the EU;
  b) the organization directs its business to the EU by offering goods or services to individuals in the EU; or
  c) the organization monitors the behavior of individuals taking place in the EU.
For organizations not located in the EU, the GDPR applies to the processing of personal data of data subjects who are in the Union.

From this we can conclude that the GDPR applies to the organization, and not to a data subject as such. Having assessed the applicability of the GDPR to the organization (as above), then, and only then, is it possible to determine its applicability to a given data subject's data. Where the GDPR applies, the data controller must ensure that the six principles of the GDPR are adhered to. In summary, these require that personal data is:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary;
- accurate and, where necessary, kept up to date;
- retained only for as long as necessary;
- processed in an appropriate manner to maintain security.

There is an additional principle, that of accountability. Put simply, the organization must also be able to demonstrate responsibility for data protection at the highest levels within the organization, with clearly defined roles and responsibilities adhering to some form of data protection management system. Data protection should be provided by design and by default, with impact assessments used to consider the risk to the data subject's privacy from processing their information in the intended manner. The data should be protected in proportion to the risk arising from the manner of processing, and training should be provided to those handling personal data. Accountability can most easily be demonstrated through the application of good information security; the implementation of a formal Information Security Management System goes a long way towards ensuring compliance.

The GDPR requires significant levels of documentary evidence of compliance with the principles. One of the biggest challenges organizations face in achieving compliance is assembling such documentation. As an example, where consent is used as the basis for lawful processing of a data subject's personal information, the burden of proof is on the data controller to demonstrate that consent has been explicitly granted by the data subject. Also of significance, and a change from previous data protection legislation, is the inclusion of the right of the data subject to withdraw their consent and, furthermore, to have their personal information removed (known as the "right to be forgotten"). The regulation itself goes into far more detail regarding the requirements of the key principles (see Articles 5 through 12). These will not be covered in further detail here; instead the remainder of this document considers how IFS customers might approach compliance with the regulation and how IFS is able to support them.
THE ROAD TO COMPLIANCE

We should start by making clear that organizational compliance with the GDPR cannot be achieved simply through the procurement of one or more compliant software products or SaaS solutions. To help clarify this point, we will use the analogy of a kitchen knife and the desire to know that the knife is safe. While the manufacturing quality of the knife can be assured, its overall safety will always come down to the context in which it is used: by a professional chef in a kitchen, probably yes; in the hands of a small child opening a tin of sweets, probably not. The same applies to business software such as IFS products and GDPR compliance. While the quality of the software and the functionality it offers both have their part to play in helping achieve compliance, it is the specific use of the software within the customer's business, as part of the overall business operation, that determines compliance or otherwise.

It is therefore suggested that an organization must start with an understanding of its processing of personal data, regardless of the information technologies used to support the processing. Processing of certain information for a particular purpose may be unlawful under the regulation regardless of the systems or software used. Article 30 of the GDPR sets out the requirements for keeping records of the processing of personal data within the organization. If not already performed, the first step is normally to perform a data mapping exercise that sets out how and where personal data is used within the business; the locations to which it is transferred (both inside and outside the EU); the entities holding data controller responsibilities and those acting as data processor; and so on. With such information mapped, the purpose of processing can be validated against the six principles, checking that the nature of the processing is lawful and, as an example and where applicable, is done with the consent of the data subject. Where information is being processed by a third party, as identified by the mapping, then appropriate safeguarding mechanisms need to be assured. These comprise data processing or data transfer agreements for organizations outside the EU, and standard commercial clauses in supplier contracts ensuring appropriate data protection is in place.

Examination again of the six principles summarized in the previous section shows that very few of them depend on software or technical solutions to achieve compliance. Rather, they are driven mainly by the nature of the business processes and practices. With that said, the following section describes how IFS products and services can be used to support GDPR compliance.

THREE WAYS IFS SUPPORTS YOUR COMPLIANCE

IFS can support your GDPR compliance from three specific perspectives.

IFS AS A TRUSTED SUPPLIER

As identified earlier in the document, a product or service supplier will normally hold the responsibility of data processor for customers implementing business solutions like those provided by IFS. The customer is therefore highly dependent on such suppliers' compliance with the GDPR, owing to the accountabilities of the data controller and data processors under the regulation.
Supporting customers with their deployment of IFS products, and the ongoing support of such products once in production within the customer's business, will usually necessitate IFS processing some aspect of personal data for which the customer is data controller. It is therefore critical that you, the customer, can trust IFS to fulfil our obligations under the GDPR. This trust must cover not just the day-to-day handling of information provided to IFS to support the implementation and maintenance of the business solution, but critically, in the event of a data breach or near miss, that the data processor and data controller will work efficiently and transparently together to address the situation.

IFS continuously reviews its information security practices, making improvements to its Information Security Management System in line with evolving threats. With the introduction of the GDPR, we have performed a thorough review of our use of personal data within the company, in the capacity of both data controller and, in the case of our customers, data processor, ensuring that our processing is compliant with the regulation. As IFS is a global organization, this includes our transfer of data across the IFS group of companies.

IFS AS A BUSINESS SOFTWARE PROVIDER

It is a mistake to assume that every software product that holds personal data must include GDPR-related functionality for it to be usable in accordance with the regulation. Take, for example, office applications such as word processors, spreadsheets, presentation tools, etc., all of which have the capability to hold personal data. It would be very difficult, if not impossible, to create specific functionality within such products that tried to enforce data protection compliance, owing to the endless set of possibilities for which the products can be used. That is not to say that we do not need to consider the significant volume of unstructured personal data that sits today within many organizations in such products; rather, we must look at the processes surrounding their use and ensure that these are compliant (i.e. why we hold such information, where it is stored, who can gain access, and so on). The same is true for IFS products, where compliance with the GDPR, or otherwise, is determined mainly by their use within the customer's business, as described earlier.

However, all software products involved in the processing of personal data should be able to support good information security. For example, limiting who has access to personal data in accordance with the stated purpose of processing is key, but is no different from good information security practice. IFS products provide information security by design. Governed by the IFS Product Security Board, product development processes and testing activities help provide customer confidence that personal data within IFS business solutions is held securely. Industry best practices, such as application penetration testing and vulnerability analysis, are used to check for potential security vulnerabilities, not just within the IFS products themselves but also in the third-party products on which they depend. Security patches are made available to IFS customers, 24x7, through the IFS Security Portal in the IFS Customer Portal.

IFS products provide security features by default that support customers in achieving their compliance requirements. These start with the underlying architecture of the products, which uses tried and trusted products from Microsoft and Oracle to provide a solid, supported foundation on which the business capabilities are built. The business applications themselves provide trustworthy user security models, ensuring that user access to information can be granted on a need-to-know basis. IFS Applications, for example, enables the creation and management of role-based user accounts that can limit access to data and functionality at a fine level of granularity where required to protect the most sensitive information. The security model is supported by the ability to define segregation of duty rules, which are frequently used to ensure adherence to company finance policies but can equally be used to help prevent the allocation of user permissions that conflict with data protection requirements. Data visibility can be restricted between parts of the customer's organization, to support data transfer restrictions arising from the GDPR, using built-in application constructs such as Company and Site. Document management provides support for document classes and document-level access control to help manage unstructured data within a structured environment.
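Role-based access and segregation of duty (SoD) rules, as described above, are generic access-control techniques rather than anything IFS-specific. The Python below is an added example, not IFS code, and does not describe the IFS Applications security model; the role names, permission names and SoD rules are constructed for the illustration. It shows the three checks a practitioner actually needs: a need-to-know test against the user's effective permissions, a grant-time gate that evaluates the user's combined role set (so a role that is harmless alone is still refused when it conflicts with a role already held), and a periodic audit plus a static analysis of the role model for role pairs that can never be co-assigned.

```python
"""Role-based access with segregation-of-duty (SoD) checks.

Added illustration, not IFS code: the roles, permissions and SoD rules
below are constructed for the example and do not describe IFS
Applications' actual security model.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[str]


@dataclass(frozen=True)
class SodRule:
    """A pair of permissions that no single user may hold together."""
    name: str
    conflicting: FrozenSet[str]


# Constructed roles for a fictitious HR/payroll deployment (assumption).
ROLES: Dict[str, Role] = {
    "hr_clerk": Role("hr_clerk", frozenset({"employee.read", "employee.update"})),
    "payroll_entry": Role("payroll_entry", frozenset({"payroll.create"})),
    "payroll_approver": Role("payroll_approver", frozenset({"payroll.approve"})),
    "dpo": Role("dpo", frozenset({"employee.read", "consent.read", "audit.read"})),
    "export_admin": Role("export_admin", frozenset({"employee.export"})),
}

# Constructed SoD rules: one classic finance rule, and one data-protection
# rule that keeps whoever can edit employee records from also bulk-exporting them.
SOD_RULES: List[SodRule] = [
    SodRule("payroll-entry-vs-approve", frozenset({"payroll.create", "payroll.approve"})),
    SodRule("update-vs-bulk-export", frozenset({"employee.update", "employee.export"})),
]


def effective_permissions(role_names: Iterable[str], roles: Dict[str, Role] = ROLES) -> FrozenSet[str]:
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for name in role_names:
        perms |= roles[name].permissions
    return frozenset(perms)


def is_permitted(role_names: Iterable[str], permission: str, roles: Dict[str, Role] = ROLES) -> bool:
    """Need-to-know check: a permission is held only if some assigned role grants it."""
    return permission in effective_permissions(role_names, roles)


def sod_violations(role_names: Iterable[str], rules: List[SodRule] = SOD_RULES,
                   roles: Dict[str, Role] = ROLES) -> List[str]:
    """Names of every SoD rule whose conflicting permissions are all held."""
    perms = effective_permissions(role_names, roles)
    return [rule.name for rule in rules if rule.conflicting <= perms]


def check_grant(current_roles: Iterable[str], new_role: str, rules: List[SodRule] = SOD_RULES,
                roles: Dict[str, Role] = ROLES) -> Tuple[bool, List[str]]:
    """Gate a role grant: allowed only if the *combined* role set breaks no rule.

    Evaluating the combination, not the new role alone, is what catches a
    grant that conflicts with a role the user already holds.
    """
    violations = sod_violations(set(current_roles) | {new_role}, rules, roles)
    return (not violations, violations)


def audit_assignments(assignments: Dict[str, List[str]], rules: List[SodRule] = SOD_RULES,
                      roles: Dict[str, Role] = ROLES) -> Dict[str, List[str]]:
    """Periodic review: users whose current role set already violates a rule."""
    report: Dict[str, List[str]] = {}
    for user, user_roles in assignments.items():
        violations = sod_violations(user_roles, rules, roles)
        if violations:
            report[user] = violations
    return report


def conflicting_role_pairs(rules: List[SodRule] = SOD_RULES,
                           roles: Dict[str, Role] = ROLES) -> List[Tuple[str, str]]:
    """Static analysis of the role model: role pairs that can never be co-assigned."""
    return [(a, b) for a, b in combinations(sorted(roles), 2) if sod_violations({a, b}, rules, roles)]


if __name__ == "__main__":
    # Constructed user-to-role assignments for the demonstration.
    users = {
        "alice": ["hr_clerk"],
        "bob": ["payroll_entry", "payroll_approver"],
        "carol": ["dpo"],
    }
    print("audit:", audit_assignments(users))
    print("grant export_admin to alice:", check_grant(users["alice"], "export_admin"))
    print("grant dpo to alice:", check_grant(users["alice"], "dpo"))
    print("role pairs that can never be combined:", conflicting_role_pairs())
```

Two design points carry over to any product's role model: SoD must be evaluated on effective permissions, not on role names, or a new role that repackages an existing permission silently bypasses the rule; and the static pair analysis is worth running whenever the role catalogue changes, since it reports conflicts before any user is ever assigned them.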

Case management can be used to support security incident management processes, including breach notification. This could include the use of escalation rules to help ensure incidents are reported within the strict GDPR notification timescales. Custom reports, custom fields and custom forms, IFS event management and logging can all be used to configure IFS Applications to your specific compliance requirements, with the additional option of adding risk and compliance to your enterprise cockpit using IFS Enterprise Operational Intelligence.

Existing customers of IFS Applications can make use of the above as part of their compliance solution, since the capabilities described have been available within the product for many years. For those customers on, or planning to upgrade to, the latest version of IFS Applications, a number of new enhancements are being added to support the GDPR. To be made available as part of a product update release before May 2018, these will allow customers to flag certain fields within IFS Applications as GDPR-relevant and use this as part of their data inventory for tracking and reporting the use of personal data within the organization. Additionally, functionality to support the regulation's right to be forgotten is being added; it will support the data subject's request to have their personal information removed from the data controller's information systems where appropriate (see Article 17).

IFS AS A SERVICES PARTNER

No business software or services supplier is able to deliver GDPR compliance as a service for its customers, since this involves far more than the implementation of the software solution within the customer's business. Rather, it extends to the heart of the business operation and the practices that support it. IFS's role is to help our customers achieve their compliance through the delivery of professional services, and specifically through our unique expert knowledge of the way IFS products are designed to operate and the feature-rich capabilities they provide. Having access to the authors of IFS products enables customers to fully understand the best way these features can be used in their business processes while meeting their compliance requirements. Furthermore, use of the IFS Scope Tool and IFS Implementation Methodology enables IFS customers to comprehend how functionality provided by our products can be used to meet existing and revised business practices. This occurs very early in the project lifecycle and enables buy-in from the customer's key stakeholders.

WHAT'S NEXT?

Ultimately, the GDPR is not a destination but a journey. Once the right procedures and policies are in place, organizations will not only be compliant and secure where personal data is concerned, but also in good stead to drive new revenue streams through more personalized, targeted services. To be ready for the journey and what comes next, Gartner believes that organizations need to take a fresh approach to the GDPR. The analysts advise five high-priority changes:²
1. Determine your role under the GDPR
2. Appoint a Data Protection Officer
3. Demonstrate accountability in all processing activities
4. Check cross-border data flows
5. Prepare for data subjects exercising their rights

Taking such a step-by-step approach, with the right expert guidance, means that preparing for the GDPR need not be as daunting as it first appears. It is not the completely new and complex regulation that many believe it to be; it builds on the previous data protection directives used across Europe to deliver a common framework that aligns with today's technological and global landscape. Put simply, GDPR compliance is an extension of good information security practice, covering internal operations as well as the complete supply chain.

IFS can work with you to help you achieve compliance with the GDPR by establishing this broader data protection and information security framework. We do so through the quality and trustworthiness of our products; the skills and knowledge of our consultants and support staff; and the continuous improvement of our internal information security processes and practices.

"Rapid technological developments and globalization have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organizations, while ensuring a high level of the protection of personal data."
General Data Protection Regulation (EU) 2016/679, Recital 6

² Top 5 Priorities to Prepare for EU GDPR, Gartner, June 2017

FURTHER READING

Information regarding the GDPR can be found in the following references:
- Gartner Newsroom: Gartner Says Organizations Are Unprepared for the 2018 European Data Protection Regulation
- UK Information Commissioner's Office (ICO): Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now
- ISO27000 Guide.com: ISO and GDPR: How can ISO help?

ABOUT IFS

IFS develops and delivers enterprise software for customers around the world who manufacture and distribute goods, maintain assets, and manage service-focused operations. The industry expertise of our people and solutions, together with commitment to our customers, has made us a recognized leader and the most recommended supplier in our sector. Our team of 3,500 employees supports more than one million users worldwide from a network of local offices and through our growing ecosystem of partners. For more information about IFS, visit IFSworld.com

AMERICAS: Argentina, Brazil, Canada, Ecuador, Mexico, United States
ASIA PACIFIC: Australia, Indonesia, Japan, Malaysia, New Zealand, Philippines, PR China, Singapore, Thailand
EUROPE EAST AND CENTRAL ASIA: Balkans, Czech Republic, Georgia, Hungary, Israel, Kazakhstan, Poland, Russia and CIS, Slovakia, Turkey, Ukraine
EUROPE CENTRAL: Austria, Belgium, Germany, Italy, Netherlands, Switzerland
EUROPE WEST: France, Ireland, Portugal, Spain, United Kingdom
MIDDLE EAST AND AFRICA: India, South Africa, Sri Lanka, United Arab Emirates
SCANDINAVIA: Denmark, Norway, Sweden
FINLAND AND THE BALTIC AREA: Estonia, Finland, Latvia, Lithuania

IFSworld.com

COPYRIGHT 2018 INDUSTRIAL AND FINANCIAL SYSTEMS, IFS AB. IFS AND ALL IFS PRODUCTS AND SERVICES NAMES ARE TRADEMARKS OF IFS. ALL RIGHTS RESERVED. THIS DOCUMENT MAY CONTAIN STATEMENTS OF POSSIBLE FUTURE FUNCTIONALITY FOR IFS'S PRODUCTS AND TECHNOLOGY. SUCH STATEMENTS ARE FOR INFORMATION PURPOSES ONLY AND SHOULD NOT BE INTERPRETED AS ANY COMMITMENT OR REPRESENTATION. THE NAMES OF ACTUAL COMPANIES AND PRODUCTS MENTIONED HEREIN MAY BE THE TRADEMARKS OF THEIR RESPECTIVE OWNERS.

IFS AB 2018. Production: IFS Corporate Marketing, February 2018.