WHITE PAPER. A Practical Guide for GDPR Compliance. Published July 2017. An Osterman Research White Paper


WHITE PAPER

A Practical Guide for GDPR Compliance

An Osterman Research White Paper

Published July 2017

Osterman Research, Inc. P.O. Box 1058, Black Diamond, Washington, USA. info@ostermanresearch.com

EXECUTIVE SUMMARY

The General Data Protection Regulation (GDPR) has been approved by the European Union and, once it comes into force in May 2018, will give data subjects significant new rights over how their personal data is collected, processed, and transferred by data controllers and processors. It demands significant data protection safeguards to be implemented by organizations. The time to get ready is now, as the consequences of getting it wrong are significant.

KEY TAKEAWAYS

Most organizations are not yet adequately prepared for compliance with the GDPR, as shown in Figure 1.

Figure 1: Organizational Preparedness for the GDPR. Source: Osterman Research, Inc.

The GDPR is a sweeping and far-reaching update to the European Directive on Data Privacy from 1995. It harmonizes data protection requirements across all 28 Member States, introduces new rights for data subjects, and applies extra-territorially to any organization controlling or processing data on natural persons in the European Union.

Complying with GDPR is not optional. If your organization controls or processes personal data on natural persons in the European Union, GDPR almost certainly applies to you. There are a whole host of requirements and mandates that need to be in place when GDPR comes into force, not least of which is that when a data breach occurs, the local data protection authority and all affected data subjects [i] must be notified within 72 hours.

GDPR requires data controllers and processors to implement both organizational and technical safeguards to ensure the rights and freedoms of data subjects are not compromised. Organizational safeguards include data protection impact assessments, data protection by design for both structured and unstructured data, and the appointment of a data protection officer who reports to the highest level of the organization. Technical safeguards include pseudonymization, encryption, and various capabilities for identifying and blocking data breaches, ensuring data security, and automatically identifying and classifying personal data, among others. It is important to note that a data breach according to the GDPR also includes accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, and so preventing unauthorized use or access must also be considered as a key element of GDPR compliance.

The deadline for being compliant with GDPR is rapidly approaching, and the transitionary period between the earlier Directive and the new Regulation is on now. Once the Regulation goes into force on May 25, 2018, organizations will be expected to comply immediately from that date.

Being non-compliant with GDPR will be very expensive. In addition to other financial consequences, there are two tiers of regulatory fines, the more expensive of which is a fine of up to €20 million or four percent of the annual worldwide turnover for the organization, whichever is higher. However, there is a need for continual compliance with the GDPR, since a failed audit can have damaging financial consequences. Consult Hyperion has estimated that European financial firms alone may face GDPR-related fines of $5.3 billion in the first three years after the GDPR becomes effective [ii].

ABOUT THIS WHITE PAPER

This white paper was sponsored by RSA. Information about the company is provided at the end of this paper.

WHY IS THE GDPR IMPORTANT?

The General Data Protection Regulation (GDPR) is the newly harmonized European-wide regulation that mandates the protection of data about people living in the European Union, by every organization that controls or processes data on people in the EU, regardless of where that organization is located around the world. Its correct name is Regulation (EU) 2016/689, and it updates, replaces, and extends the protections previously afforded through the earlier 1995 directive on data privacy (Directive 95/46/EC). Protections for personal data of individuals involved in criminal proceedings are excluded from the GDPR; the protection regime for such circumstances is outlined in a complementary directive (Directive (EU) 2016/680), and is beyond the scope of this paper.

The new GDPR is important, for several reasons:

It almost certainly applies to you. If your organization controls or processes data on people living in the European Union - even if your organization is not located in the EU - it applies.

It has a significant bite, in the form of sky-high regulatory fines for non-compliance. If you meet the test of applicability for the GDPR, you cannot opt out of complying.

It touches every data process in organizations that collects or processes personal data on people, and it covers both direct and indirect data identifiers in every data system.

It forces organizations to know and understand their data from a 360-degree perspective. Organizations that process EU citizen data will need to know where it is being processed, who is processing and storing it, and demonstrate the ability of erasure on it no matter where it lives.

It demands greater transparency with people on how their data is collected and processed, and introduces notification requirements when personal data is breached. There are reputational consequences of getting this wrong, particularly in light of the fact that during the previous 12 months, 47 percent of the organizations surveyed for this white paper have suffered a breach of customers' or other personal data, employees' personal data, corporate intellectual property, or other sensitive or confidential information.

There is now no cost associated with requests from data subjects, which means that it is now more likely that many more individuals will be making demands about the information that is held about them.

You are running out of time. GDPR was signed into law just over a year ago (via publication in the EU Official Journal in early May 2016), and will be enforced starting May 25, 2018.

The earlier Directive on data privacy came into force in 1995, just as the Internet was beginning its adoption trajectory. One of the driving reasons for the new GDPR was to strengthen data protection requirements in light of an increasingly global and interconnected world, and the regulators took an interesting path. Instead of regulating territorially on organizations within the EU, it shifted the focus to where data subjects reside. This subtle shift means GDPR applies to the personal data of data subjects in the EU (territorially), but has borderless applicability to organizations. The test is no longer whether your organization is in the EU, but rather whether your organization collects or processes the personal data of people who are in the EU. Specifically:

Article 23 lists key tests of applicability for organizations not located in the EU. The primary test is that "the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment." However, "mere accessibility" to an organization's website or address is not sufficient to establish the intent of offering goods or services; whereas factors such as the use of a currency generally used in a member state, and listing customers located in the Union on your website, do ascertain that intention.

Article 24 offers a second key test of applicability: when an organization controls or processes data for monitoring the behavior of people that happens within the EU. Specific actions include tracking on the internet, "profiling" based on past actions, and "analyzing or predicting... personal preferences, behaviors and attitudes." If your organization does this for people within the EU, GDPR applies regardless of where you are located.

With the UK's vote in 2016 to leave the European Union, there has been some discussion about the applicability of GDPR. There are two answers. First, the Data Protection Act is the UK law for data protection, and if the UK does leave the Union, the GDPR will not apply to data subjects and personal data within the UK. Second, the GDPR does apply to Europe, and any UK firm that wants to sell into the EU Single Market will have to comply with GDPR requirements. Individual firms can upgrade their data protection approaches to the GDPR mandates, in addition to whatever regulatory reform is undertaken in the UK to provide equivalent data protection standards.

In closing, GDPR is coming fast, it almost certainly applies to your organization, and the consequences of getting it wrong are severe. Equally, however, are the positive consequences of getting it right, including a strong foundation for working with businesses in Europe, a clear understanding of consumer preferences, and strong internal data protection and security controls that foster trust with customers and partners alike.

ON THE PRIVACY OF PERSONAL DATA IN THE EU

"Privacy" of personal data has been an essential concept in European law since 1995, when the Directive on data privacy was introduced. As a directive, however, it did not directly mandate data privacy protections for EU Member States, as each State had the freedom to include the recommended privacy protections in their own laws. This freedom led to nuances and differences in data privacy regulations across Member States, making it complex for firms to meet compliance requirements.

The new GDPR is different. First, it is a regulation - and not a directive - for all EU Member States. Member States don't have to enshrine GDPR into their own laws; it already applies to all of them. Second, the more limited focus on "data privacy" in the earlier directive has given way to a broader emphasis on "data protection" in GDPR; this higher standard demands more of organizations everywhere.

The question as to why privacy and protection of personal data is necessary is addressed in Article 75 of GDPR. The view is that lack of privacy and protection increases "risks to the rights and freedoms of natural persons... which could lead to physical, material or non-material damage." Specific examples listed include discrimination, identity theft, fraud, financial loss, and loss of confidentiality of personal data, among others.

WHAT IS PERSONAL DATA ANYWAY?

Personal data is the first definition given in Article 4: "any information related to an identified or identifiable natural person" (called a data subject throughout the GDPR). Direct identifiers include name, ID number, and online identifiers (e.g., address), and indirect identifiers include location data and various types of identity. The personally identifiable information (PII) that will be relevant in the context of the GDPR includes data subjects' biometric data, network identifiers, images, hobbies, political preferences, religious preferences, sexual orientation and other information about EU residents. The key test is whether direct and indirect personal data can be used to uniquely identify a natural person: while the person's name obviously can, so can the combination of indirect identifiers. For example, a study in the United States found that date of birth, zip code, and gender allowed for the unique identification of 87 percent of Americans, hence the need to afford indirect identifiers the same level of protection as direct ones. [iii]

The Directive of 1995 and the Regulation of 2016 are directionally the same, but the Regulation demands a significant uplift in data protection. For example:

Data subjects acquire many new rights, including the right to be forgotten, the right to move their data to another provider, and the right of access to verify data correctness and the processing activities his or her data are subjected to.

Organizations that control or process personal data must meet elevated protection mandates, including gaining specific consent from data subjects, record keeping, notification of data breaches, and having the organizational and technical means to respond to the rights of data subjects in a timely manner.

Under the Directive, data processors only had responsibilities insofar as they were demanded through contractual agreements with data controllers. Under GDPR, processors now have direct obligations to implement appropriate security measures, maintain records of processing activities, and meet data breach notification requirements.

DRIVERS FOR INTRODUCING THE GDPR

Several factors drove the development of the GDPR for Europe, including:

Modernizing the data protection laws to take account of the Internet, digital marketing, social networks, and the whole plethora of data tracking capabilities currently on offer and coming due to technological advances since the Directive was introduced in 1995.

Harmonizing the legal framework for data protection across Europe, moving from separate regulations in Member States to a Digital Single Market with common standards and rules for all. The European-wide regulation simplifies compliance for organizations operating in multiple States.

Driving a stronger culture of data protection and security into the heart of organizational data processes. The regulation makes clear the requirements on organizations controlling or processing personal data, and demands stronger measures to protect data subjects and reduce mistakes in handling personal data.

Leveling the playing field so organizations outside of the Union can't claim immunity from data protection requirements when handling personal data of EU natural persons. The Directive applied territorially to organizations; the Regulation applies territorially to the personal data of data subjects, and to organizations regardless of location.

Impacting global legal frameworks on data protection, by making GDPR apply to any organization controlling or processing personal data on data subjects in the EU, and by demanding equivalent data protection standards from other countries and jurisdictions wanting to trade with the EU single market. We have previously commented that the GDPR should be more appropriately called the "Global" Data Protection Regulation, given its legal impacts.

COMPLIANCE TIMEFRAME

The European Commission introduced its data protection reform in early 2012, and after four years of negotiations the GDPR was adopted by the European Council and European Parliament in April. It was published in the EU Official Journal in early May last year, and comes into force on May 24. It will apply from May 25, 2018. There is no transitionary period as such after coming into force; that time is the two years between May 2016 and May 2018, of which we are already more than half way through.

BREXIT AND THE GDPR

It is important to note that regardless of the implementation of Brexit (the UK's exit from the EU), the GDPR will continue to apply to subjects and organizations within the UK. The UK's Information Commissioner's Office (ICO) has clearly stated that the GDPR will be the minimum standard of protection for personal data. Specifically, the ICO has stated that [iv]:

The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR.

The GDPR applies to controllers and processors. The definitions are broadly the same as under the [UK Data Protection Act] - i.e., the controller says how and why personal data is processed and the processor acts on the controller's behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.

If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.

However, if you are a controller, you are not relieved of your obligations where a processor is involved - the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

NON-COMPLIANCE PENALTIES

There are major penalties for non-compliance with GDPR, and these are set in two tiers (Article 83). Administrative fines of up to €10 million or two percent of the total worldwide annual turnover (that's revenue, not profit) for the organization can be levied for various infringements, such as not enacting data protection by design and by default (Article 25), failing to keep adequate records of processing activities (Article 30), and not ensuring appropriate security of processing (Article 32), among many others. The failure of an audit of GDPR compliance, which will be a more common event than a violation of the GDPR itself, can also result in penalties. The higher tier of fines - which are up to €20 million or four percent of total worldwide annual turnover - is for more serious wrongdoing, such as not following the basic principles of collecting and processing data (Article 6), failing to acquire adequate consent from a data subject (Article 7), and not providing data subjects with their rights (Articles 12 to 22).

Both penalty levels are whichever is higher between the Euro figure and the percentage amount, so an organization with a worldwide turnover of €10 billion could face a fine of €400 million under the second tier. Note that data subjects themselves also have the right to seek damages through a civil court from an organization that fails to protect their personal data.

THE ESSENTIAL REQUIREMENTS OF THE GDPR

Let's briefly review the essential requirements of the GDPR. You must:

Have a legal basis for controlling and processing personal data (Article 6). Legal grounds include direct consent from the data subject, for performance of a contract with the data subject, compliance with a legal obligation of the controller, protecting the vital interests of a data subject, and the legitimate interests of the controller. It is essential to be very clear on the specific legal basis for collecting and processing personal data, because some rights held by data subjects apply only to data held under one or two legal grounds, for example. While the "legitimate interests" basis appears to give wide sway to organizations, there are various provisions that limit its applicability, such as taking into account the context in which the data was collected and the relationship between the data subject and the controller.

Collect and process personal data only for lawful purposes, and protect it at all times. Required protections include preventing accidental or unlawful destruction, loss, processing, disclosure, access, and alteration. Data subjects have significant rights and freedoms under GDPR, and these must be upheld through appropriate organizational and technological measures.

Maintain documentation of all data processing activities (Article 30). Required details include the purposes of the processing, categories of data subjects and personal data involved, categories of recipients, safeguards on any data transfers, and if possible, time limits for erasure. A description of technical and organizational security measures is also required. These records are to be kept in writing or electronic form, and available for audit and review by the supervisory authority on request. Organizations with fewer than 250 employees are excluded from these documentation requirements, with some provisos.

Perform an assessment on the risks to the rights and freedoms of controlling and processing personal data, and develop organizational and technological mitigations for the identified risks. The risk assessment has to include any third-party relationships for data held and processed on your behalf.

Be able to demonstrate compliance with the GDPR, through organizational and technical measures, and the on-going assessment of the strength and suitability of these measures (Article 25). Demonstrating compliance includes having policies on how to protect data under your control, an up-to-date assessment of risks to personal data (e.g., unauthorized or overprivileged access), workable technical measures that enforce protection (such as encryption), rules on transferring data to other countries, a staff training and awareness program, the means to identify and investigate data breaches, and the means to respond promptly to data access requests by data subjects, among others. All of these measures are on-going: they need to work at all times, and having the means to verify the effectiveness of implemented measures is essential. Certification mechanisms are mentioned throughout the GDPR as well, highlighting the on-going nature of compliance. Overall, the clear intent of the GDPR is that personal data is actually protected, not merely that organizations implement data protection tools.

Meet the elevated standard of consent, anytime consent is the legal basis for processing data (Article 7). Consent means "any freely given, specific, informed and unambiguous indication of the data subjects' wishes... by a statement or by a clear affirmative action, [that] signifies agreement to the processing of personal data relating to him or her" (as defined in Article 4(11)). Consent cannot be implicit, the result of pre-ticked boxes, or silence. Consent must be documented (which means the data controller must be able to produce evidence that consent was given). And among other stipulations, consent cannot be bundled (it must be given for each specific processing operation and purpose), and the data subject must be able to withdraw consent just as easily as they gave it. This elevated standard of consent applies to consent gained after GDPR comes into force in late May 2018, as well as to any pre-GDPR consent indications that will be used after GDPR goes live.

Minimize the amount of personal data processed, a principle called data minimization (Article 5(c)). The intent of this requirement is that superfluous or extraneous personal data that is not required for a specific processing activity are not collected or processed. Article 25 takes this requirement further, in addressing the requirement of "data protection by design and by default." Once personal data is no longer required for current data processing activities, it should be minimized through pseudonymization (a process of replacing direct and indirect identifiers with near-meaningless values, although these can be reidentified through specific means) or the data should be erased.

Notify the supervisory authority of a data breach within 72 hours of becoming aware of the breach (Article 33), and under certain circumstances, notify every data subject whose data was breached as well (Article 34). A breach notification is not required to the supervisory authority if the breach is "unlikely to result in a risk to the rights and freedoms of natural persons," nor to data subjects if the breach won't result in a "high risk" to their rights and freedoms. For example, if the breached data was encrypted with a sufficiently strong encryption mechanism, data breach notifications are not required.

Appoint a data protection officer (Article 37), who can be an employee for one organization, a representative for a group of organizations, or an external consultant. This is mandatory for public authorities, and for organizations that meet one or both of two tests: core activities "consist of processing operations which... require regular and systematic monitoring of data subjects on a large scale," or that special categories of data are processed on a large scale. The data protection officer (DPO) must have "professional qualities," "expert knowledge of data protection law and practices," and the ability to perform the tasks detailed in Article 39. Such obligations include informing and advising the controller and processor (and employees) of their obligations under GDPR, monitoring compliance, and being the liaison person with the supervisory authority. The DPO must "directly report to the highest management level" (Article 38), and is to be afforded independence in carrying out his or her tasks.

Carry out a data protection impact assessment (DPIA) for envisaged processings that are "likely to result in a high risk to the rights and freedoms" of data subjects, and secure the participation of the designated data protection officer in the assessment (Article 35). High risks cover activities like automated processing and profiling, decisions that produce legal effects for people, large scale processing of "special categories of data," and the "systematic monitoring of a publicly accessible area on a large scale." The intent of such assessments is to force the pre-processing evaluation of what is actually necessary, how the processing activity could harm data subjects, and how to develop organizational and technical mitigations to reduce any foreseen harm. Under some circumstances, organizations must consult with the supervisory authority prior to undertaking the processing itself, and wait until the supervisory authority has ruled the processing activity to be lawful (Article 36).

Ensure the protection of data during processing activities, through the implementation of "appropriate technical and organizational measures" (Article 25). These protection safeguards are to be implemented when determining how to carry out a processing, and at the actual time of carrying out the processing activity. The safeguards required are to be in proportion to the risks to the rights and freedoms of data subjects. Article 32 lists technical and organizational security measures such as pseudonymization, encryption, processing system confidentiality, integrity and resilience, and a regular testing process for ensuring the security measures actually work.

Abide by specific conditions when processing special categories of data. Article 9(1) states the general prohibition: "Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited." Article 9(2) then lists 10 exclusions to the general rule. Given the elevated harm that can accrue to individuals based on these special categories of data, greater protections are mandated. GDPR recognizes that the use of data may be sensitive, and hence seeks to limit such usage, which is why data protection impact assessments are generally necessary for processing special categories of data, the data protection officer must be across such processing, and consultation with the supervisory authority is required.

Respond promptly to requests from data subjects about the personal data you control, process, or transfer about him or her (Article 15). The data subject has the right of access to know the purposes of the processing, categories of personal data processed, recipients or categories of recipients the data will or have been disclosed to, how long the data will be stored, their right to rectification or erasure, and more. If the personal data is subjected to automated decision-making and profiling, you have to provide "meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject." The first request from a data subject must be fulfilled free of charge, although "a reasonable fee based on administrative costs" can be levied for "further copies." Article 63 adds that the data subject should be able to "exercise [this] right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing." Article 63 goes on to suggest the use of a "secure system" that gives the data subject direct access to his or her personal data.

Update and correct any inaccurate personal data held about a data subject, by various means including a supplementary disclosure from the data subject (Article 16). This is the flip side of the data subjects' right to rectification. Organizations will need tight integration across all data systems and processes to ensure data updated in one system is automatically and correctly updated across all other locations too.

Permanently erase any personal data about a data subject under specified conditions (Article 17). These include the withdrawal of consent by the data subject (where consent was the original lawful basis for collection and processing), the data has been unlawfully processed, and the data subject objects to the processing of their personal data and there are no other legitimate grounds for continuing to process the data. If the data has been made public by the controller or processor, "reasonable steps" need to be taken to inform other controllers and processors of the erasure request.

Be able to temporarily restrict the processing of personal data on request from the data subject under certain conditions (Article 18). These include contested accuracy, unlawful processing but erasure is not requested, and the data subject's need for the personal data for legal claims but where further processing is not necessary. Article 67 outlines several methods for restricting processing, and requires that this fact "should be clearly indicated in the system."

Supply personal data concerning a data subject in a "structured, commonly used and machine-readable format" in response to a request for data portability (Article 20). This requirement is limited to the personal data the data subject "has provided to a controller," and the data subject can request the controller to transmit the data to a new data controller "without hindrance" or in good faith. There are various exclusions noted in Article 20, such as where other lawful grounds apply to future processing activities.

Have alternative methods available for making decisions about people rather than just automated processing and profiling, such as human intervention (Article 22). There are several exceptions to this mandate, such as the necessity of processing related to contractual matters, exemptions under Union or Member State law, and where the data subject's explicit consent has been given (and not withdrawn). Article 22 makes it clear, however, that whatever happens, the data subject's rights and freedoms must be safeguarded.

Prevent data from being transferred outside of the EU to "a third country or to an international organization" unless specific protections are in place (Article 44). These protections can be either an adequacy decision by the European Commission (the target recipients have an adequate level of data protection; Article 45), or the controller or processor has appropriate safeguards in place and legal remedies available (Article 46), such as Binding Corporate Rules (Article 47), among others.

Ensure additional restrictions are in place to safeguard the handling of personal data of children when services are offered directly to children (Article 38). Language aimed directly at children must be "in such a clear and plain language that the child can easily understand," (Article 58) and consent is required from "the holder of parental responsibility over the child" for children under the age of 16 (Article 8), although Member States can lower this to 13 years. One strong implication of this requirement is the ability to verify proof of age.

It should be clear from the above brief review that the GDPR demands many significant undertakings from all organizations controlling or processing personal data on natural persons in the European Union.

A CHECKLIST FOR GDPR COMPLIANCE

Use the following checklist to gauge your readiness for GDPR compliance, starting May 25, 2018.

Columns: Item, Description of Task, NC, CC (NC = Not Compliant, CC = Completed and Compliant)

1    Elevate the importance of the GDPR to the highest level in your organization
     Definitely: CEO and Senior Management Team
     Most Likely: Board of Directors

1.1  Educate key decision makers on the GDPR and its impacts for your organization
     Impact: Appoint a Data Protection Officer, who must report directly to the highest level of management in the organization.
     Impact: Execute GDPR requirements within an overall framework of data protection compliance. GDPR isn't the only regulation your organization is subject to.
     Impact: Create a cross-organizational task force to ensure GDPR compliance by May 2018 at the latest; this is not the job for any group working alone.

1.2  Understand the two levels of penalties for non-compliance with GDPR and the causes for each tier of fines, as well as bad PR through failed audits, data breaches, higher data processing costs, etc.
     Tier 1: €10 million or 2% worldwide turnover
     Tier 2: 20 million EUR or 4% worldwide turnover
     Idea: Calculate the fine for your organization at 2% and 4% of annual worldwide turnover for the previous year. Compare this cost in light of the cost of becoming compliant.
     Mitigation: The supervisory authority will evaluate evidence of action toward protecting the rights and freedoms of data subjects when setting a fine. It will go much better for an out-of-compliance organization that has a comprehensive program underway to develop a data protection system and culture, compared with one that does not.
     Mitigation: Evaluate cyber-insurance options.

1.3 Develop and implement employee training on data protection, the GDPR, and the rights and freedoms of data subjects
  Topic to Cover: What employees must do
  Topic to Cover: What employees must not do
  Topic to Cover: Tasks and responsibilities in ensuring data protection for data subjects

1.4 Assess the principle of data protection by design and by default against your current systems and processes
  Include: Assess current systems that hold personal data on customers for the risks they create to the rights and freedoms of data subjects
  Include: Assess current systems that hold personal data on employees for the risks they create
  Include: Public facing websites, customer relationship management systems, direct marketing systems, the corporate intranet, employee profiles, Active Directory and other directory solutions that provide authentication to various data sources, HR systems, custom internal applications, and more.
  Warning: Many of your existing systems were probably developed prior to GDPR, so data privacy and protection may be viewed as add-ons rather than integral design choices. That philosophy needs to change under GDPR.

1.5 Evaluate whether personal data on EU data subjects will be transferred outside of the EU, and if so, what safeguards will be enacted to protect personal data
  Options: An adequacy finding by the European Commission and the use of Binding Corporate Rules are two possible options, among others.
  Task: Considering the risks to personal data, develop appropriate organizational and technical measures for data transfers.

1.6 Review data sharing and processing agreements with other organizations, and evaluate their compliance with the provisions of the GDPR.
  Include: Review contracts and agreements with business partners, cloud service providers, and other third-parties that can access personal data under your control.
  Include: Review the organizational and technical measures embraced by third-parties to protect personal data, and the efficacy of such approaches.
  Include: Develop or adopt certification mechanisms or codes of conduct to govern data protection by third-party organizations

1.7 Look for associations and other bodies that represent your type of business and are working actively on industry-wide approaches to GDPR compliance
  Benefit: GDPR is a major change for all organizations. Developing shared best practice helps to ensure that GDPR compliance is effective for all industry players, and active involvement in industry efforts signals a serious-minded approach to developing your GDPR approach.
  Benefit: The data subject's right to data portability requires the development of interoperable data formats. Associations and other bodies can champion such work.

1.8 Get started immediately, and allow sufficient time for the process. Don't wait until the last moment.
  Consider: Engage early and directly with your supervisory authority.
  Consider: Engage early and directly with external legal and professional services firms with a specialization in GDPR compliance. Leverage their wider experiences in your GDPR roadmap.

2 Evaluate current industry standards and certifications that provide a structured framework to guide compliance with GDPR (and similar obligations), both for your organization and any third-parties.
  Benefit: You can use commonly accepted marks and seals to signal your data protection standards to data subjects, the supervisory authority, prospective business partners, and other interested parties.
  Example: ISO is an international information security standard that can help with GDPR compliance initially and ongoing. It offers independent certification, and provides an overall framework for information security. Note that it does not give 100% GDPR compliance (for example, responding to the rights of data subjects).
  Example: ISO is the international standard for protecting personal data stored in public cloud services, adding a substantial set of controls for operational security

3 Conduct an end-to-end data inventory and audit, so as to know every location where personal and sensitive personal data is located, processed, stored, or transmitted. Evaluate your ability to identify, analyze in place, and classify personal information. Apply remediation policies to different categories of data and delete unneeded data (and thus minimize regulatory exposure). Include in this effort appropriate management of access privileges, and the ability to search across systems to respond to subject access requests by gathering and remediating personal data (producing, deleting, etc.).
  Include: Data systems under the control of your organization, such as systems, databases and applications, file servers, file shares, cloud share and sync services, SharePoint and other collaboration systems, and archives.
  Include: Data stored in authoritative sources, as well as data that is stored on endpoint devices (as opposed to being merely accessed).
  Include: Data flows to and from countries outside of the European Union, considering the lawfulness of such transfers under GDPR.
  Include: Ensure that third party data processors will be compliant, able to offer all the functionality required, and have effective audit and reporting processes in place to protect data and respond in time.

3.1 Identify and catalog data systems and assets outside of the organization's direct control
  Example: Non-sanctioned use of cloud storage services such as Dropbox, Box, and other similar services.
  Example: Synchronization of corporate data to cloud services that is then synced and accessed from non-corporate devices (e.g., personal mobile devices and home computers)

3.2 Evaluate data sovereignty and data residency obligations under GDPR, and how these are enforced by cloud service providers used across your organization

3.3 Identify organizational and technical measures that make personal and sensitive personal data inaccessible to the organization, to protect the rights and freedoms of data subjects
  Example: Identity management and access control, to ensure only the right people have access to data at the right time
  Example: Encryption at rest, in use, and in motion
  Example: Pseudonymization
  Example: Data protection by design and by default
  Recommendation: Keep good records of the organizational and technical measures evaluated and implemented. You will need to be able to demonstrate actions and mitigations aligned with GDPR compliance when being audited or monitored by a supervisory authority

4 Classify current data appropriately to determine specific categories of data that will be subject to the GDPR
  Remember: Both direct and indirect identifiers must be protected, and the use of data can be sensitive, not just the data value itself

4.1 Determine the categories of data that would trigger a data breach notification, and note the breadth of where such data could be breached from
  Include: Authoritative sources such as databases, directories, and customer relationship management systems
  Include: Ad-hoc data sources, such as file servers, SharePoint sites, and
  Include: Test and development environments that have working copies of production systems (and therefore could have valid personal data too)
  Include: Endpoint devices that have synchronized copies of personal data

4.2 Establish the lawful basis for each category of data held and associated processing undertaken on such data
  Remember: All processing activities require a lawful basis, and these are specified in the GDPR
  Warning: While consent is the broadest lawful basis, there is an elevated standard of consent required, and consent can be withdrawn at any time

5 Review and update current privacy and data protection policies to ensure conformance with GDPR
  Remember: Existing policies will probably have to be updated to conform with GDPR
  Example: How to protect personal data
  Example: How to limit access to personal data
  Example: How to ensure international transfers are lawful
  Warning: While policies are essential, as they create the internal legal framework for how work is supposed to be done, policies alone are insufficient. These organizational measures must be complemented by technical measures to ensure adherence.

5.1 Implement appropriate mechanisms for establishing and receiving consent from data subjects, reflecting the elevated conditions on consent
  Include: Update existing consent for personal data, as this will be required after GDPR comes into force
  Include: Determine how to collect and store evidence of elevated consent
  Include: A method of withdrawing consent that is just as simple as giving consent
  Remember: Consent must be given specifically for each processing activity. Bundled consent is not allowed

5.2 Develop capabilities for responding to data access requests by data subjects.
  Include: The processing activities their data are subject to, and the duration of time for which data will be retained and processed
  Include: Notification of the right to object to processing, as well as rights of rectification and erasure (under specified conditions)

6 Implement policies and processes for the new requirements under GDPR, such as the rights of data subjects
  Example: Responding to the right of access, rectification, or erasure within the allocated timeframe, and without onerous and expensive manual processing requirements
  Example: Responding to data portability requests, using an appropriate digital format, and when required, transmitting the requested data directly to the new provider.
  Remember: The right of erasure, for example, applies to all instances of personal data, not just data in the authoritative system. Ensure you can catch all copies and extracts
  Warning: Failure to address the rights of data subjects is a Tier 2 offence, attracting a possible fine of 20 million EUR or 4% of worldwide annual turnover, whichever is higher. It is worth getting it right

6.1 Document all data processes and bring them into alignment with GDPR requirements. Keep accurate records of all data processing activities
  Remember: Processing in core systems is relatively easy to safeguard, but data protection for exported data and data in test systems is also essential
  Warning: Failure to have an accurate register of data processing activities is a Tier 1 offence, attracting a possible fine of 10 million EUR or 2% of worldwide annual turnover, whichever is higher. It is worth doing it properly.

6.2 Modify or disestablish any data processes that are not compliant with GDPR requirements and are no longer necessary
  Example: Use pseudonymization or full anonymization to remove personal data from data processes that are no longer required
  Warning: Ensure that you have the lawful basis for deleting personal data, and that such personal data is not going to be required in the future for legitimate purposes, such as establishing or defending legal claims

6.3 For services targeted directly at children, establish appropriate practices for verifying data subjects' age, and where necessary, for gaining parental or guardian consent
  Remember: GDPR sets the age of a child as less than 16 years, but Member States have the right to reduce it to 13 years. Beware regional variations in different Member States

6.4 Develop and implement the data protection impact assessment process, for use when necessary
  Include: Prior consultation with the supervisory authority when the impact assessment reveals high risks to the rights and freedoms of data subjects
  Remember: Your data protection officer must be involved in this process
  Recommendation: Make this an auditable process, to create a trail of evidence of good practice in data protection

6.5 Implement appropriate policies and notification schemes that will be triggered in the event of a data breach
  Include: Real-time, continuous monitoring to detect suspicious or unauthorized changes or unauthorized access to files or systems that contain personal data.
  Remember: Notification is not required if there is no risk to the rights and freedoms of data subjects as a consequence of the breach
  Remember: If there is a risk to the rights and freedoms of data subjects, notification is always required to the supervisory authority, and to data subjects under some conditions
  Warning: The common view is that a data breach is a matter of when, not if. Don't wait until a breach has occurred to get this process working
  Consider: Have a standing agreement with a public relations firm, to be activated in the event of a breach
  Consider: Have a similar standing agreement with a specialist incident response partner, to be activated as required. Or build (and regularly test) incident response capabilities internally

7 Establish the role of the Data Protection Officer, either as an internal role for one organization, a shared role across a group of organizations, or through a services engagement
  Remember: The contact details of the DPO must be accessible to data subjects, and the contact process simple and appropriate
  Remember: The DPO must report directly to the highest level of the organization, and his or her duties must not be interfered with
  Ensure: Your selected DPO has the required professional capabilities and expert knowledge in data protection

8 Implement appropriate technical measures to safeguard the rights and freedoms of data subjects, informed by an assessment of the risks to these rights and freedoms. The GDPR specifically mandates both organizational and technical measures, because people get it wrong sometimes, whether intentionally or by accident.
  Point of View: The European Regulators are concerned that companies are not paying sufficient attention to the technology tools available to protect personal and sensitive personal data, and are thus using a legal framework to force adoption and uptake

8.1 Automated tools for discovering, cataloging and classifying personal and sensitive personal data across your organization
  Why Necessary? Protecting data in sanctioned systems is relatively easy. The much harder task is ensuring any copies, exports, backups, and shadow IT systems that contain such data are made visible and protected. Automated means of discovering, cataloguing and classifying data offer an excellent safeguard against missing something important

8.2 Data Loss Prevention (DLP) capabilities to examine data flows and identify personal data that is not subject to adequate safeguards or authorizations. DLP tools can block or quarantine such data flows, pending suitable rectification
  Why Necessary? An employee that emails a mail merge spreadsheet containing personal data to an external marketing firm may have just caused a data breach, thus triggering the data breach notification requirement. DLP tools can identify and stop the breach before it happens.

8.3 Encryption of data in use, at rest, and in transit. Along with pseudonymization, encryption is explicitly mentioned as a safeguard in the GDPR
  Why Necessary? Encryption is one of the most potent data protection measures an organization can deploy. It renders personal data unintelligible to anyone without the decryption key. Most data breaches can be prevented if encryption is used

8.4 Data breach identification, blocking and forensic investigation capabilities for rapid awareness of active breach attempts by malicious actors, such as through compromised credentials, unauthorized network access, and active advanced persistent threats.
  Why Necessary? It will not look good for you if you don't know you have been breached, and another party makes it publicly known that you were. This will signal incompetence, and you will become a target for punitive regulatory fines. Forewarned is forearmed.

8.5 Pseudonymization to replace direct and indirect personal data identifiers in data systems with meaningless data values that can be reversed under the right conditions. This approach is explicitly championed in the GDPR, although there are some risks.
  Why Necessary? Pseudonymization safeguards personal data by removing it from production systems, enabling employees and others to work within the production system without actually having access to personal data. When necessary, the data values can be reidentified

8.6 Data export capabilities for complying with a data portability request from a data subject. Supplying data in the most appropriate format is essential.
  Why Necessary? To be able to respond promptly to data portability requests, without relying on manual export processes.

8.7 Network perimeter and endpoint security tools, for preventing unauthorized access into the network, preventing the entry of unwanted data types and malicious threats, and ensuring endpoints have not been compromised when requesting network, system, and data access.
  Why Necessary? To reduce the risk of malicious threats taking root in network devices and endpoints, leading to data breaches and other threats. Such security capabilities can also highlight any unpatched or out-of-date operating systems or applications that could be vulnerable to malicious threats.

8.8 Mobile device management capabilities that can remotely wipe and kill devices that are lost, stolen, or otherwise compromised, as well as enforcing certain settings such as local encryption and security software currency.
  Why Necessary? Loss of unencrypted devices is one of the top causes of data breaches, and is relatively easy to overcome with mobile device management capabilities

8.9 File sharing protection and file sharing technologies that meet the requirements of data protection. Minimizing the duration of open sharing links, for example, can reduce data breach possibilities.
  Why Necessary? Using authorized file sharing services ensures compliance mandates are met for data protection, data transfers, and data residency

8.10 Behavior analytics uses machine intelligence to identify people doing weird things on the network, in order to give early visibility and warning of employees starting to go rogue. Such tools can also highlight weird activities, such as employees logged in on devices in two different countries, which almost certainly means compromised accounts.
  Why Necessary? Early warning of out-of-normal behavior allows for quick rectification actions to prevent unauthorized access, data breaches, and other negative outcomes

8.11 Privileged account management tools keep a close eye on the actions undertaken by administrators using privileged account credentials.
  Why Necessary? Privileged accounts are a key target for hackers, as they give widespread access to the most data. Alerting on out-of-the-ordinary behaviors by privileged accounts gives early warning of possible malicious intent

8.12 Anti-malware and anti-ransomware to ensure the integrity, availability, and resilience of data systems, by blocking and preventing malware and ransomware threats from gaining a foothold on devices.
  Why Necessary? To prevent malicious software from compromising organizational data systems and devices.

SUMMARY

The GDPR will be enforced beginning in less than 11 months from the publication date of this white paper. Every organization that maintains data on EU residents will need to ensure that they have the appropriate capabilities in place to ensure compliance with the varied aspects of the GDPR. Not complying will be potentially very damaging and, if the EU follows through on its promised fine structure, very expensive. There are three primary imperatives that should drive decision makers to give the GDPR an extremely high priority until compliance has been assured:

Get your data ducks in a row
Every organization that maintains data on EU residents must undertake a significant reexamination of its data strategy with regard to its personal and sensitive data on these individuals. The specific requirements must be understood, planned for, and technology approaches implemented to address problems, strengthen policies and protections, and protect against things like data breaches and an inability to comply with the provisions of the GDPR. Data protection must be by design and by default.

Many firms will have to play catch up
Organizations in the EU have lived with the general notion of the GDPR for more than two decades, but non-EU firms are largely unprepared for the implications of such a rigorous approach to data protection. Consequently, non-EU firms will need to come up to speed rapidly in order to protect against the consequences of non-compliance with the GDPR.

Focus on technology
Technology is essential in enabling organizations to be compliant with the GDPR, but it is only one element of a comprehensive approach to compliance, which includes robust and detailed policies, training, governance processes, and appropriate strategies that cut across not only IT, but also legal, risk management, compliance, senior management, HR and finance.

SPONSOR OF THIS WHITE PAPER

More than 30,000 customers worldwide including more than 90 percent of the global Fortune 500 rely on RSA Business-Driven Security solutions for cyber threat detection and response, identity and access management, online fraud prevention, and GRC and business risk management. Armed with the industry's most powerful tools, enterprises can better focus on growth, innovation and transformation in today's volatile business environment. For more information and to see how RSA can help your organization address GDPR compliance, go to


More information

Cloud services Information and records management considerations

Cloud services Information and records management considerations Clud services Infrmatin and recrds management cnsideratins December 2018 Part f the Department f Internal Affairs Dcument details Dcument Identifier: 18/G15 Versin Date Descriptin Revisin due 0.1 Oct 2018

More information

Alumni and Supporters Privacy Notice

Alumni and Supporters Privacy Notice Alumni and Supprters Privacy Ntice Hw we use yur persnal data (fr alumni and supprters) The University regards the alumni service as an imprtant and integral part f the University's lng term cmmitment

More information

PROCESSING NOTICE ALUMNI

PROCESSING NOTICE ALUMNI PROCESSING NOTICE ALUMNI SUMMARY This summary is intended t cnvey essential infrmatin nly. Fr mre detailed infrmatin abut hw Ravensburne cllects, stres and prcesses yur persnal data can be fund in the

More information

WILTSHIRE AND SWINDON SPORT (WASP) PRIVACY NOTICE 20 APRIL 2018

WILTSHIRE AND SWINDON SPORT (WASP) PRIVACY NOTICE 20 APRIL 2018 WILTSHIRE AND SWINDON SPORT (WASP) PRIVACY NOTICE 20 APRIL 2018 References t we, ur r us in this privacy ntice are t Wiltshire and Swindn Sprt (WASP) We are cmmitted t respecting yur privacy. This ntice

More information

Isetan Personal Data Protection Policy (PDPP)

Isetan Personal Data Protection Policy (PDPP) Isetan Persnal Data Prtectin Plicy (PDPP) ISETAN OF JAPAN SDN BHD (IOJ) and ICJ DEPARTMENT STORE (M) SDN BHD (ICJ) are cmmitted t ensure that Custmer s privacy is prtected in accrdance t the Persnal Data

More information

ITIL FOUNDATION SUMMARY NOTES. Sessions

ITIL FOUNDATION SUMMARY NOTES. Sessions ITIL FOUNDATION SUMMARY NOTES Sessins 2 Service Management as a Practice 2 3 Service Lifecycle 3 4 Service Strategy 4 5 Service Design 5 6 Service Transitin 6 7 Service Operatin 7 8 Cntinual Service Imprvement

More information

BIRMINGHAM CITY COUNCIL STRATEGY FOR OPEN DATA

BIRMINGHAM CITY COUNCIL STRATEGY FOR OPEN DATA What we are trying t achieve BIRMINGHAM CITY COUNCIL STRATEGY FOR OPEN DATA This strategy sets ut hw Birmingham City Cuncil will prvide regular cmprehensive releases f public pen data and hw it will use

More information

A. Rational for change

A. Rational for change Applicatin made by the Slicitrs Regulatin Authrity Bard t the Legal Services Bard under Part 3 f Schedule 4 t the Legal Services Act 2007, fr the apprval f changes t regulatry arrangements relating t the

More information

Data subjects rights in the GDPR

Data subjects rights in the GDPR Rights f the Data Subjects in the GDPR E. Kindt and Valerie Verddt, KU Leuven, CiTiP Data subjects rights in the GDPR Fair prcessing principle Transparency, establishing trust, accuntability Rights Right

More information

Finastra collects and processes the following types of personal data about you in connection with your job application.

Finastra collects and processes the following types of personal data about you in connection with your job application. Finastra EEA & Switzerland Jb Applicants Privacy Ntice 1 May 2018 This Privacy Ntice applies t jb applicants residing in an EEA cuntry r Switzerland, as well as thse applying fr a jb psitin based in an

More information

BANBURY UNITED COMMUNITY FOOTBALL CLUB LTD

BANBURY UNITED COMMUNITY FOOTBALL CLUB LTD BANBURY UNITED COMMUNITY FOOTBALL CLUB LTD PRIVACY NOTICE We are cmmitted t respecting yur privacy. This ntice is t explain hw we may use persnal infrmatin we cllect befre, during and after yur membership

More information

Self- certification criteria for signatories of the IAB Europe OBA Framework

Self- certification criteria for signatories of the IAB Europe OBA Framework Self- certificatin criteria fr signatries f the IAB Eurpe OBA Framewrk Date: 12 April 2012 Table f cntents 1. Intrductin 3 2. General criteria fr self- certificatin f cmpliance 4 2.1. Data security 4 2.1.1.

More information

Disaster Recovery Planning Guide

Disaster Recovery Planning Guide Disaster Recvery Planning Guide Disaster Recvery Planning Guide A Business Cntinuity Plan (BCP) is a written strategy which ensures that persnnel and assets are prtected and able t functin in the event

More information

Digital Advisory Services Professional Service Description Software Defined Networking Strategy and Roadmap

Digital Advisory Services Professional Service Description Software Defined Networking Strategy and Roadmap Digital Advisry Services Prfessinal Service Descriptin Sftware Defined Netwrking Strategy and Radmap 1. Descriptin f Services. 1.1 Sftware Defined Netwrking Strategy and Radmap. Verizn will prvide Sftware

More information

Privacy Policy AreaTen Pty Ltd

Privacy Policy AreaTen Pty Ltd Privacy Plicy AreaTen Pty Ltd AreaTen Pty Ltd respects yur right t privacy and is cmmitted t safeguarding the privacy f ur custmers and website visitrs. We adhere t the Australian Privacy Principles cntained

More information

9 Things QuickBooks Users Should Know About Microsoft Dynamics 365

9 Things QuickBooks Users Should Know About Microsoft Dynamics 365 9 Things QuickBks Users Shuld Knw Abut Micrsft Dynamics 365 www.intellitecslutins.cm The past few years has brught extrardinary changes t the way we d business. Web-based business applicatins have matured,

More information

Repton Hockey Club PRIVACY NOTICE FOR OUR JUNIOR MEMBERS

Repton Hockey Club PRIVACY NOTICE FOR OUR JUNIOR MEMBERS Reptn Hckey Club PRIVACY NOTICE FOR OUR JUNIOR MEMBERS We at the Reptn Hckey Club want t make sure all the persnal details we hld abut yu are safe and secure, s we have put tgether this nte t tell all

More information

Guidance notes for completing the International Start-up Form

Guidance notes for completing the International Start-up Form Guidance ntes fr cmpleting the Internatinal Start-up Frm These guidance ntes are designed t supprt yu in cmpleting the Internatinal start-up frm. Yu will als need t refer t a) yur Stage 2 applicatin frm

More information

How it works. The following pages provide step by step instructions on the main stages of the MYOB Integration Module.

How it works. The following pages provide step by step instructions on the main stages of the MYOB Integration Module. Integrating MYOB with TimePr With TimePr s MYOB Integratin Mdule, yu can imprt TimePr time recrds int MYOB fr invice prcessing r payrll integratin. These recrds are then used t generate: Sales Invices,

More information

PRIVACY POLICY. We may collect, use, store and transfer different kinds of personal information about you which we have grouped together as follows:

PRIVACY POLICY. We may collect, use, store and transfer different kinds of personal information about you which we have grouped together as follows: PRIVACY POLICY Intrductin Yur privacy and trust are imprtant t us and this Privacy Plicy ( Plicy ) prvides imprtant infrmatin abut hw TM Grup Limited ( Cmpany we r us ) handles persnal infrmatin. We are

More information

Craw-Kan Telephone Cooperative Inc. CPNI / Privacy Policy

Craw-Kan Telephone Cooperative Inc. CPNI / Privacy Policy Craw-Kan Telephne Cperative Inc. CPNI / Privacy Plicy Craw-Kan Telephne Cperative Inc. is cmmitted t maintaining yur privacy. We believe that yu are entitled t knw hw Craw-Kan Telephne Cperative Inc. will

More information

Records Management Policy

Records Management Policy Recrds Management Plicy Main Authr: Cnsultatin Rute: Apprved By: Date f Issue: Applicable: Organisatinal wide Versin: 1.0 Review Date: February 2011 Versin 1.0: February 2010 Change Cntrl Versin Change

More information

APPLICABLE TO ALL DIRECTORS, SENIOR MANAGEMENT AND EMPLOYEES OF THE COMPANY

APPLICABLE TO ALL DIRECTORS, SENIOR MANAGEMENT AND EMPLOYEES OF THE COMPANY APPLICABLE TO ALL DIRECTORS, SENIOR MANAGEMENT AND EMPLOYEES OF THE COMPANY PHILOSOPHY JSAW is a prfessinally managed rganisatin and the cre value underlying ur crprate philsphy is "trusteeship". We believe

More information

STUDENT INFORMATION GUIDE BSB51315 Diploma of Work Health and Safety

STUDENT INFORMATION GUIDE BSB51315 Diploma of Work Health and Safety STUDENT INFORMATION GUIDE Abut Future Skills Future Skills is an industry wned and perated registered training rganisatin, specialising in pst trade electrical and wrk health and safety training in Queensland

More information

SUMMIT LEARNING PLATFORM PRIVACY POLICY Effective Date: August 1, 2017

SUMMIT LEARNING PLATFORM PRIVACY POLICY Effective Date: August 1, 2017 SUMMIT LEARNING PLATFORM PRIVACY POLICY Effective Date: August 1, 2017 Summit believes that students can be self-directed learners, cached by teachers and armed with the skills, knwledge, and habits they

More information

ROYAL BANK OF CANADA ONLINE APPLICATION TERMS AND CONDITIONS

ROYAL BANK OF CANADA ONLINE APPLICATION TERMS AND CONDITIONS ` ROYAL BANK OF CANADA ONLINE APPLICATION TERMS AND CONDITIONS Please review the fllwing Ryal Bank f Canada Online Applicatin Terms and Cnditins (the "Terms"). Yu must read them alng with yur Accunt Disclsures

More information

CCE Application Guidelines

CCE Application Guidelines CCE Applicatin Guidelines - 2017 General This dcument cntains infrmatin n hw t cmplete and submit yur CCE applicatin. If yu have any questins, please cntact Susan McGuire at smcguire@acce.rg. Tips befre

More information

NEW LAWS REGARDING BUILDING PRODUCTS (QLD)

NEW LAWS REGARDING BUILDING PRODUCTS (QLD) BUILDING SERVICES Ref: LEG 17-05 Current at Nvember 2017 NEW LAWS REGARDING BUILDING PRODUCTS (QLD) Frm 1 Nvember new laws regarding nn-cnfrming building prducts apply t all building prjects in Queensland.

More information

CCE Application Guidelines

CCE Application Guidelines CCE Applicatin Guidelines - 2018 General This dcument cntains infrmatin n hw t cmplete and submit yur CCE applicatin. If yu have any questins, please cntact Susan McGuire at smcguire@acce.rg. Tips befre

More information

HR Checklist for GDPR compliance

HR Checklist for GDPR compliance HR & GDPR HR Checklist fr GDPR cmpliance This checklist will cver the main areas yu need t address t prepare fr the GDPR (General Data Prtectin Regulatin) which cmes int frce n May 25 th, 2018. Peple is

More information

IESBA Meeting (November/December 2015) Long Association Proposed Changes to Section 290 (MARK-UP from ED)

IESBA Meeting (November/December 2015) Long Association Proposed Changes to Section 290 (MARK-UP from ED) IESBA Meeting (Nvember/December 2015) Agenda Item 5-B General Prvisins Lng Assciatin Prpsed Changes t Sectin 290 (MARK-UP frm ED) 290.148A Familiarity and self-interest threats, which may impact an individual

More information

Call for Papers SYSTEMS DO FOR YOU? Portland, OR June 13 15, Submit abstracts to:

Call for Papers SYSTEMS DO FOR YOU? Portland, OR June 13 15, Submit abstracts to: Call fr Papers TES 2017 THE 2017 4 TH INTERNATIONAL TRANSACTIVE ENERGY SYSTEMS CONFERENCE AND WORKSHOP MAXIMIZING YOUR VALUE: WHAT CAN TRANSACTIVE ENERGY SYSTEMS DO FOR YOU? Prtland, OR June 13 15, 2017

More information

Privacy Policy. Last Updated: September 10, 2018

Privacy Policy. Last Updated: September 10, 2018 Privacy Plicy Last Updated: September 10, 2018 Babel Street understands the imprtance f privacy and values the trust that ur custmers, ur partners and ur website visitrs place in us. Therefre, Babel Street,

More information

Pacific Timesheet Sustainability Policy

Pacific Timesheet Sustainability Policy Pacific Timesheet Sustainability Plicy Visin We strive t deliver sftware and services t help ur custmers better achieve their wn sustainability gals, including significantly reducing their use f paper

More information

Recruitment Privacy Notice. Information we collect about you

Recruitment Privacy Notice. Information we collect about you Recruitment Privacy Ntice At BAT we are cmmitted t prtecting the privacy f ur candidates and users f this erecruitment Site ("Site"). We want t prvide a safe and secure user experience. We will ensure

More information

SECTION I: RBC ROYAL BANK ONLINE APPLICATION TERMS AND CONDITIONS

SECTION I: RBC ROYAL BANK ONLINE APPLICATION TERMS AND CONDITIONS SECTION I: RBC ROYAL BANK ONLINE APPLICATION TERMS AND CONDITIONS Please review the fllwing RBC Ryal Bank Online Applicatin Terms and Cnditins (the "Terms and Cnditins"). Yu must read them, check the tick

More information

Operator Certification Program Proposed Draft ORO/OIC Guideline. Wastewater Practitioners Group Meeting November 29, 2017

Operator Certification Program Proposed Draft ORO/OIC Guideline. Wastewater Practitioners Group Meeting November 29, 2017 Operatr Certificatin Prgram Prpsed Draft ORO/OIC Guideline Wastewater Practitiners Grup Meeting Nvember 29, 2017 Tday s Tpic Overall Respnsible Operatr (ORO) and Operatr-in-Charge (OIC) Updating the Guideline

More information

KNOWLEDGE CAPTURE INTERVIEW

KNOWLEDGE CAPTURE INTERVIEW Inter-American Develpment Bank KNOWLEDGE AND LEARNING SECTOR (KNL) TECHNICAL NOTES KNOWLEDGE CAPTURE INTERVIEW N. IDB-TN-424 June 2012 KNOWLEDGE CAPTURE INTERVIEW Inter-American Develpment Bank 2012 http://www.iadb.rg

More information

Customer best practices

Customer best practices Custmer dcument Custmer best practices Recmmendatins fr new Basware transactin services custmers Basware Crpratin Cpyright Basware Crpratin All rights reserved 1 (11) 1 Intrductin Our best advice This

More information

ECNG Energy Group. Performance Review Plan

ECNG Energy Group. Performance Review Plan ECNG Energy Grup Perfrmance Review Plan Cntents Overview 3 Summary 3 Purpse 3 Key Phases and Timelines 4 1) Perfrmance Planning: Start f Q1 4 Setting Individual Objectives 5 2) Onging Caching and Mid-year

More information

CORPORATE. Freedom to Speak Up Standard Operating Procedure. Document Control Summary Status:

CORPORATE. Freedom to Speak Up Standard Operating Procedure. Document Control Summary Status: CORPORATE Freedm t Speak Up Standard Operating Prcedure Dcument Cntrl Summary Status: Replacement. This plicy supersedes the Public Interest Disclsure Plicy 28.01.15 (v3.1) Versin: V1.1 Date 01.10.16 Authr/Owner:

More information

Shepherd Neame Mystery Visitor Programme Terms & Conditions for Mystery Visitors

Shepherd Neame Mystery Visitor Programme Terms & Conditions for Mystery Visitors Shepherd Neame Mystery Visitr Prgramme Terms & Cnditins fr Mystery Visitrs We knw this is the bring bit, but it is imprtant s please get yurself a brew, make yurself cmfy and take a few minutes t read

More information

GENERAL PRIVACY NOTICE

GENERAL PRIVACY NOTICE GENERAL PRIVACY NOTICE 1. INTRODUCTION This General Privacy Ntice ( Ntice ) explains hw we may cllect and use infrmatin that Keppel Crpratin Limited, its related crpratins and/r assciated cmpanies ("Keppel")

More information

Personal Computing Services FAQ s

Personal Computing Services FAQ s What s cvered under the PCS cntract? PCS will generally cver all f the Break/Fix services n the Cre Hardware that is lcated at the schls. Cre Hardware cnsists f: DESKTOPS, LAPTOPS, SERVERS, and PRINTERS.

More information

GDPR FOR ACCOUNTANTS: YOUR QUESTIONS ANSWERED

GDPR FOR ACCOUNTANTS: YOUR QUESTIONS ANSWERED ICAEW BUSINESS LAW / IT FACULTY FAQs GDPR FOR ACCOUNTANTS: YOUR QUESTIONS ANSWERED Business Law /IT Faculty FAQs are published by ICAEW s Business Law team and the IT Faculty. GDPR fr Accuntants: Yur Questins

More information

The BLOOM Performance Review Decision Guide

The BLOOM Performance Review Decision Guide The BLOOM Perfrmance Review Decisin Guide Intrductin Planning yur perfrmance review prcess needs careful cnsideratin. Sme questins yu might be cnsidering are: 1. Hw ften will the rganizatin cmplete frmal

More information

Sustainability Policy. Bupa Enterprise Policy

Sustainability Policy. Bupa Enterprise Policy Bupa Enterprise Plicy Sustainability Plicy We are cmmitted t engaging millins f peple arund the wrld in their health and wellbeing, and t having a minimal impact n the envirnment. Purpse Bupa 2020 cmmits

More information

Table of Contents. Section 1 - I am a Manager in an ETB, how will the ESBS affect me & what do I need to know?

Table of Contents. Section 1 - I am a Manager in an ETB, how will the ESBS affect me & what do I need to know? ESBS ETB Payrll Shared Services FREQUENTLY ASKED QUESTIONS Nvember 2018 Table f Cntents Sectin 1 - I am a Manager in an ETB, hw will the ESBS affect me & what d I need t knw? 1.1. What are the risks assciated

More information

Making the move from Sage Abra Suite (FoxPro) to Sage HRMS (SQL)

Making the move from Sage Abra Suite (FoxPro) to Sage HRMS (SQL) Making the mve frm Sage Abra Suite (FxPr) t Sage HRMS (SQL) 5272 S. LEWIS, SUITE 100 TULSA, OK 74105 918.496.1600 TOLL FREE: 877.496.1600 Making the mve frm Sage Abra Suite (FxPr) t Sage HRMS (SQL) As

More information

Pay policy programme for Lund University

Pay policy programme for Lund University Dnr I F 9 5307/1999 1 Pay plicy prgramme fr Lund University apprved by the University Bard n 7 April 2000 The basic aim f the pay plicy is t help the University in achieving its targets. Mtivated, cmmitted

More information

Fact Sheet: The Global Net Zero Carbon Buildings Commitment in Australia

Fact Sheet: The Global Net Zero Carbon Buildings Commitment in Australia Fact Sheet: The Glbal Net Zer Carbn Buildings Cmmitment in Australia 1 Supprting yur cmmitment t create a net zer emissins built envirnment T supprt the gals in the Paris Agreement, the Wrld Green Building

More information

The data controller is Edwards Coaches Ltd, The Courtyard, Parc Busnes Edwards, Llantrisant CF72 8QZ.

The data controller is Edwards Coaches Ltd, The Courtyard, Parc Busnes Edwards, Llantrisant CF72 8QZ. Edwards Caches Ltd is cmmitted t prtecting and respecting yur privacy. This ntice sets ut hw we will use any persnal data that we hld abut yu. The data cntrller is Edwards Caches Ltd, The Curtyard, Parc

More information

Certificate in Construction Project Management

Certificate in Construction Project Management Certificate in Cnstructin Prject Management Duratin: 6 Mnths Distance Learning Prgramme Language: English RICS Member: $1,235 Nn RICS Member $1,485 Curse Summary This prgramme explres the prject lifecycle

More information

In this Document: EMV 3-D Secure General and Testing FAQs. EMV 3-D Secure General FAQs

In this Document: EMV 3-D Secure General and Testing FAQs. EMV 3-D Secure General FAQs In this Dcument: EMV 3-D Secure General and Testing FAQs 1. What is EMV 3-D Secure? EMV 3-D Secure General FAQs EMV Three-Dmain Secure (3DS) is a messaging prtcl develped by EMVC t enable cnsumers t authenticate

More information

Certificate in Construction Project Management

Certificate in Construction Project Management Certificate in Cnstructin Prject Management Duratin: 6 Mnths Distance Learning Prgramme Language: English RICS Member: 895.00 + VAT Nn RICS Member 1075.00 + VAT Curse Summary This prgramme explres the

More information

Extension of the Senior Managers and Certification Regime by the UK s FCA

Extension of the Senior Managers and Certification Regime by the UK s FCA CLIENT MEMORANDUM Extensin f the Senir Managers and Certificatin Regime by the UK s FCA Des the SM&CR apply t my firm and what des it entail? August 2, 2017 AUTHORS Jseph D. Ferrar Nichlas Bugler Andrew

More information

HAYS INTERNAL RECRUITMENT PRIVACY POLICY

HAYS INTERNAL RECRUITMENT PRIVACY POLICY HAYS INTERNAL RECRUITMENT PRIVACY POLICY INTRODUCTION This Internal Recruitment Privacy Plicy applies t individuals wh are seeking emplyment with Hays. This Internal Recruitment Privacy Plicy describes

More information

Frequently asked questions:

Frequently asked questions: Frequently asked questins: Standardized pre/pst surveys fr grw grant results Versin 2.0 May 10, 2017 Cntents HelpDesk Cntact Infrmatin... 2 General Questins... 2 Why is OTF using these surveys?... 2 Wh

More information

ABLE Commission Q&A Q&A Regarding Licensing and Application

ABLE Commission Q&A Q&A Regarding Licensing and Application ABLE Cmmissin Q&A Q&A Regarding Licensing and Applicatin When can the interim licenses applicatins be submitted? They can be submitted between nw and September 30, 2018, hwever; the Able Cmmissin wuld

More information

Aggregate LLC ( AGGREGATE LLC ) is committed to protecting your privacy. We have prepared

Aggregate LLC ( AGGREGATE LLC ) is committed to protecting your privacy. We have prepared PRIVACY POLICY Last Revised: August 8, 2017 Aggregate LLC ( AGGREGATE LLC ) is cmmitted t prtecting yur privacy. We have prepared this Privacy Plicy t describe t yu ur practices regarding the Persnal Data

More information

MEDICAID SERVICES UPDATE: August 8, 2014

MEDICAID SERVICES UPDATE: August 8, 2014 OKLAHOMA DEPARTMENT OF HUMAN SERVICES Aging Services, Medicaid Services Unit ADvantage Administratin PO Bx 50550 Tulsa, Oklahma 74150-0550 (918) 933-4900 www.kdhs.rg MEDICAID SERVICES UPDATE: August 8,

More information

PRIVACY NOTICE FOR IMPERIAL COLLEGE LONDON EVENTS

PRIVACY NOTICE FOR IMPERIAL COLLEGE LONDON EVENTS PRIVACY NOTICE FOR IMPERIAL COLLEGE LONDON EVENTS This Privacy Ntice (Ntice) explains hw Imperial Cllege Lndn (the Cllege, we, ur, us) prcesses yur persnal data when yu attend its events (including public

More information

CHOOSING THE RIGHT RECRUITMENT PARTNER

CHOOSING THE RIGHT RECRUITMENT PARTNER CHOOSING THE RIGHT RECRUITMENT PARTNER Chsing the right recruitment partner, wh has the ability t identify thse key individuals, can be critical t business success. Businesses need t generate psitive messages

More information