The European Parliament adopted the GDPR in April 2016, requiring certain classes of companies, in accordance with the applicability criteria, to protect the personal data and privacy of European Union (‘EU’) citizens for transactions that occur within EU member states, thereby regulating the export of sensitive personal information outside the 28 EU member states.

Applicability

GDPR compliance is applicable to all companies processing and archiving personal information (including personally identifiable data within social media, photos, email addresses and IP addresses) regarding EU citizens within EU states, even if such companies do not have a business presence within the EU. Companies meeting any of the following criteria are required to adhere to GDPR provisions:
· A presence in an EU country;
· No presence in the EU, however the company processes personal data of European residents;
· More than 250 employees; &
· Fewer than 250 employees, however the company’s data processing impacts the rights of individuals (data subjects), is not occasional, or includes certain types of sensitive personal data.

Compliance responsibility – Data protection officers

GDPR defines specific roles and responsibilities for ensuring compliance, viz. the data controller, the data processor and the data protection officer (‘DPO’). The data controller defines the methodology for processing personal data and the objectives for which data is processed.

Data processors are generally internal groups or external outsourcing firms that maintain and process personal data records and are held liable for breaches or non-compliance. Data controllers and data processors are mandated to appoint a DPO where companies process or archive a significant volume of EU citizen data, process or archive privileged personal data, regularly monitor pertinent data subjects, or are a public entity (except law enforcement authorities, which may be exempt). The primary objective behind the appointment of a DPO is to designate someone responsible for overseeing the data security strategy.

Overview of key components

i) Data privacy by design (‘DPD’)
Processes will need to be continuously assessed and periodically amended to incorporate privacy by design, wherein the data controller must apply adequate technical and organisational procedures to comply with the requirements of GDPR and protect the rights of data subjects. Types of privacy data protected by GDPR include:
· Basic identity information such as name, address and ID numbers;
· Web data such as location, IP address, cookie data and RFID tags;
· Health and genetic data;
· Biometric data;
· Racial or ethnic data;
· Political opinions; orientation.

ii) Data portability
Personally identifiable data must be portable through the use of open, common file formats that are machine-readable when the data subject receives them.

iii) Rights of data subjects
The data controller is obligated to provide a free electronic copy of any personally identifiable data to the data subject. GDPR provides the following rights to data subjects with respect to their data controllers:
a) Right to access: to confirm whether their personally identifiable data is being processed, along with the objective for which it is being processed and the location;
b) Right to be forgotten: includes permanent or on-demand deletion of his/her personally identifiable data, ceasing further distribution of the data, and demanding that third parties restrict processing of the data.

iv) Data breach notification
As a data breach is likely to result in a risk to the rights of individuals, GDPR requires a mandatory breach notification to be submitted to the supervisory authority within 72 hours of the organisation first becoming aware of the breach. In addition, data processors are required to notify their customers without undue delay.

v) Consent
GDPR requires ‘a statement or clear affirmative action’ that signals agreement to the transfer of personal data. Further, parental consent is required for processing children’s (13-16 years of age depending on member state) personal data.

Penal consequences

The GDPR allows for steep penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance. Failure to adequately conduct a DPIA where appropriate is a breach of the GDPR and could lead to fines of up to 2% of an organisation’s annual global turnover or €10 million – whichever is greater.

Mapping IT security, governance and GDPR

Compliance with GDPR will require an IT governance framework to be modified to incorporate pertinent aspects relating to data transfer, data subject consent, and privacy by design.

GDPR introduces several privacy arrangements and control mechanisms that are intended to safeguard personally identifiable information. Most of these controls are also recommended by ISO/IEC 27001:2013, ISO/IEC 27002:2013 and other ‘ISO27k’ standards, as well as COBIT 5.