General Data Protection Regulation (GDPR) will change the way the European Union handles personal information by enforcing strict guidelines on how that information is collected and used. However, GDPR’s changes aren’t limited to the EU — in fact, these rules will have international consequences for any organization that handles personal information from anyone in the EU.
What does this mean for the rest of the world? Security Compass has been preparing for GDPR and can help ease the burden many organizations will face as they struggle to meet compliance. To understand the full extent of these rules, it’s important to explore the intentions behind them, how they penalize non-compliance, and how they will affect the software industry.
What is GDPR?
GDPR is a regulation that replaces the Data Protection Directive (Directive 95/46/EC). Because it is a regulation rather than a directive, it applies directly in every EU member state without national transposition, and it applies from May 25, 2018. Simply put, GDPR is designed to give people in the EU more rights, control, and awareness about how their personal information is used whenever they submit it to public and private organizations, especially when that information crosses borders.
GDPR is composed of 99 articles that set out definitions and binding rules, and 173 recitals that provide legal context for interpreting the articles. The final text was adopted on April 27, 2016.
The regulation makes it clear that collecting and using personal data is beneficial to society, but it’s also important to balance the way this data is used with a person’s fundamental rights and freedoms (Recital 4). With these rights in mind, GDPR will heavily penalize any organization that does not comply with its far reaching guidelines.
Are there any new terms I should know?
GDPR uses specific terminology to describe the different groups of people who are involved, and how they fit into a hierarchy (Article 4).
Who are data subjects?
We are. A data subject is any identified or identifiable natural person whose personal data is being processed by an organization. Personal data is any information that identifies a person directly (a name, an email address) or indirectly (an IP address, a device identifier, location data, or a combination of attributes that together single someone out) (Article 4(1)).
What is a data processor?
Data processors process personal data, but only on behalf of data controllers. Processing has a wide definition and includes the “… collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, [and] use…” of personal data.
Who are data controllers?
Data controllers determine the purposes and means of processing: why personal data is collected and how it is handled. A controller may do the processing itself or delegate it to a processor, and it remains accountable either way.
(A controller and its processor need not belong to the same organization. The processor physically handles the personal data on the controller's documented instructions, while the controller decides why and how it is processed.)
What is a Data Protection Officer (DPO)?
A DPO, who may be an employee or an external contractor, monitors the organization's compliance, advises on its data protection obligations and impact assessments, and acts as the point of contact for the supervisory authority and for data subjects. Appointing one is mandatory for public authorities and for organizations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data (Articles 37 to 39).
What is a supervisory authority?
Supervisory authorities are the independent national data protection authorities that enforce GDPR in each member state (Article 51). They investigate complaints, audit data controllers and processors, and impose corrective measures and fines. The head of each national authority sits on the European Data Protection Board (EDPB), which coordinates their work across the EU.
What is the European Data Protection Board (EDPB)?
The EDPB replaces the Article 29 Working Party and takes over the responsibility of ensuring that GDPR is applied consistently across the EU. It issues guidelines and best practices, resolves disputes between national supervisory authorities, and sets the criteria for accrediting the bodies that issue GDPR certifications (Articles 68, 70).
What are GDPR’s requirements?
The regulation enforces requirements for profiling, collecting the personal information of children, obtaining consent, and erasing personal information.
Profiling is any automated processing of personal data used to evaluate or predict aspects of a person, such as their "performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements" (Article 4(4)). GDPR does not ban profiling outright, but a decision based solely on automated processing that has legal or similarly significant effects on a person is restricted: it is permitted only where it is necessary for a contract, authorised by law, or based on the person's explicit consent, and even then the person must be able to obtain human intervention and contest the decision (Article 22, Recital 71).
Where an online service is offered directly to a child and relies on consent, that consent must come from the holder of parental responsibility for children under 16. Member states may lower the threshold, but not below 13 (Article 8). The regulation explains that children "merit specific protection" when it comes to their personal information (Recital 38).
Consent must be freely given, specific, informed and unambiguous, expressed by a clear affirmative act rather than buried in terms of agreement or inferred from pre-ticked boxes or inactivity. Withdrawing consent must be as easy as giving it, and the controller must be able to demonstrate that valid consent was obtained (Articles 4(11), 7; Recitals 32, 42).
In addition to this, people have the right to have inaccurate personal data corrected (Article 16) and the "right to be forgotten": the right to have their data erased without undue delay, for example when it is no longer needed for the purpose it was collected for or when they withdraw the consent it was based on (Article 17, Recital 65).
What are the penalties for not complying with GDPR?
The urgency to understand how GDPR will affect organizations is largely based on the penalties for non-compliance. Under GDPR, organizations that do not comply can be fined up to 4% of their annual global turnover, or €20 million (~$22 million USD, ~$30 million CAD) — whichever is greater.
However, there will be a tiered and case-by-case approach to fines depending on the severity of non-compliance. These penalties will vary based on an organization’s attempts to protect an individual’s privacy, and minor infringements may not even be fined at all (Article 83, Recital 148).
Data protection by design and default
For developers, there will be an expectation to incorporate data protection into applications by design. GDPR outlines that there must be measures to show that data privacy compliance has been thoughtfully integrated into an application at both technical and organizational levels (Article 25).
GDPR also requires data protection by default: out of the box, an application must process only the personal data necessary for each specific purpose, which limits the amount of data collected, the extent of processing, how long it is kept and who can access it. In particular, personal data must not be made accessible to an indefinite number of people without the individual's intervention. Combined with the purpose limitation principle (Article 5(1)(b)), this means data collected for one purpose cannot be quietly reused for another without a compatible legal basis or the person's knowledge (Article 25).
In terms of privacy by design at the earliest stages of development, the regulation encourages pseudonymization of personal information: processing it so that it can no longer be attributed to a specific person without additional information, such as a key or a lookup table, and keeping that additional information separately, protected by "technical and organisational measures" such as encryption and access control (Articles 4(5), 25, 32). Pseudonymized data is still personal data, so GDPR continues to apply to it (Recital 26), but the separation reduces the risk to individuals if the working data set alone is exposed (Recital 28).
An important condition of complying with GDPR is breach notification. A personal data breach is any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Article 4(12)). The controller must notify the supervisory authority within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to individuals, and must inform the affected data subjects without undue delay when the breach is likely to result in a high risk to them. A processor that discovers a breach must notify its controller without undue delay, and the controller must document every breach, including those it decided not to report. Notification of data subjects can be waived where the exposed data was protected by measures such as encryption that make it unintelligible to whoever obtained it (Articles 33, 34).
In the end, the rules establish a risk-based approach to personal data processing, so that precautions are scaled to the risks the processing creates. A data protection impact assessment (DPIA) is mandatory where processing is likely to result in a high risk to individuals, for example systematic profiling, large-scale processing of special categories of data, or large-scale monitoring of publicly accessible areas. The assessment describes how and why the personal data is processed, whether the processing is necessary and proportionate, the risks to individuals, and the safeguards used to address those risks; if a high risk remains after mitigation, the controller must consult the supervisory authority before proceeding (Articles 35, 36).
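As an added example, not code from the original post or from SD Elements, the Python sketch below shows the separation the regulation describes: direct identifiers in a record are replaced by keyed tokens, while the key and the token-to-identifier table (the "additional information") live in a separate vault component. It also shows why an unkeyed hash of an email address is not adequate pseudonymization: a dictionary attack reverses it, whereas the keyed token resists the same attack unless the attacker also obtains the key. The class name PseudonymVault, the helper names and the sample records are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records for the example; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "item": "book", "amount": 12.50},
    {"email": "bob@example.com", "item": "lamp", "amount": 40.00},
    {"email": "alice@example.com", "item": "pen", "amount": 2.25},
]

# Direct identifiers that must not appear in the working data set.
DIRECT_IDENTIFIERS = ("email",)


class PseudonymVault:
    """Holds the 'additional information' needed to re-identify a token:
    the secret key and the token -> identifier lookup table.

    In a real deployment this component lives in a separate service or
    database with its own access control (hypothetical layout), so the
    analytics store alone cannot attribute a record to a person.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # 256-bit random key. A keyed HMAC is used instead of a plain hash so
        # that tokens cannot be reversed by guessing common identifiers.
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def token_for(self, identifier: str) -> str:
        token = hmac.new(self.key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self._lookup[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Only the holder of the vault can map a token back to a person."""
        return self._lookup.get(token)


def pseudonymize(records: Iterable[dict], vault: PseudonymVault,
                 fields: Iterable[str] = DIRECT_IDENTIFIERS) -> List[dict]:
    """Return copies of the records with direct identifiers replaced by tokens.

    The same identifier always maps to the same token, so records about one
    person stay linkable for analytics without revealing who the person is.
    """
    output = []
    for record in records:
        pseudo = dict(record)
        for field in fields:
            if field in pseudo:
                pseudo[field] = vault.token_for(pseudo[field])
        output.append(pseudo)
    return output


def weak_token(identifier: str) -> str:
    """An unkeyed hash, often mistaken for pseudonymization."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str],
                      key: Optional[bytes] = None) -> Optional[str]:
    """Try to reverse a token by hashing guessed identifiers.

    Without the key this succeeds only against unkeyed hashes; with the key
    (i.e. after the vault is also compromised) it succeeds against both.
    """
    for candidate in candidates:
        data = candidate.encode("utf-8")
        if key is None:
            guess = hashlib.sha256(data).hexdigest()
        else:
            guess = hmac.new(key, data, hashlib.sha256).hexdigest()
        if hmac.compare_digest(guess, token):
            return candidate
    return None


if __name__ == "__main__":
    vault = PseudonymVault()
    working_set = pseudonymize(RECORDS, vault)
    for row in working_set:
        print(row)
    # An attacker holding only the working set and a list of guessed emails:
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    print("weak token reversed:", dictionary_attack(weak_token("alice@example.com"), guesses))
    print("keyed token reversed:", dictionary_attack(working_set[0]["email"], guesses))
    print("vault re-identifies:", vault.reidentify(working_set[0]["email"]))
```

Two design points follow from this. First, the vault is exactly the asset that Article 32's "technical and organisational measures" are meant to protect; an attacker who obtains both the working set and the vault has fully re-identifiable data, so the vault needs its own encryption at rest, access control and audit logging. Second, if data sets for different purposes must not be linkable to each other, each should use its own key, otherwise identical tokens will join them.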
SD Elements is an application security requirements and threat management (ASRTM) platform that provides tailored security advice for each phase of the software development lifecycle. It simplifies GDPR compliance by using a series of tasks and reports that can be assigned to developers, and monitored for completion.
In SD Elements, tasks are instructions for protecting against a class of weakness at the relevant phase of the software development lifecycle. They describe procedures, controls or tests that improve an application's security and its compliance with established standards, including privacy regulations such as GDPR.
For example, these tasks help developers comply with GDPR by directly addressing specific recitals and articles:
- T178: Ask for consent from user prior to collecting personal information (Recital 42, and article 7)
- T604: Apply data protection principles when handling personal data (European Version) (Recital 39, and article 5)
- T607: Develop procedures for personal data destruction when they are no longer needed (Recital 65, and article 17)
These tasks, by contrast, are written for general privacy and security guidelines and address GDPR indirectly:
- T177: Allow users to review and update their personal data (Recital 63, and article 15)
- T179: Allow access for users to remove their data from the system (Recital 65, and article 17)
Tasks can be tracked using compliance reports, which list the regulation being addressed, the tasks mapped to it, and the status of each task. Below is an excerpt from a compliance report that shows how security requirements can be tracked.
The report lists all tasks related to a GDPR recital or article, along with a status of completion. This makes it easy to determine if requirements are being met, especially for an auditor.
May 2018 is right around the corner
There isn’t much time before GDPR comes into full effect. Its new rules dramatically change the way personal information is handled in the software industry, and for those organizations affected, the burden to comply with these guidelines will vary. This burden will depend on several factors, including how challenging it will be to reevaluate existing policies, develop new processes, and designate a DPO. For now, consider the steps you need to take to reduce the impact GDPR will have on you, work towards compliance, and take advantage of the resources available to you.
Download or view the full version of GDPR.