A Comprehensive Guide to Compliance with GDPR
Dr. Jeffrey Edwards, MBA, CQF, CSSBB
Executive Risk Officer | Chief Control Officer | Blockchain | Cryptocurrency | Enterprise Risk Management | Operational Risk | Market Risk | Credit Risk | Regulatory Compliance | Risk Quantification | 1LOD | 2LOD | 3LOD
Privacy regulation is becoming more prevalent in financial institutions such as investment banks, commercial banks, insurance companies, and brokerage firms. The landscape of privacy regulation spans multiple industries: the Gramm-Leach-Bliley Act (GLBA) for banking, the Family Educational Rights and Privacy Act (FERPA) for education, and the Health Insurance Portability and Accountability Act (HIPAA) for healthcare. The evolution of the internet and of cybersecurity has been a significant catalyst for the increased focus on privacy laws. Yet there is no single overarching regulation that applies everywhere. As such, there are multiple privacy laws at the national, federal, and state levels. One of the privacy regulations that has become more widespread is the European Union's General Data Protection Regulation (GDPR).
GDPR is an extensive privacy regulation with many different provisions. The regulation is known for its tough mandates for protecting the privacy of EU constituents. The regulation applies to all types of organizations: those in the public sector, those in the private sector, and government agencies.
GDPR is structured around two key elements: Articles and Recitals. Articles are the provisions that set out the legal requirements of the regulation; GDPR has 99 Articles in total. The Recitals provide direction and a framework to aid in implementing the requirements enumerated in the Articles; GDPR contains 173 Recitals in total.
One way to approach compliance with GDPR is to focus on the 7 Privacy Principles. These principles are at the core of the regulation's implementation and must be understood in order to comply with its numerous Articles and Recitals. The 7 Privacy Principles are as follows:
1. Lawfulness, Fairness and Transparency
2. Purpose Limitation
3. Data Minimization
4. Accuracy
5. Storage Limitation
6. Integrity and Confidentiality
7. Accountability
Understanding the 7 Privacy Principles of GDPR ensures that a practitioner is well poised to become compliant with the Articles of the regulation. It also gives the practitioner a deeper understanding of the objectives and goals of the Articles and Recitals that comprise the regulation, which removes some of the complexity of working through its many aspects.
Lawfulness, Fairness and Transparency
It might seem strange that three criteria are named in the first privacy principle. GDPR views these three criteria as interlocked with each other; because they are interlocked, it is logical for them to form one privacy principle rather than three separate ones.
The criteria answer three questions regarding the data processing: Why, How, and What. Why refers to the lawfulness of obtaining the data: there needs to be a lawful reason why one needs the data. How refers to fairness: the data must be handled in a way that does not misrepresent the data subject from whom it was collected. Finally, What refers to transparency: understanding what will be done with the data. This transparency describes what is done with the data in every phase of the data lifecycle.
The controls that demonstrate compliance with the first privacy principle reside in the business requirements. Business requirements provide an overview of why the data is needed to conduct business and the implications of not having access to it. For compliance purposes, one must ensure that the business requirements are consistent with the Articles of GDPR, specifically Article 5, which sets out the Privacy Principles, and Article 6, which sets out the 6 legal bases on which one may process a data subject's data.
Controls should be designed and implemented to relate directly to the 6 legal bases for processing the data, which addresses the Lawfulness aspect of the principle. Fairness and Transparency are more difficult to isolate than Lawfulness. Lawfulness can be defined by a few actions and behaviors, which makes it easier to pin down. Fairness and Transparency are more general, subjective terms with a wide array of characteristics and meanings; accordingly, GDPR Articles 7 through 23 deal with the many aspects of Fairness and Transparency.
To be fully in compliance with the Fairness and Transparency aspects of the first privacy principle, one needs to focus on the Recitals associated with those GDPR Articles. The Recitals identify details regarding the requirements and the actions needed for compliance, and give more detail on how the Articles are to be implemented.
Purpose Limitation
Once the data processor has obtained the data, there needs to be a reason for possessing the information. When this reason has been established through the lawfulness, fairness, and transparency requirements of the GDPR Articles, restrictions must be put on the data's usage. Specifically, the usage restrictions focus on using the data only for the purpose intended and not for any other purpose. Therefore, one cannot recycle or reuse data for another purpose. The permission granted is for a specific purpose and only for the purpose originally granted to the data processor.
If the data processor needs to reuse the data for a purpose other than the one originally granted, a new request must be submitted to the data subject. Once the data subject approves the request, the data processor is then able to process the data in line with the requirements of the GDPR Articles. The Articles associated with the Purpose Limitation aspect of GDPR are Articles 12 through 23. These Articles relate directly to the rights of the data subject, which is applicable when referring to the Purpose Limitation Privacy Principle.
Control implementation for the Purpose Limitation Privacy Principle entails a validation and verification step when obtaining data from the subjects. Once the data has been obtained, the business requirements that detail how the data will be used need to be reviewed. This documentation needs to be cross-referenced with the GDPR requirements related to Purpose Limitation, Articles 12 through 23. Additionally, examining the Recitals will assist in understanding how to comply with the stipulations defined in the Articles.
Once the business requirements documentation has been verified, a control needs to be put in place to review how the data is actually being used. Once this usage has been verified, it needs to be validated against the original business requirements. This review is vital to ensure adherence to the Purpose Limitation Privacy Principle, which directly supports compliance with multiple aspects of the GDPR requirements.
Data Minimization
The second Privacy Principle, Purpose Limitation, relates directly to Data Minimization. If done correctly, Purpose Limitation will yield only the data needed for a specific purpose. Data Minimization deals with ensuring that one does not gather more data than required. If one has a specific purpose for the data, then gathering more than is needed should not arise. Things do change, and if that is the case, Data Minimization activities would have to lead to the removal and destruction of data that was originally collected.
The control one would implement to support the Data Minimization Privacy Principle correlates with Purpose Limitation. The correlation puts emphasis on the data that was collected, to ensure consistency between the two privacy principles. Once the data has been collected, one needs to review how it is being used. If the data is not being used for any purpose, it needs to be removed from processing and destroyed in an approved and secure manner.
Accuracy
Once the business requirements have been created and a data request has been submitted to the data subject, understanding the data becomes paramount. The Accuracy Privacy Principle ensures that the data is current and does not become stale over time. This ensures that the data processor is using data that is representative of the subject and not information that could be misconstrued by those consuming and processing it. The data must reflect the current state of the data subject.
From a control implementation perspective, this aspect of the privacy principles can be rather complex. A constant monitoring and update mechanism needs to be in place to ensure that the data being used for processing is current. This means contacting the data subject periodically to validate that the data still reflects the data subject's current state. Conversely, one does not want the data updated in a way that no longer reflects the data subject's current state. Therefore, some change control needs to be in place to protect the data.
A robust data change management system needs to be in place to ensure the data is updated or changed only on an as-needed basis. The change needs to be performed by the right data processors, with the correct authority to update the data. The subject's authorization and approval need to be expressly documented for the purpose of proving compliance with the GDPR Article requirements.
Storage Limitation
Storage, record retention, and destruction of data are all associated with the Storage Limitation Privacy Principle. The requirements for Storage Limitation come from Article 5 of GDPR. Specifically, Article 5 states the following with regard to Storage Limitation:
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');
This passage, though it seems simple, has some complex requirements that cannot be underestimated. The statement about keeping the data no longer than is necessary has record retention implications, because in some cases there is a regulatory requirement to keep data for a definite period of time. Therefore, a company's first control, the Directive Control of a Records Retention policy, is a key factor in implementing controls within the organization that assist with compliance with GDPR.
Once the data has passed the records retention policy deadlines, it is time to destroy the data securely and responsibly. Data destruction methods vary, but it is vital to understand where the data has resided or been used, and to ensure that copies have not been left in offline archiving or storage systems.
Means of data destruction include reformatting, erasure, overwriting, degaussing, and deleting the data from the media on which it is stored. Each method has advantages and disadvantages. Some methods are more practical for individuals, while others are more practical for organizations. It is essential to understand which methods provide the best solution for the situation at hand; there is no one-size-fits-all method for destroying data.
A few guidance documents and frameworks have been published that provide best practices for destroying data. NIST guidance is among the most widely used. NIST SP 800-88, Guidelines for Media Sanitization, defines 3 categories of sanitization: Clearing, Purging, and Destroying the data.
To be compliant with the GDPR Articles associated with the Storage Limitation Privacy Principle, Record Retention and Data Destruction policies and procedures need to be implemented within the organization. Policies and procedures are only Directive Controls; Detective and Corrective controls also need to be implemented to ensure that data destruction is actually performed as documented in those policies and procedures.
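The detective and corrective side of the Storage Limitation control can be made concrete as a periodic retention review. The following is an added example written for this article, not code from the author or from any GDPR or NIST publication. It assumes a constructed retention schedule keyed by documented processing purpose, a constructed list of records with regulatory holds, and an organisational (not NIST-prescribed) mapping from media type to an SP 800-88 sanitization category; every name and value in it is hypothetical. It flags records past their retention deadline, defers records under a regulatory hold (the definite-period retention requirement mentioned above), escalates records with no documented purpose, and produces the evidence lines an auditor would ask for.

```python
"""Detective/corrective control for the Storage Limitation principle.

Constructed example (not the article's or NIST's code): records are checked
against a purpose-keyed retention schedule; expired records are marked for
sanitization unless a regulatory hold applies; records whose purpose is not
documented are escalated rather than silently retained.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Hypothetical retention schedule in days per documented processing purpose.
RETENTION_SCHEDULE = {
    "account_servicing": 365 * 7,    # assumed 7-year regulatory retention
    "marketing_consent": 365 * 2,
    "fraud_investigation": 365 * 5,
}

# Hypothetical organisational policy mapping media type to an SP 800-88
# sanitization category. The standard leaves this choice to the organisation.
SANITIZATION_METHOD = {
    "cloud_object_store": "clear",
    "on_prem_ssd": "purge",
    "backup_tape": "destroy",
}


@dataclass
class Record:
    record_id: str
    subject_id: str
    purpose: str
    collected_on: date
    media: str
    hold_until: Optional[date] = None   # regulatory/legal hold end date, if any


@dataclass
class Decision:
    record_id: str
    action: str             # "retain", "hold", "destroy" or "escalate"
    method: Optional[str]   # sanitization category when action == "destroy"
    reason: str


def retention_deadline(rec: Record) -> date:
    """Date after which the record may no longer be kept in identifiable form."""
    return rec.collected_on + timedelta(days=RETENTION_SCHEDULE[rec.purpose])


def evaluate(rec: Record, today: date) -> Decision:
    if rec.purpose not in RETENTION_SCHEDULE:
        # No documented purpose: a Purpose Limitation failure, not a retention case.
        return Decision(rec.record_id, "escalate", None,
                        f"purpose '{rec.purpose}' has no retention schedule")
    deadline = retention_deadline(rec)
    if today < deadline:
        return Decision(rec.record_id, "retain", None, f"within retention until {deadline}")
    if rec.hold_until and today < rec.hold_until:
        return Decision(rec.record_id, "hold", None,
                        f"past {deadline} but under hold until {rec.hold_until}")
    return Decision(rec.record_id, "destroy", SANITIZATION_METHOD[rec.media],
                    f"past retention deadline {deadline}")


def run_review(records: List[Record], today: date) -> List[Decision]:
    return [evaluate(r, today) for r in records]


def destruction_evidence(decisions: List[Decision]) -> List[str]:
    """Evidence lines for the audit trail: what is destroyed, how, and why."""
    return [f"{d.record_id}: destroy via {d.method} ({d.reason})"
            for d in decisions if d.action == "destroy"]


# Constructed sample inventory; review date fixed so the result is reproducible.
SAMPLE_RECORDS = [
    Record("r1", "s100", "account_servicing", date(2020, 1, 1), "cloud_object_store"),
    Record("r2", "s101", "marketing_consent", date(2021, 3, 15), "on_prem_ssd"),
    Record("r3", "s102", "fraud_investigation", date(2018, 5, 1), "backup_tape",
           hold_until=date(2025, 1, 1)),
    Record("r4", "s103", "legacy_import", date(2015, 1, 1), "backup_tape"),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for d in run_review(SAMPLE_RECORDS, TODAY):
        print(f"{d.record_id:>3} {d.action:<9} {d.reason}")
    print("\n".join(destruction_evidence(run_review(SAMPLE_RECORDS, TODAY))))
```

With the constructed inventory the review retains r1, marks r2 for purging, holds r3 despite its expired deadline, and escalates r4. Tying the schedule to the documented purpose is deliberate: it keeps the Storage Limitation control consistent with the Purpose Limitation control rather than letting retention periods drift on their own.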
Integrity and Confidentiality
Integrity and Confidentiality are, in large part, the underpinning of many information security programs. Therefore, the privacy principle associated with Integrity and Confidentiality is truly at the heart of all the privacy principles, and it relates to aspects of each of them. Confidentiality refers to the ability to keep the data restricted to those who have a need-to-know requirement. Integrity relates to the ability to ensure that the data cannot be changed or altered from its original state.
The implementation of controls in support of Integrity and Confidentiality can be far-reaching and extensive. Ensuring integrity can take different forms and, as such, can be multifaceted. Ensuring that no one can alter or change the data means that authentication and authorization measures must be implemented to maintain a steady state for the data.
Monitoring access attempts against the data is an important feature of the Confidentiality requirement. One needs to understand who has tried to access the data, both successfully and unsuccessfully. Periodic entitlement reviews also need to be implemented, for both Confidentiality and Integrity purposes. Entitlement reviews ensure that access is granted on a need-to-know basis. Sometimes this need-to-know changes because personnel transition to new duties and positions within the organization.
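The two controls just described, monitoring successful and unsuccessful access attempts and periodically reviewing entitlements against need-to-know, can be run over an access log and an entitlement list. The following is an added example written for this article, not code from the author or from any product. It assumes a constructed log format (one `key=value` line per access attempt), a constructed entitlement list, and a constructed mapping of staff to roles; all users, roles, resource names and lines are hypothetical. It summarises access per user, flags repeated denials, flags entitlements held by staff whose current role has no need-to-know (the transition-to-new-duties case above), and lists granted-but-unused access as candidates for removal.

```python
"""Access monitoring and entitlement review for the Integrity and Confidentiality principle.

Constructed example (not the article's or any product's code). Input is a
hypothetical audit log with lines of the form
  <timestamp> user=<id> action=<verb> resource=<name> result=success|denied
plus a hypothetical entitlement list and staff-role roster.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>success|denied)$"
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-06-01T09:00:00Z user=alice action=read resource=customer_pii result=success
2024-06-01T09:05:00Z user=bob action=read resource=customer_pii result=success
2024-06-01T09:06:00Z user=dave action=read resource=customer_pii result=denied
2024-06-01T09:07:00Z user=dave action=read resource=customer_pii result=denied
2024-06-01T09:08:00Z user=dave action=export resource=customer_pii result=denied
2024-06-01T09:10:00Z user=alice action=read resource=marketing_list result=success
garbage line that does not match the format
""".splitlines()

# Hypothetical entitlements: who currently holds access to each resource.
ENTITLEMENTS = {"customer_pii": {"alice", "bob", "carol"}}
# Hypothetical need-to-know: which roles are allowed to hold each entitlement.
ROLE_NEED_TO_KNOW = {"customer_pii": {"servicing_agent", "fraud_analyst"}}
# Hypothetical current roles; bob has moved from servicing to marketing.
STAFF_ROLES = {"alice": "servicing_agent", "bob": "marketing",
               "carol": "fraud_analyst", "dave": "fraud_analyst"}


def parse_log(lines: List[str]) -> Tuple[List[Dict[str, str]], int]:
    """Return parsed events and the count of lines that did not match the format."""
    events, malformed = [], 0
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
        else:
            malformed += 1   # unparseable audit lines are themselves a finding
    return events, malformed


def access_summary(events: List[Dict[str, str]], resource: str) -> Dict[str, Dict[str, int]]:
    """Per-user counts of successful and denied attempts on one resource."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"success": 0, "denied": 0})
    for e in events:
        if e["resource"] == resource:
            summary[e["user"]][e["result"]] += 1
    return dict(summary)


def repeated_denials(summary: Dict[str, Dict[str, int]], threshold: int = 3) -> List[str]:
    """Users whose denied attempts reach the threshold (assumed value)."""
    return sorted(u for u, c in summary.items() if c["denied"] >= threshold)


def stale_entitlements(resource: str) -> List[str]:
    """Entitled users whose current role is not on the need-to-know list."""
    allowed = ROLE_NEED_TO_KNOW[resource]
    return sorted(u for u in ENTITLEMENTS[resource] if STAFF_ROLES.get(u) not in allowed)


def dormant_entitlements(resource: str, summary: Dict[str, Dict[str, int]]) -> List[str]:
    """Entitled users with no attempts in the log window: candidates for removal."""
    return sorted(u for u in ENTITLEMENTS[resource] if u not in summary)


def review(lines: List[str], resource: str) -> Dict[str, object]:
    events, malformed = parse_log(lines)
    summary = access_summary(events, resource)
    return {
        "summary": summary,
        "repeated_denials": repeated_denials(summary),
        "stale_entitlements": stale_entitlements(resource),
        "dormant_entitlements": dormant_entitlements(resource, summary),
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG, "customer_pii").items():
        print(f"{key}: {value}")
```

On the constructed input the review reports dave's three denials, bob's access as stale because his role no longer carries need-to-know, carol's entitlement as dormant, and one unparseable log line. Each finding maps back to the text: the denial count is the monitoring control, and the stale and dormant lists are what a periodic entitlement review is meant to surface.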
Accountability
Accountability refers to the data processor's processes being compliant with the GDPR Articles. If the data processor implements the first 6 privacy principles, then proving compliance, or accountability, is relatively simple. All one needs to do is produce the artifacts (documentation and evidence) that support the implementation of each privacy principle. This documented evidence shows regulators that the data processor is accountable to the Articles and Recitals of GDPR.
In conclusion, GDPR is a regulation that applies to all organizations operating within the EU and to all organizations outside the EU that offer goods or services to, or monitor the behavior of, EU data subjects. Compliance with GDPR is not a simple task; it requires a thorough, organized plan that takes into consideration all the pertinent components of the regulation, specifically the Articles and Recitals. GDPR represents a significant shift in the data protection world, emphasizing transparency, security, and accountability while giving individuals control over their personal data.
What are your thoughts and experience with compliance with GDPR? Your thoughts and comments are welcome.