Cyber Security – Crack GDPR in 10 Minutes

If you work in information security you must have heard the term GDPR (General Data Protection Regulation), or of other privacy regulations (CCPA, CPRA, CDPA, CPA, etc.).

So what is GDPR? It is a regulation set by the EU for the protection of the personal information of data subjects (EU citizens whose data is collected or processed). The concepts below can be applied to all PII (Personally Identifiable Information) in any country to comply with local privacy regulation.

What is Personal Information?

Anything that can identify a person, i.e. name, address, phone number, picture, health history, banking information, geolocation, cookies, etc.

What is the Special Category of Data? Data related to biometrics, genetics, health, criminal records, etc. falls into the special category (special category data needs more controls).

Is GDPR applicable to my organization?

- If your organization is established in the EU and collects personal data of EU citizens (like corporates which collect PII of their staff)

- If your organization is outside the EU but collects/processes data of, or provides services to, EU citizens (i.e. international banks, airlines, social media platforms, etc.)

- If your organization monitors the behavior of EU citizens (e-commerce, CCTV surveillance, etc.)

So what is required from an organization to comply with GDPR?

There are 99 Articles and 173 Recitals in the GDPR (no need to break your head over all these controls if you are in cyber security; the DPO will take care of it).

• Articles - specify the requirements that organizations under GDPR must comply with

• Recitals - provide guidance for understanding the requirements

You just need to understand a few foundational concepts to understand the regulation and what is expected from an organization to comply with it.

“Data Protection Principles” (Chapter 2 of GDPR)

Organizations are allowed to collect and process personal data only if the following data protection PRINCIPLES can be demonstrated:

1. Lawfulness, Fairness and Transparency

  • Data is collected for a legitimate purpose, the data subject's consent is taken before processing, and all processing activities on their data are communicated to the data subject
  • In the case of data of a minor, consent should be taken from a parent or legal guardian (the default age limit for consent is 16 years; some EU countries set it at 13)

2. Purpose Limitation

  • Collected data is processed only for the purpose communicated to the data subject and for which consent was taken (don't sell data to marketing if you collected it for transaction processing)
  • Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes ('purpose limitation')

3. Data Minimization

  • Collect from the data subject only the data required for processing (i.e. if the process requirement is to collect data for delivery of goods, don't collect family details or health information)

4. Accuracy

  • Ensure collected data is kept up to date; give the data subject access to the system so s/he can update the data as required, or have a process so the data subject can request correction of his/her data

5. Storage Limitation

  • Data should be stored only as long as required by the processing requirements, and the same is communicated to the data subject (i.e. if you are collecting data for a survey, delete the data after the survey is completed, unless there is a justification to keep it for later use as part of a contractual or regulatory requirement)

6. Integrity and Confidentiality

  • Ensure stored data is kept secure (encrypted, pseudonymized, anonymized)
  • Stored data is kept encrypted
  • Pseudonymized – processing of personal data in such a manner that the personal data can no longer be attributed to a specific person without the use of additional information. Such additional information must be kept carefully separate from the personal data.
  • Anonymized – data is replaced with dummy data (i.e. the original data cannot be recovered; processing of personal data in a manner that makes it impossible to identify individuals from it)
  • Access to data is restricted to those with a business need (i.e. you have an authorization matrix for the users who can access this data and there is a business case for them to access it, be they internal users or 3rd-party contractors)
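As an added illustration (not part of the article), the pseudonymization/anonymization distinction above in Python: pseudonymization replaces the identifiers with a keyed token whose key and lookup table are held apart from the data, so the record can be re-linked only with that additional information, while anonymization discards identifiers and coarsens the rest so nothing links back. The record and its field names are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record of one data subject (not real data).
SAMPLE_RECORD = {"name": "Alice Example", "email": "alice@example.org",
                 "postcode": "SW1A 1AA", "birth_year": 1984, "order_total": 42.50}
DIRECT_IDENTIFIERS = ("name", "email")

def pseudonymize(record, key):
    """Replace the direct identifiers with an HMAC-SHA256 token under `key`.

    The key and the returned lookup entry are the "additional information" the
    article refers to: the key gives one person the same token across datasets
    and stops anyone without it confirming a guessed e-mail by recomputing the
    token; the lookup entry is what allows re-identification. Both live apart
    from the pseudonymized data (key in a KMS, lookup in a restricted table).
    """
    identity = {k: record[k] for k in DIRECT_IDENTIFIERS}
    msg = json.dumps(identity, sort_keys=True).encode()
    token = hmac.new(key, msg, hashlib.sha256).hexdigest()
    pseudo = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    pseudo["subject_token"] = token
    return pseudo, {token: identity}

def reidentify(pseudo_record, lookup):
    """Recover the identity via the separately held lookup; None once purged."""
    return lookup.get(pseudo_record["subject_token"])

def anonymize(record):
    """Irreversible: drop direct identifiers and coarsen quasi-identifiers.

    No token or lookup is produced, so nothing in the output links back to
    the individual; that is what separates this from pseudonymization.
    """
    return {
        "postcode_area": record["postcode"].split()[0],   # 'SW1A 1AA' -> 'SW1A'
        "birth_decade": record["birth_year"] // 10 * 10,  # 1984 -> 1980
        "order_total": record["order_total"],
    }

if __name__ == "__main__":
    key = secrets.token_bytes(32)        # in practice fetched from a key store
    pseudo, lookup = pseudonymize(SAMPLE_RECORD, key)
    print("pseudonymized:", pseudo, "\nre-identified:", reidentify(pseudo, lookup))
    lookup.clear()                       # purging the lookup, e.g. on erasure
    print("after purge:", reidentify(pseudo, lookup))
    print("anonymized:", anonymize(SAMPLE_RECORD))
```

Once the lookup entry is purged the pseudonymized record can no longer be attributed to anyone, which is why the article insists the additional information is stored separately.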

What are the Rights of the Data Subject? (Chapter 3)

1. Right to be informed (Articles 12-14): the data subject should be aware that you are collecting their data and for what purpose. If you have not collected the data directly from the data subject, you still need to inform him/her that you possess the data (within 30 days)

2. Right of access (Article 15): data subjects have the right to view and request copies of their personal data

3. Right to rectification / correction of his/her data (Article 16): the data subject has the right to correct his/her data, so you need to have a system / process through which the data subject can request a correction

4. Right to erasure / right to be forgotten (Article 17): the data subject can request that you delete all his/her data, unless it is required for contractual or legal requirements

5. Right to object (Article 21): the data subject has the right to object to the processing of his/her personal data

6. Right to data portability (Article 20): the data subject can request a copy of his/her data in your possession, and you are required to deliver the requested data in a readable format without charging him/her for it

7. Right to restrict processing (Article 18): data subjects have the right to request the restriction or suppression of their personal data

8. Right to object to automated processing (Article 22): data subjects have the right to object to decisions about them that are based solely on automated decision making or profiling

9. Right to withdraw consent (Article 7): data subjects have the right to withdraw previously given consent to process their personal data

Data subject requests should be responded to within 30 days and fulfilled within a maximum of 90 days, so you need to have the necessary processes in place (technical systems / procedures) to fulfil the above requirements.

What else is expected from an Organization?

1. Keep a record of all processing activities that include personal data (if the records cover more than 250 data subjects)

  • You might have HR that collects PII of staff for onboarding and salary processing; this information may cover staff names, addresses, family details, account numbers, etc., so you need to keep a record of all this information – the justification is the employment contract or regulatory requirements
  • The same applies to every process that collects or processes PII of internal / external data subjects

2. Prepare an incident / breach response process for personal data

3. Report breaches to the Supervisory Authority (regulator) within 72 hours, and notify all data subjects whose data was breached, where possible, within a reasonable time

4. Nominate a Data Protection Officer (DPO) as the single point of contact for the Supervisory Authority and data subjects (a DPO is required only if processing is on a large scale, if you are a public company, or if you process special category data or criminal conviction data)

  • The DPO has an advisory role in conducting the DPIA (Data Protection Impact Assessment, which assesses the risk to data subjects if the collected data is breached)
  • The DPO monitors compliance with GDPR
  • The DPO is responsible for conducting awareness
  • Single point of contact with the Supervisory Authority and data subjects for any issues / concerns

5. Information shared with a 3rd party for processing should be covered by a contract that clearly states their responsibility to comply with GDPR requirements.

6. Necessary policies / procedures to achieve the above goals, including backup/recovery and regular testing of controls

What are the penalties for noncompliance?

  • Up to 20 million EUR or 4% of global turnover for noncompliance with Chapters 2 and 3 of GDPR (i.e. for noncompliance with the GDPR principles and data subject rights)
  • Up to 10 million EUR or 2% of global turnover for noncompliance with some other sections of GDPR (not appointing a DPO, not reporting a breach to the Supervisory Authority, not performing a DPIA, etc.)

Even if you are compliant with GDPR, if there is a data breach you can still be penalized; the penalty amount will be decided by the Supervisory Authority based on your maturity and existing due diligence.

Controller: the organization which collects personal information from data subjects

Processor: the organization which processes the personal information of data subjects on behalf of the Controller

Supervisory Authority: an official authority established by an EU Member State (think of the regulators who monitor your compliance with GDPR and provide guidance)

DPO: Data Protection Officer

#gdpr

Heramb Desai

Expertise in Incident Response, Cybersecurity Frameworks | Developing comprehensive defense mechanisms for Fortune 500 companies | Penetration Tester | Identifying Network Vulnerabilities Before Hackers Do

2 years

So finally, as I said Bhai, you really become an author of a book .... Khalid Lakdawala "The Khalid" On Cyber Security .. You should start

Siva kumarraju G.

Partner Business Manager-MEA-OpenText Cybersecurity

2 years

Format-Preserving Hash (FPH), the newest innovation in Micro Focus Voltage data protection methods, provides non-reversible de-identification, supporting the GDPR’s Article 17, the right to erasure (often referred to as “the right to be forgotten”), which calls for anonymization. Voltage FPH offers one-way transformation with the strength and use case versatility of FPE, working with existing database schemas and applications without change and without disabling the use of data analytics. SecureData Sentry enables a non-disruptive approach to address privacy compliance by leveraging Voltage encryption and tokenization, two industry-leading methods of pseudonymization, a form of data de-identification in which the protected information can still be used in business processes and be securely re-identified.
