Vous êtes sur la page 1sur 10

EU General Data

Protection Regulation
A Compliance Guide

December 2016

Protect Comply Thrive


IT Governance Green Paper

Getting ready for GDPR compliance


The introduction of the European A matter of urgency
General Data Protection Regulation
Every organisation that processes or shares
(GDPR) heralds the most significant
personal data now has less than 18 months
change to data protection law in the
to comply with the new Regulation. This
EU, and globally, in recent years. In
involves organisations understanding what
this green paper, we give an overview
personal data they currently hold or process
of the key areas of change presented
and the risks to that data, adapting their
by the Regulation, and the critical
business processes and infrastructure,
areas to be aware of when preparing
implementing tools and compliance
for compliance.
processes, and changing the way they
collaborate with suppliers. In some
Introduction instances, those changes could be
significant and work will need to start as a
The EU General Data Protection Regulation matter of urgency. Bear in mind that every
(GDPR) was adopted in April 2016 and will organisation in the EU is simultaneously
take effect across the European Union (EU) faced with the same timetable, and that
on 25 May 2018, when it supersedes the 28 skilled compliance resources are already in
current national data protection laws based short supply.
on the 1995 Data Protection Directive
(DPD). Regulatory compliance may be viewed by
many as an administrative burden.
Introduced to keep pace with the modern However, ignoring the GDPR or getting it
digital landscape, the purpose of the new wrong could have costly repercussions:
Regulation is twofold: organisations found to be in breach of the
1. to improve consumer confidence in Regulation face administrative fines of
organisations that hold and process up to 4% of their annual global
their personal data by reinforcing their turnover or 20 million whichever is
privacy and security rights consistently greater.
across the EU, and Organisations that take the time to properly
2. to simplify the free flow of personal data prepare for and comply with the new
in the EU through a coherent and Regulation will not only avoid significant
consistent data protection framework fines and reputational damage, but will also
across the member states. find that their data handling, information
security, compliance processes and
The new Regulation does not fundamentally contractual relationships are more robust
change any of the core rules in the DPD; it and reliable.
instead extends the Directives
requirements significantly by introducing a The Brexit question
range of new obligations to support those UK organisations handling personal data
core rules. These additional obligations will still need to comply with the GDPR,
be familiar in some member states. For regardless of Brexit. The government has
example, Germany already imposes an confirmed that GDPR will apply in the UK, a
obligation to appoint data protection position endorsed by the UKs Information
officers, has the concept of pseudonymised Commissioner:
data and has extensive requirements for
processors contracts. In other member
states, these obligations will be very new.

IT Governance Ltd 2016 2 EU GDPR A Compliance Guide


IT Governance Green Paper

It is extremely likely that GDPR will be live For organisations that operate across
before the UK leaves the European Union. multiple member states, this harmonisation
Remember that the GDPR is actually is welcome. However, some national
already in force, it is just that Member divergences are likely to remain and further
States are not obligated to apply it until 25 divergences may arise because member
May 2018. states have limited rights to amend some of
the obligations under the Regulation:
Organisations therefore need to act now to
ensure that they are compliant with the Employment - member states can
GDPR when it comes into effect on 25 May introduce further restrictions on the
2018. processing of employee data.
National security - member states can
pass laws to limit rights under the
Key changes: Regulation in areas such as national
security, crime and judicial proceedings.

GLOSSARY Although the Regulation has been


published, there is still uncertainty about
Data controller (organisation) means what some of the provisions mean or how
the natural or legal person, public they should be applied. Different social and
authority, agency or other body which, cultural attitudes to data protection will
alone or jointly with others, determines the influence their interpretation, and what is
purposes and means of the processing of regarded as high risk in Berlin may not
personal data. also be regarded as high risk in Rome.
Data subject (individual) means an Finally, differences in the resources and
identifiable natural person who can be attitudes of supervisory authorities may
identified, directly or indirectly, in particular result in wide variations in enforcement.
by reference to an identifier such as a There is a wide discrepancy between the
name, an identification number, location theoretical powers open to national
data, or an online identifier. regulatory authorities and the application of
Personal data means any information those powers in practice.
relating to an identified or identifiable Issues of this sort will be resolved in the
natural person (data subject). The normal course of regulatory business.
Regulation states this also includes online Organisations still face the 25 May 2018
identifiers such as IP addresses and cookies. compliance deadline.
Data processor (service providers) Expanded territorial reach
means a person, public authority, agency
or other body which processes personal data The GDPR applies to all EU organisations
on behalf of the controller. An example is a whether commercial business or public
Cloud provider that offers data storage. authority that collect, store or process the
personal data of EU individuals.
Organisations based outside the EU that
1. Scope of the new law monitor or offer goods and services to
individuals in the EU will have to observe
Harmonisation only one law the new European rules and adhere to the
There are currently 28 different sets of data same level of protection of personal data.
protection laws across the European Union. The Regulation also requires such
The GDPR will replace these with a pan- organisations controllers and processors
European regulatory framework effective to appoint an EU representative based in
from 25 May 2018. As a Regulation, it is one of the member states in which the
directly effective in all member states relevant individuals are based. This is
without the need for further national unless the processing is occasional and
legislation. does not include large scale processing of

IT Governance Ltd 2016 3 EU GDPR A Compliance Guide


IT Governance Green Paper

special categories of data or processing of general principles when processing personal


data relating to criminal convictions and data. Some important new concepts are
offences. high risk to individuals, large scale
processing and pseudonymised data
Single scheme one-stop shop
(data from which no individuals can be
A new one-stop shop provision means that identified without the use of additional
organisations will only have to deal with a information).
single supervisory authority, not one for
Consent
each of the EUs 28 member states, making
it simpler and cheaper for companies to do The Regulation imposes stricter
business in the EU. An organisation that requirements on obtaining valid consent
carries out cross-border processing should from individuals to justify the processing of
be primarily regulated by the supervisory their personal data. Consent must be
authority in which it has its main freely given, specific, informed and
establishment (the lead supervisory unambiguous indication of the individuals
authority). wishes. Silence, pre-ticked boxes or
inactivity do not count as consent. The
Obligations on processors
organisation must also keep records so it
The Regulation also introduces obligations can demonstrate that consent has been
on data processors. These are service given by the relevant individual. Finally,
providers that process personal data on consent must be explicit when processing
behalf of organisations but do not sensitive personal data, or transferring
determine the purpose or means of the personal data outside the EU.
processing, such as call centres.
Additional protection for children
Where a controller contracts a processor to
Consent from a child in relation to online
process personal data, that processor must
services is, under the new Regulation, only
be able to provide sufficient guarantees to
valid if authorised by a parent. A child is
implement appropriate technical and
someone below the age of 16, though
organisational measures to ensure that
member states can reduce this age to 13.
processing will comply with the GDPR and
that data subjects rights are protected. New data access rights
This requirement flows down the supply
One of the key aims of the Regulation is to
chain, so a processor cannot subcontract
empower individuals and give them control
work to a second processor without the
over their personal data. While the
controllers explicit authorisation.
Regulation largely preserves the existing
Contractual arrangements will need to be rights of individuals to access their own
updated, and stipulating responsibilities and personal data, require rectification of
liabilities between the controller and inaccurate data, object to direct marketing,
processor will be imperative in future and challenge automated decisions about
agreements. Parties will need to document them, it also confers significant additional
their data responsibilities even more clearly new rights for individuals.
and the increased risk levels may impact
Right to be forgotten
service costs.
Individuals have a new right to require
the data controller to erase all personal
data held about them in certain
2. Individuals data rights
circumstances, such as where the data
Core rules remain the same is no longer necessary for the purposes
Many of the core definitions from the DPD for which it was collected. There are a
remain largely unchanged. In particular, the number of exemptions to this right, for
Regulation retains the very broad definition example in relation to freedom of
of personal data and processing, and expression and compliance with legal
organisations must comply with all six obligations. It is likely that the limits of

IT Governance Ltd 2016 4 EU GDPR A Compliance Guide


IT Governance Green Paper

this right will be fought over in EU law Data protection impact assessment
courts for many years. (DPIA)
Right to data portability
Data protection must now be designed into
This is a new concept under the
processing systems by default and a DPIA
Regulation. Individuals will have the
is now mandatory in certain circumstances.
right to transfer personal data from one
Good practice for new technologies and
data controller to another where
processes is to assess whether processing
processing is based on consent or
has a high risk of prejudicing data
necessity for the performance of a
subjects rights, and whether this risk can
contract, or where processing is carried
be reduced or avoided, for example by
out by automated means.
pseudonymisation. A DPIA shall in
Profiling particular be required where there is
automatic processing (including filing) and
Data controllers must inform data subjects processing of special categories of data on
of the existence and consequences of any a large scale.
profiling activities that they carry out
(including online tracking and behavioural
advertising). Compliance standards
Organisations that collect and use personal The GDPR encourages the adoption of
data will need to put in place more robust certification schemes as a means to
privacy notices than have previously been demonstrate compliance. Compliance with
required, providing more information in a the international information security
more prescribed manner. This will involve a standard ISO 27001 the only
large-scale review of all privacy notices. independent, internationally recognised
data security standard will help
organisations demonstrate that they have
3. Data protection endeavoured to comply with the data
Data protection by design security requirements of the GDPR.
Implementing ISO 27001 involves building
The Regulation does not just require tick- a holistic framework of processes, people
box compliance; compliance must become
and technologies in order to secure
part of business as usual. The key to information.
accountability is to embed compliance into
the fabric of your organisation. This
includes not just developing appropriate Records of data processing
polices but also applying the principles of
data protection by design and by The Regulation now places the onus on
default. organisations and data processors to keep
their own records of data processing
Specifically, organisations must take activities and make these available to the
appropriate technical and organisational supervisory authority on request. This
measures before data processing begins to record needs to contain a specific set of
ensure that it meets the requirements of information so that it is clear what, where,
the Regulation. Data privacy risks must be how and why data is processed. Small
properly assessed, and controllers may use businesses employing fewer than 250
adherence to approved codes of conduct or employees are exempt from these record-
management system certifications, such as keeping requirements unless their
ISO 27001, to demonstrate their processing activities involve a risk to the
compliance. rights and freedoms of data subjects, are
not occasional, or include special categories
of personal data or data relating to criminal
convictions or offences.

IT Governance Ltd 2016 5 EU GDPR A Compliance Guide


IT Governance Green Paper

4. Accountability certification. However, obtaining


training and qualifications in GDPR
Data protection officer
compliance would be an effective way to
Many organisations will be required to demonstrate expert knowledge. The
appoint a data protection officer (DPO) to IBITGQ ISO 17024-accredited EU GDPR
be responsible for monitoring compliance Practitioner (EU GDPR P) is one such
with the Regulation, providing information qualification.
and advice, and liaising with the
Data breach notification and penalties
supervisory authority. They are an existing
feature of some member states data The increase in high-profile cyber attacks is
protection laws, such as Germany. reflected in the enhanced data security
obligations in the Regulation and the
A DPO must be appointed where:
parallel obligations in the Network and
the processing is carried out by a public Information Security Directive.
authority;
It will be mandatory for an organisation to
the organisations core activities require
report any data breach to its supervisory
regular and systematic monitoring of
authority within 72 hours of becoming
data subjects on a large scale; or
aware of it. If that requirement is not met,
the organisations core activities consist
the eventual report must be accompanied
of the large-scale processing of special
by an explanation for the delay. The
categories of data and data relating to
notification must include specific
criminal convictions and offences.
information, including a description of the
In most organisations, it will be good measures being taken to address the
practice to appoint a DPO anyway. The breach and mitigate its possible side
GDPR obligations are such that having effects. Where the breach may result in a
readily available advice and support from a high risk to the rights and freedoms of data
data protection specialist will be an subjects, the data subjects themselves
essential risk management step, in the must be contacted without undue delay.
same way that organisations now appoint This contact will not be necessary if
HR or health and safety managers. appropriate protective measures
The DPO, where appointed, must be essentially encryption are in place to
eliminate danger to data subjects.
independent. This does not mean you have
to appoint an external person; the DPO role Any infringements of the new Regulation
can be fulfilled by an employee. The post are subject to a tiered financial penalty
can be a part-time role or combined with regime with fines of up to 4% of annual
other duties, but, in performing the role, global turnover or 20 million,
the DPO must have an independent whichever is the greater. In determining
reporting line and be empowered to report the level of the fine, the supervisory
directly to the board without interference. authority must consider a range of factors
What is important is that the appointed including the gravity of the breach, whether
person must be a data protection the breach was intentional or the result of
professional with expert knowledge of data negligence, and any steps taken to mitigate
protection law and practices to perform the breach. Additionally, individuals can sue
their duties. organisations for compensation to cover
both material and non-material damage
What qualification does the data
protection officer need? (e.g. distress).
Given the magnitude of potential fines, the
The data protection officer must have
rights of individuals to bring cases and
the right professional qualities and
knowledge of data protection law. There claim compensation, and the prevalence
and effectiveness of cyber crime, the risk of
is currently no express requirement to
a data breach should go straight onto the
hold any particular qualification or

IT Governance Ltd 2016 6 EU GDPR A Compliance Guide


IT Governance Green Paper

boards risk register, with compliance high What processes and systems are in
on senior managements agenda. place for handling personal data
Where personal data is transferred
outside the organisation (including third
5. Data transfers outside the EU parties and cross-border)
The Regulation prohibits the transfer of How personal data is secured
personal data outside the EU to a third throughout its lifecycle
country that does not have adequate data With an understanding of the compliance
protection. The European Commission has gaps, organisations will be in a position to
the power to approve particular countries assess their personal data risks and develop
as providing an adequate level of data an appropriate remediation plan.
protection, taking into consideration the
data protection laws in force in that country The time to start planning for GDPR
and its international commitments. At compliance is now.
present this list is Andorra, Argentina,
Canada, Faroe Islands, Guernsey, Israel,
Isle of Man, Jersey, New Zealand, How we can help
Switzerland and Uruguay. A leading global authority on data
For data transfers to any country not on the protection, IT Governance helps
list, there must be a legal contract that organisations address the challenges of
stipulates that the non-EU recipient agrees GDPR compliance with a comprehensive
to the data protection safeguards required. suite of information resources, solutions
The Regulation explicitly recognises and and advisory services.
promotes the use of binding corporate rules
as a valid data transfer mechanism within
GDPR compliance solutions and services
groups of companies. Approved codes of
conduct also can be used for data transfers. GDPR bookshop
Information EU GDPR - EU GDPR An
resources A Pocket Implementation and
Preparing for GDPR compliance Guide Compliance Guide
There are clearly a number of key critical
GDPR training courses
areas to observe in your approach to
ensure GDPR compliance. Plenty of Certified EU General Data
obligations can be resolved fairly simply Protection Regulation
Education Foundation
and quickly. Others, particularly in large or
Certified EU General Data
complex organisations, could have Protection Regulation
significant budgetary, IT, personnel, Practitioner
governance and communications Classroom Live E-learning
implications. Ensuring buy-in from senior Online

management and key stakeholders in your


Productivity GDPR toolkits
organisation will be critical to meeting your tools EU GDPR Documentation Toolkit
obligations.
An important next step will, for most GDPR transition services
organisations, be to gain clarity on their Advice and Data Flow GDPR GDPR
personal data processing, and includes consultancy Audit Gap Transition
Analysis
identifying:
What personal data is held across the Information security
organisation Certification management system
What permissions have been obtained ISO 27001 certification
for that data

IT Governance Ltd 2016 7 EU GDPR A Compliance Guide


IT Governance Green Paper

About the author


Alan Calder is an acknowledged international cyber security guru and a leading author on
information security and IT governance issues. He is also chief executive of IT Governance
Limited, the single-source provider for products and services in the IT governance, risk
management and compliance sector.
Alan wrote the definitive compliance guide, IT Governance: An International Guide to Data
Security and ISO 27001/ISO 27002 (co-written with Steve Watkins), which is the basis for the
UK Open Universitys postgraduate course on information security. This work draws on his
experience of leading the worlds first successful implementation of BS 7799 (now ISO 27001).
Alan is a frequent media commentator on information security and IT governance issues, and
has contributed articles and expert comment to a wide range of trade, national and online
news outlets.

GDPR compliance products and services


Books
EU GDPR: Pocket Guide
The perfect introduction to the principles of data privacy and the GDPR, this concise
guide is essential reading for anyone wanting an overview on the new compliance
obligations for handling the personal data of EU residents.
Click for further information and to purchase the book >>

EU General Data Protection Regulation An Implementation and Compliance


Guide
This clear and comprehensive guide provides detailed commentary on the GDPR and
practical implementation advice on the compliancy measures needed for your data
protection and information security regimes.
Click for further information and to purchase the book >>

Training courses
Certified EU GDPR Foundation training course
This one-day course will offer a solid introduction to the European General Data
Protection Regulation and provide a practical understanding of the implications and
legal requirements of the Regulation, culminating in an official certification from the
International Board of IT Governance Qualifications (IBITGQ).
Click for further information and to book a course >>

IT Governance Ltd 2016 8 EU GDPR A Compliance Guide


IT Governance Green Paper

Certified EU GDPR Practitioner training course


This comprehensive training course prepares individuals who are seeking to embed
their knowledge of the EU GDPR in order to serve as their organisations data protection
officer (DPO). The course will cover aspects of the Regulation in depth, including
implementation requirements, the necessary policies and processes, as well as
recognised data security risk analysis methods.
Click for further information and to book a course >>
Privacy impact assessment training

This one-day workshop is designed to provide delegates with the practical knowledge
needed to perform a privacy impact assessment (PIA), designed to minimise privacy
risks and comply with the UK Data Protection Act (DPA) and the EU General Data
Protection Regulation (GDPR).
Click for further information and to book a course >>

Documentation toolkits
EU GDPR Documentation Toolkit
A full set of policies and procedures enabling your organisation to comply with the EU
GDPR. These digital templates are fully customisable and significantly reduce the
burden of developing the necessary documents to achieve legal compliance.
Click for further information and to download a free trial version >>

Advice and consultancy


EU GDPR data flow audit
For this essential first step in the preparation process, our privacy experts provide a
data inventory and flow map of the personal data held and shared by your organisation.
This forms the basis for assessing the information privacy and security risks in your
organisation.
GDPR Gap Analysis
Delivering a targeted assessment of your compliance with the GDPR, our privacy
experts provide a detailed assessment of your readiness, key gaps and risks, and a
remediation roadmap.
Click for further information and to contact IT Governance for assistance >>

Certification
Information security management system: ISO 27001
Internationally recognised as an effective way to demonstrate that appropriate
technical and organisational measures have been implemented to meet GDPR
requirements, our leading ISO 27001 implementation specialists will help your
organisation achieve certification.
Contact IT Governance for assistance at servicecentre@itgovernance.co.uk >>

IT Governance Ltd 2016 9 EU GDPR A Compliance Guide


IT Governance Green Paper

IT Governance Solutions
IT Governance sources, creates and delivers products and services to meet the evolving IT
governance needs of today's organisations, directors, managers and practitioners.
IT Governance is your one-stop shop for corporate and IT governance information, books,
tools, training and consultancy. Our products and services are unique in that all elements are
designed to work harmoniously together so you can either benefit from them individually or
combine different elements to build something bigger and better.
Our Protect - Comply - Thrive approach is aimed at helping your organisation achieve
resilience in the face of constant change.

Our areas of expertise:

Contact us: + 44 (0)845 070 1750


www.itgovernance.co.uk servicecentre@itgovernance.co.uk

IT Governance Ltd 2016 10 EU GDPR A Compliance Guide

Vous aimerez peut-être aussi