In this issue of the CyberSurance newsletter we discuss the new ‘General Data Protection Regulation’ (GDPR) and the importance of the ‘Data Protection Officer’ (DPO) as both a risk management and regulatory compliance leader within the organization.
GDPR applies to the processing of personal data of EU data subjects, regardless of whether the processing activities take place in the EU or not. The GDPR is also applicable to entities established outside the EU if they offer goods or services to individuals in the Union, or if they monitor the behavior of individuals in the Union (i.e., profiling activities, tracking individuals’ activities on the internet, etc.).
Under GDPR, ‘personal data’ is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, home address, photo, email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. In addition, there are special categories of sensitive data that carry additional protections for information such as biometric data, genetic information, political opinions, religion, sexual orientation, and more.
GDPR requires companies to keep personal data secure through a thorough data privacy and security program, including a documented legal basis and accountability for all ‘personal data’ acquisition, processing, storage, analytics, and transfers. Data transfers are a complicated area of the GDPR. As such, organizations that have historically protected themselves via user consent may find themselves having to rework their data transfer framework or face high penalties.
Penalties under the GDPR fall into two categories in terms of the amount of the fine. First, up to 2% of annual worldwide turnover or €10m, whichever is higher, can be assessed for compliance violations such as failure to report a data breach. Second, up to 4% of annual worldwide turnover or €20m, whichever is higher, can be assessed for more serious offenses such as failure to comply with the principles of lawful data processing as set forth by the GDPR.
It is the responsibility and the liability of controllers and processors to implement effective measures and to be able to demonstrate the compliance of their processing activities. Data Protection Impact Assessments (Article 35) have to be conducted when specific risks to the rights and freedoms of data subjects occur. Risk assessment and risk mitigation are required, and prior approval of the national data protection authorities (DPAs) is required for high risks. Data protection officers are required to ensure GDPR compliance within organizations.
It is important to remember that even with the best technology and formal processes in place, people are still the weakest link in data protection. Despite all of the focus on human resources policies and ongoing security awareness training, social engineering attacks are still a major threat. Therefore, consistent, real-world education is an important mitigation component. But the only way to validate the effectiveness of this training and strive for continual improvement is through ongoing data protection operations that include periodic security assessments and risk management.
Under the GDPR there is an obligation to appoint a Data Protection Officer (DPO) if the organization processes personal data on a large scale, or processes one or more of the categories of sensitive data, or if personal data processing is part of its core business. The DPO will continue to grow in significance as the point person for providing leadership to minimize the risk of GDPR fines and provide oversight for the formal governance programs to address data privacy and security in accordance with GDPR.
CyberSurance is a leader in providing cybersecurity consulting and managed services and serves as a strategic partner to many top companies in the financial, healthcare, defense, transportation, communications, entertainment, and e-commerce industries. Our cybersecurity consultants have served as Chief Information Security Officers (CISO) and Data Protection Officers (DPO), and are certified and experienced in data protection, ethical hacking, risk management, security management, security auditing, and business consulting. At CyberSurance we develop risk management strategies that take a holistic approach to examining the risk factors associated with an organization’s People, Processes, and Technology.
For organizations that currently do not have the on-staff expertise of a Data Protection Officer (DPO), CyberSurance offers a ‘DPO-as-a-Service’ program that provides strategic vision, tactical expertise, and management oversight. CyberSurance has the expertise and experience to put your overall security management, compliance, and data protection programs on the right track – consulting services for a secure and resilient cyber-space.