Martin R. Voelk

Are You Ready for the EU’s General Data Protection Regulation?

Entities prepare for stricter controls over the security of personal data

Published: Tuesday, February 6, 2018 - 13:02

In just a few short months, the European Union’s General Data Protection Regulation (GDPR) will take effect. The regulation, which replaces the EU’s 20-year-old Data Protection Directive, imposes new and more rigorous requirements on any entity that collects or maintains personal consumer data, including entities located outside of the EU. In this article, we’ll provide some background on the origins of the GDPR and summarize the key aspects of the regulation.

What is the General Data Protection Regulation?

The GDPR (officially referenced as Regulation (EU) 2016/679) was originally developed to strengthen and harmonize the safeguards around personal data implemented as a result of the EU’s Data Protection Directive (95/46/EC). The GDPR imposes strict regulations on what it terms “data processors” or “data controllers,” that is, any entity that collects, handles, or analyzes personal data. The overall intent of the regulation is to provide consumers and private parties with greater control over how their personal data is maintained and used. 

Under the GDPR, the term “personal data” is broadly defined to be “any information relating to an identified or identifiable natural person,” who can be identified by “one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.” In practice, this definition encompasses almost every sort of data about an individual consumer that could be collected by an entity, such as personal and account records, purchasing activities, financial and health records, videos, and photos. Further, Article 9 of the GDPR defines “special” categories of personal data that could reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic predispositions, or sexual orientation, which are subject to even more stringent requirements.

Importantly, under Article 3 of the regulation, the provisions of the GDPR apply not just to EU-based organizations but also to entities located outside of the EU that offer goods or services to EU citizens. This expanded scope effectively mandates compliance with the requirements of the GDPR by most companies and organizations, regardless of where they are located, and is likely to result in an overall increase in the levels of data privacy and security enjoyed by consumers around the world. 

The GDPR was officially enacted by the EU in April 2016, and comes into force on May 25, 2018, following a two-year transition period. Unlike the EU’s Data Protection Directive, which required EU member states to adopt national legislation to implement its provisions, the GDPR will have full and immediate effect across the entire EU. This approach eliminates the differences in interpretation and implementation of data privacy requirements that accompanied the Data Protection Directive, thereby helping to ensure uniform implementation of its requirements and easing enforcement.

What rights does the GDPR confer on individuals?

The GDPR bestows on individuals (defined as “data subjects” under the regulation) unprecedented rights regarding their personal data that must be honored by any entity that collects or processes that data. These rights include:
• Right of access (Article 15). Individuals have the right to obtain confirmation from an entity whether or not that entity has possession of their personal data and, if so, the purpose for which that data is being used.
• Right of rectification (Article 16). Individuals have the right to request that an entity correct inaccurate or incomplete personal data.
• Right to erasure (Article 17). Under several specified circumstances, individuals have the right to request that an entity erase or otherwise destroy their personal data.
• Right to restrict data processing (Article 18). In some cases, individuals also have the right to request that an entity restrict the processing of their personal data.
• Right to data portability (Article 20). Individuals have the right to request from an entity their personal data “in a machine-readable format,” for the purposes of transmitting it to another entity.

Key personal data principles with which entities must comply

In general, the specific requirements of the GDPR applicable to the collection and handling of personal data are based on the following six key principles, as defined in Article 5 of the regulation:
• Lawfulness, fairness, and transparency. Entities are obligated to process personal data in a lawful, fair, and transparent manner.
• Purpose limitation. Personal data can only be collected for a specified, explicit, and legitimate purpose, and cannot be used or reused for purposes inconsistent with the stated intention.
• Data minimization. Entities must strive to obtain only that data that is “adequate, relevant, and limited” to the stated purpose.
• Accuracy. Data must be updated as new information becomes available and must be erased or corrected if deemed to be inaccurate.
• Storage limitation. Entities can retain personal data for only as long as required to fulfill the intended purpose.
• Integrity and confidentiality. Entities must implement measures to secure personal data in their possession, and to protect against unauthorized or unlawful access to that data.

These six principles serve as the foundation for the broad range of specific requirements detailed within the scope of the 88-page regulation.

Some of the most critical obligations for entities

For entities that collect, process, or otherwise handle personal data, the GDPR imposes a number of new obligations, as follows:
• More rigorous rules for obtaining valid consent on the use of personal information (Article 7). Requests for consent regarding the use of personal data must be presented “in an intelligible and easily accessible form, using clear and plain language.” Further, individuals must be afforded the ability to withdraw their consent regarding the continued use of personal data at any time.
• Adherence to “privacy by design” principles (Article 25). Entities must take any and all measures to ensure that their systems and processes for handling personal data are designed to protect the security of that data and the privacy of the individual. The GDPR encourages the use of an “approved certification mechanism” as a means of demonstrating compliance with this requirement.
• Compliance with data breach notification requirements (Articles 33 and 34). Under the GDPR, entities are required to report to authorities any instance of a data breach within 72 hours of its discovery. Entities are also required to notify individuals affected by such breaches “without undue delay.”
• Mandatory privacy impact assessments (PIAs) where risks are high (Article 35). In cases where the use of specific systems, technologies, or processes regarding the use of personal data is likely to result in a “high risk,” entities must conduct a comprehensive assessment on those potential risks.
• For many entities, the appointment of a data protection officer (Articles 37-39). Entities that collect, process, or handle large volumes of personal data are required to appoint a data protection officer (DPO), who is responsible for monitoring compliance with GDPR requirements and who serves as a point of contact with EU supervisory authorities.

Additional considerations

Entities that fail to comply with the full scope of requirements of the GDPR face the prospect of severe financial penalties. Under the regulations, entities can be fined a maximum of four percent of annual global sales (turnover), not to exceed 20 million euro. Regulators can also implement a tiered approach in the application of fines for lesser offenses, such as recordkeeping deficiencies, failing to conduct a data protection impact assessment where required, or failing to notify regulators or the public of data breaches within the defined timelines. The magnitude of possible financial penalties should provide significant incentive for any entity that handles the personal data of consumers to fully understand how the provisions of the GDPR apply to their operations, and to promptly take whatever steps are required to achieve full compliance by the May 25 enforcement date.  

Conclusion

In cooperation with Quality Digest, TÜV SÜD America will host a live webinar, entitled “Are You Ready for the EU’s General Data Protection Regulation?” on Tuesday, Feb. 13, 2018 at 2:00 p.m. Eastern, 11 a.m. Pacific. There is no charge to participate, and readers of this article can find out more information about the webinar or register to attend by clicking here.

About The Author

Martin R. Voelk

Martin R. Voelk is a senior security analyst with TÜV SÜD America. He is an IT security veteran with more than 20 years of experience in the IT industry. Martin spends his time on penetration testing and security audit services for clients around the globe. He has taught penetration testing training courses and Cisco-authorized security courses. He has also established security policies and performed ethical hacking and penetration tests for governments and other businesses. He provided IT security services as a consultant to organizations such as the German Railways Group, Cable & Wireless, Hypo-Vereinsbank, Motorola, Fast Lane, Cisco Systems, Apple, the U.S. Army, the British Army, and various other government bodies and private-sector clients. Martin is also a regular speaker at security conferences and works with the press to give people insight into current IT security issues.