The General Data Protection Regulation (GDPR) has applied since 25 May 2018. It applies to organizations established in the European Union and, under certain conditions (offering goods or services to people in the EU, or monitoring their behaviour), to organizations outside it. Because it is a regulation rather than a directive, it applies directly in every member state; member states have also adopted national data protection laws that supplement it where it leaves room for national rules.
Under the GDPR, an organization that decides the purposes and means of processing personal data in the course of providing its services is the data controller for that data. The controller is responsible for the security of the processing and is accountable for demonstrating compliance. Partners and service providers that access or process personal data on the controller's behalf are data processors: they act only on the controller's documented instructions and fall within the controller's compliance scope, and the controller must give them specific guidance on how the personal data they process has to be secured.
The GDPR is a data protection regulation that safeguards the personal data of individuals in the EU regardless of where in the world that data is stored or who processes it. It replaced the Data Protection Directive 95/46/EC and harmonizes data protection law across Europe, governing both the processing and the control of personal data. It applies to any entity that holds personal data of people in the EU or monitors their behaviour, and was designed to strengthen individuals' privacy rights and to reshape how organizations across the region approach data privacy.
The GDPR gives organizations a framework for defining and designing their approach to personal data across the whole organization, for realizing the value of that data, and for making the organization fit for a digital and cloud economy. Where personal data is processed on behalf of a data controller, Article 28 of the GDPR requires a written data processing agreement (often attached to the service contract or SLA) that sets out the techniques, processes and responsibilities each party will follow to comply with the GDPR. Concluding such an agreement is a legal obligation; its terms can be adapted to the specific relationship between the controller and the service provider or partner, and it governs all data processed on behalf of the controller.
So that the controller understands the practical consequences of such an agreement, partners and service providers must give it access to their security policies, identify points of contact and explain how communication is handled, and demonstrate how data security technologies such as encryption are actually implemented.
GDPR Compliance Requirements
The GDPR, proposed by the European Commission, was adopted to strengthen data protection for all individuals residing in the European Union (EU). It significantly enhances the protection of their personal data and increases the accountability of organizations that collect or process it. The regulation sets many requirements for data privacy and security and adds severe penalties for violations.
The primary objective of the GDPR is to give individuals back control of their personal data. If you control or process the personal data of people in the EU, whether you are based inside or outside the EU, the GDPR applies to you. If your organization suffers a breach of information assets containing such data, it must notify the competent supervisory authority, where feasible within 72 hours of becoming aware of the breach, and must also inform the affected individuals when the breach is likely to result in a high risk to them. Administrative fines can reach EUR 20 million or 4% of worldwide annual turnover, whichever is higher, on top of the reputational damage. Meeting these obligations requires work in the following areas:
- Strategy and governance by design to manage personal data: Define an overarching privacy program governance structure with clear roles and responsibilities, and appoint a Data Protection Officer (where the GDPR requires one) to coordinate, operate and maintain the program on an ongoing basis.
- Policy management: Define formal privacy policies, procedures and guidelines that are consistent with applicable laws and regulations.
- Data identification, transfer, management and protection: Identify where personal data is located. Define a cross-border data transfer strategy based on current and planned data collection, use and sharing, and keep data flow diagrams current. Create ongoing mechanisms to identify new personal data processing, and use technical and organizational measures and internal controls to safeguard the data.
- Individual rights processing: Enable effective handling of consent and of data subject requests such as access, rectification, erasure and portability.
- Privacy by design: Data protection must be built in at the design stage of any system or process that handles personal data, not bolted on afterwards. The organization should develop a "privacy by design" strategy that incorporates privacy controls and data protection impact assessments throughout the data lifecycle for new and changing uses of data.
- Information security: Identify the existing information protection controls and align security practice with the risk to personal data: vulnerability scanning of assets, network and application penetration testing as applicable, defense in depth with regular firewall rule reviews, network segmentation for assets holding personal data, logging and monitoring, and other information security controls.
- Privacy incident management: Align incident response processes with the GDPR's breach notification requirements and deadlines. Establish a methodical approach to evaluating and reporting potential privacy breaches and incidents.
- Data processor accountability: Establish privacy requirements for third parties to mitigate the risks that come with their access to the organization's information assets and data.
- Training and awareness: Define and implement a training and awareness strategy, at enterprise and individual level, so that employees and contractors know how to handle the personal data of people in the EU.
- Create and maintain a data protection plan: Most companies already have one, but it needs to be reviewed and updated to align with GDPR requirements, and then reviewed and updated periodically.
- Document your GDPR compliance progress: Organizations must be able to demonstrate progress, starting with completing the Record of Processing Activities (RoPA) required by Article 30 of the GDPR, which inventories each processing activity together with its purposes, data categories, recipients, transfers and retention periods, so that they are not an easy target for regulators.
- Set up a process for ongoing assessment: Staying compliant requires monitoring and continuous improvement.
What is SecurWires Offering?
SecurWires Technologies and Services LLP is a PCI SSC Authorized Qualified Security Assessor (QSA) Company, a CIS SecureSuite Member Company and a Member of the Data Security Council of India (DSCI). SecurWires is a pure-play cyber security and information security company dedicated to helping businesses run their cyber security and information security programs more effectively. SecurWires is vendor neutral: we do not resell any software or hardware and always recommend the best solution for the organization. Our professionals provide industry-leading expertise to help organizations meet their evolving data security and privacy needs.
SecurWires advises on industry best practices for implementing security controls that achieve the objectives of the GDPR, including defense in depth across network architecture, application security and IT infrastructure security, policies and procedures for maintaining the security of the data, implementation of privacy principles, incident management, and training and awareness.