
GDPR Data Protection: Who Should Be Responsible

By: Greg Fowlds, CISSP, Security+, ITIL2011, MCSE

March 19, 2018, ©Greg Fowlds All Rights Reserved


Have you heard about the General Data Protection Regulation (GDPR)? News and technical publications talk about the impact the new regulation will have on your organization. Lawyers are talking about litigation protection and cyber-security insurance. Your business plans to be ready for May 25, 2018, the enforcement date; however, where do you place your resources? What is data protection? Do your cyber-security and IT Operations teams take care of GDPR? Understanding the scope of GDPR and knowing your company's responsibilities are needed to focus efforts on the solution.

Enforcement of Regulation (EU) 2016/679 (Official Journal of the European Union, 2016) and administration of fines by supervisory authorities may ensue as early as May 25, 2018. GDPR is different in that it establishes the protection of natural persons' information, in relation to the processing and use of their personal data, as a fundamental right of all persons. Regulation (EU) 2016/679, referred to as GDPR, is not merely a compliance issue; it is European law protecting the rights and freedoms of European citizens (data subjects) who are in the Union. Regardless of where in the world the data controller or data processor is located, the GDPR protects data privacy, including web surfing habits and more. Thus, to ensure adherence to the regulations set forth within the GDPR, companies will need to assemble a team under the direction of a GDPR expert. CISSP-certified GDPR experts bring a comprehensive understanding of cyber-security, risk, compliance, and data protection, and bring together the Security, Development, Operations, Compliance and Legal departments (see Figure 1). A GDPR expert directing the respective responsibilities, guiding procedures, and incorporating GDPR policy into the Corporate Security Policy ensures successful implementation of the new law.

Companies in violation of articles contained within Regulation (EU) 2016/679 after May 25, 2018, risk fines and penalties up to 4% of their annual turnover or €20 million, whichever is higher. While this represents the maximum fine, it is cited here to accentuate the scope of the regulation and the possible consequences. Thus, the regulation carries legal implications, requiring Legal Counsel to be educated in all 99 articles imposed. Expert Legal Counsel knowledgeable in international law competently mitigates issues as they arise. The Legal department interprets controversial articles and questions of applicability within the GDPR.

The compliance department ensures that GDPR compliance is compatible with the already complicated HIPAA, PCI DSS, SOX and other governmentally regulated policies. While GDPR is a European law rather than a compliance standard, a compliance team understands how data privacy integrates with the GDPR. When faced with possible infractions of the GDPR, the compliance team provides solutions through the enforcement of data privacy protection, mitigating potential offenses.

The development team, particularly software and web development, is accountable to the GDPR via “Article 25 Data protection by design and by default” (Official Journal of the European Union, Regulation (EU) 2016/679, Ch. IV, § 1, Art. 25, p. L119/48). It should pay particular attention to “Chapter 3 Rights of the Data Subject” (Official Journal of the European Union, Regulation (EU) 2016/679, Ch. III, § 1, Art. 12-22, p. L119/39), keeping Articles 12-22 in mind when developing any application or data collection routine. The development team gives careful consideration to the information collected, the purpose of the collection, the storage location, and how data arrives at its storage container. Further attention to disaster recovery locations, backup systems, third-party processors, decommissioned data, and processes for erasing/destroying data assists the development team in securing data within regulatory guidelines. Audit compliance of software and web development by the development team increases the necessity for teamwork with the Security, Operations, Compliance, and Legal departments.

Next, the Operations Department assesses the limits of where the data resides and the procedures for rectification of the data. The data subject or supervisory authority may request changes to the data according to the data subject rights, such as the right to be forgotten and the rights of rectification and erasure. In addition to the mapping of data discovered in the development phase, the operations department plays a significant role in the security of data in transit (DIT) and data at rest (DAR). The operations team is responsible for the safekeeping of daily digital data operations, including data transmission to a processor (DIT), and stored data, data backups, disaster recovery sites, and storage data silos (DAR). Other forms of Personally Identifiable Information (PII) include paper files, metadata, data subject agreements, decommissioned data, and end-of-life data awaiting destruction. Protocols require documentation and change control tied to the data mapping, so that operations personnel can contact the data custodian or data owner when a data subject requests rectification or erasure of their data.

However, GDPR is a data protection law. Therefore, projects require GDPR Project Manager Experts, individuals certified in data protection/cyber-security and compliance, to lead the team integrating the GDPR regulation with cyber-security frameworks. The GDPR Project Manager Expert is particularly knowledgeable regarding the 99 articles contained in Regulation (EU) 2016/679. The GDPR Project Manager Expert facilitates the integration of cyber-security frameworks such as the National Institute of Standards and Technology SP 800-53 Rev. 4 (U.S. Department of Commerce, 2013) with the GDPR, streamlining the cyber-security and GDPR efforts. Cyber-security frameworks fall short of covering all the requirements detailed in the 99 articles of the GDPR. However, the GDPR Project Manager Expert understands the optimal starting point of the GDPR program, as well as the necessary flow of program development to meet the scope and budget of the project. No application alone will achieve corporate compliance with GDPR requirements. However, the cyber-security frameworks will help in the effort to become GDPR compliant, with modifications to existing cyber-security policies and procedures.

A final piece of the plan, Training, is vital to the successful implementation of the regulation. The GDPR Project Manager Expert develops a program for training the staff and the Data Protection Officer. Additionally, the GDPR Project Manager Expert monitors the ongoing GDPR compliance user training, consults with all departmental leadership, and collaborates with the legal team should litigation arise. Therefore, it is essential to retain the expertise of a GDPR Project Manager Expert in the development of corporate internal GDPR controls, policies, and procedures.

An interdepartmental approach to the development of the GDPR compliance program strengthens the integrity of the program by providing cooperation throughout the organization. The partnership, grounded in the security department, offers the basis for the entire framework. For other issues, the GDPR Project Manager Expert has the knowledge and guidance necessary to mitigate any GDPR data protection concern, thereby keeping the data protection cycle moving on an annual refresh program.

References

European Parliament and the Council of the European Union, (2016).  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).  Official Journal of the European Union, (L119), 1-88. Retrieved from http://data.europa.eu/eli/reg/2016/679/oj


European Parliament and the Council of the European Union, (2016).  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).  Official Journal of the European Union, (L119) Ch. III, §1, Art. 12 - 22, 39.  Retrieved from http://data.europa.eu/eli/reg/2016/679/oj


European Parliament and the Council of the European Union, (2016).  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).  Official Journal of the European Union, (L119) Ch. 4, §1, Art. 25, 48.  Retrieved from http://data.europa.eu/eli/reg/2016/679/oj

U. S. Department of Commerce, National Institute of Standards and Technology (2013). Security and Privacy Controls for Federal Information Systems and Organizations. NIST Special Publication 800-53 (4). Gaithersburg, MD: National Institute of Standards and Technology.  doi: 10.6028/NIST.SP.800-53r4