GDPR Data Protection: Who Should Be Responsible
By: Greg Fowlds, CISSP, Security+, ITIL2011, MCSE
March 19, 2018, ©Greg Fowlds All Rights Reserved
Have you heard about the General Data Protection Regulation (GDPR)? News and technical publications talk about the impact the new regulation will have on your organization. Lawyers are talking about litigation protection and cyber-
Regulation (EU) 2016/679 (Official Journal of the European Union, 2016) applies from May 25, 2018, after which supervisory authorities may begin enforcement and impose administrative fines. GDPR is different in that it treats the protection of natural persons with regard to the processing of their personal data as a fundamental right. Regulation (EU) 2016/679, referred to as GDPR, is not merely a compliance issue; it is European law protecting the rights and freedoms of natural persons who are in the Union (data subjects), whatever their nationality. It can reach a data controller or data processor located anywhere in the world when that organization processes the personal data of data subjects in the Union, for example by monitoring their web surfing habits. Thus, to ensure adherence to the regulation, companies will need to assemble a team under the direction of a GDPR expert. CISSP certified GDPR experts assure knowledge and comprehensive understanding of cyber-
Companies found in violation of the articles of Regulation (EU) 2016/679 after May 25, 2018, risk administrative fines of up to 4% of their total worldwide annual turnover or €20 million, whichever is higher. That is the maximum fine; it is cited here to accentuate the scope of the regulation and the possible consequences. Because the GDPR is law with legal consequences, Legal Counsel must be educated in all 99 of its articles. Expert Legal Counsel knowledgeable in international law competently mitigates issues as they arise, and the Legal department deciphers controversial articles and questions of applicability within the GDPR.
The compliance department ensures that GDPR requirements fit alongside the already complicated HIPAA, PCI DSS, SOX and other regulatory regimes the organization is subject to. While GDPR is law rather than a compliance standard, a compliance team understands how the organization's data privacy practices map onto the GDPR's requirements. When faced with possible infractions of the GDPR, the compliance team provides solutions through the enforcement of data privacy protection, mitigating potential offenses.
The development team, particularly software and web development, is accountable to the GDPR via “Article 25 Data protection by design and by default” (Official Journal of the European Union, Regulation (EU) 2016/679, Ch. IV, § 1, Art. 25, p. L119/48). It must pay particular attention to “Chapter III Rights of the Data Subject” (Official Journal of the European Union, Regulation (EU) 2016/679, Ch. III, § 1, Art. 12 -
Next, the Operations department assesses where the data resides and the procedures for rectifying it. A data subject may exercise rights such as the right to rectification and the right to erasure (the “right to be forgotten”), and a supervisory authority may order the controller to comply with such a request. In addition to the data mapping produced in the development phase, the operations department plays a significant role in the security of data in transit (DIT) and data at rest (DAR). The operations team is responsible for the safekeeping of daily digital data operations, including data transmission to a processor (DIT) and stored data, backups, disaster recovery sites and data storage silos (DAR). Personal data (the GDPR's term; roughly what US practice calls Personally Identifiable Information, PII) also exists outside production systems: paper files, metadata, data subject agreements, decommissioned data and end-of-life data awaiting destruction all have to be accounted for. Documentation and change control must be tied to the data map so that, when a data subject requests rectification or erasure, operations personnel can identify and contact the data custodian or data owner for the affected data.
However, GDPR is a data protection law. Therefore, projects require GDPR Project Manager Experts, individuals certified in data protection/cyber-
A final piece of the plan, training, is vital to the success of the implementation. The GDPR Project Manager Expert develops a program for training the staff and the Data Protection Officer, monitors the ongoing GDPR compliance user training, consults with all departmental leadership, and collaborates with the legal team should litigation arise. It is therefore essential to retain the expertise of a GDPR Project Manager Expert in the development of corporate internal GDPR controls, policies, and procedures.
An interdepartmental approach to developing the GDPR compliance program strengthens the integrity of the program by securing cooperation throughout the organization. The partnership, grounded in the security department, offers the basis for the entire framework. For other issues, the GDPR Project Manager Expert has the knowledge and guidance necessary to mitigate any GDPR data protection concern, keeping the data protection cycle moving on an annual refresh program.
References
European Parliament and the Council of the European Union, (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). Official Journal of the European Union, (L119), 1-
European Parliament and the Council of the European Union, (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). Official Journal of the European Union, (L119) Ch. III, §1, Art. 12 -
European Parliament and the Council of the European Union, (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). Official Journal of the European Union, (L119) Ch. IV, § 1, Art. 25, p. 48. Retrieved from http://data.europa.eu/eli/reg/2016/679/oj
U. S. Department of Commerce, National Institute of Standards and Technology (2013). Security and Privacy Controls for Federal Information Systems and Organizations. NIST Special Publication 800-