Personal Data = any combination of items that can uniquely identify an individual.
EU Directive - EU goal, attempt to implement - country chooses how to reach the goal.
EU Regulation - All EU states must follow the law.
Data Controllers - Companies who are responsible for user data they capture (social networks, ecommerce sites, companies, etc...)
Controllers Own the data, are responsible to users, and must implement technical measures and process for managing the data.
Data Processors - third party companies who "Process the data" like ESP's, Marketing Partners, HR Sass partners. They're are responsible to the controller and must implement security measures for safe guarding the data they use. They're required to have written permission to pass any of the controllers data onto additional third parties.
Lots of contracts. Controllers can inspect the property of any processors. Contracts which outline the respective roles and responsibilities state what the controller is responsible for and what the processor can do with that data.
A new Role - DPO Data Protection Officer (Perm position). DPO can't be Controller. They need to have no conflicts of interest.
It can be a side role of someone in the company.
They basically , inform data subjects of their rights and raise awareness. Tell their company about GDPR . Keep a list of actions the company is taking to comply with the rule set. "Help the organisation be accountable to the governing body" = keep the EU informed of any information needed regarding the regulation. Handle complaints and answer questions.
GDPR has 99 articles - article 24 has DPO responsibilities
Implement technical and organizational measures
data mapping process. What we have, why, nature, scope , purpose.
Implement a data protection policy.
Article 40 - Core responsibilites of a data controlller.
- Fair and transparent processing
- Legitimate interests
- Consider Rights
Article 28 - Security Measures, Sub Processors (can only be done by consent), ensure contracts with controllers. Process only inscope data.
Basis for processing data for GDPR.
- Contractual Necessity
- Compliance with legal obligation
- Project vital interest
- Legitimate interest
- Public Interest
Documentation Activities: Data policy impact assessment.
- Data Collection Life Cycle, how is it used? Could the data collected be used outside of it's intended purpose in the future.
- Map the flow of data and determine the appropriate safeguards.
- Nature, Category (digital, physical, database?), Retention policy, location, who's accountable.
Technical Controls (article 32)
- Anonymize and Encrypt Personal Data (In transit and at rest)
- CIA = Confidentiality, Integrity, Availability. (Resilience) : NIST, ISO 2002.
- Critical Security Control
- Ability to restore critical data.
- Regular testing (Restores and Penetration (hacks))
Breach Notification (article 33)
- If data subject privacy is at risk , they need to be notified.
- This could be data spilled, data theft and reasonable belief of breach.
- 72 hours, the data subject needs to be notified.
- Nature of the breach and likely consequences, proposed mitigation.
EU Peoples rights - Access : Article 15, 16
- Data Subjects can access their data for free and within reason.(not too many request)
- Can request to fix inaccurate information. They can put in a request form. Erasure and correction need to be possible by the data controller and the controller is responsible for pushing those request to the processors.
- Right to be forgotten. This is damn near impossible.
- Article 8 : Children under 16. Parental Consent for everything.
- Transfer data from one controller to another with ease.
- Storage on personal devices - the format given to the data subject (user) should be able to fit on a personal device if requested.
- Data Transmission - subject request direct transmission of their data between data controllers. (Does not include inferred or derived data)
In general, there needs to be process put in place to store data, transmit data, notify of breaches, remove data, restore data and transfer user data and notifying users about specific data breaches.