GDPR
GDPR = General Data Protection Regulation
Effective May 25, 2018
The General Data Protection Regulation (GDPR) is a law that deals with data protection for all citizens of the European Union (EU) and the European Economic Area (EEA). The purpose of the law is to give individuals control over the personal information they provide.
Obligations of the data controller
As a data controller, in collaboration with your data processors, you must, among other things, ensure that you:
- Are allowed to process the information that you and your data processors hold (i.e. that you have a processing authorisation)
- Keep a record of your processing activities
- Are able to comply with the rules on data subjects' rights, such as the duty to provide information or the right of access
- Report any breaches to the Danish Data Protection Agency within 72 hours
- Have a data processor agreement with every data processor that processes personal data on your behalf
- Can document to the Danish Data Protection Agency that you have ensured data protection through appropriate technical and organisational measures, so that no unintentional, unreasonable or illegal processing takes place
The 7 data protection principles
1 Transparency and legitimacy:
Personal data must be processed in a lawful and secure manner and must be easily accessible.
Transparency
- It must be communicated how data is collected and how data is used. If data is passed on to third parties, this must be stated.
- Openness and honesty are the key words here.
Justification
- The data controller is open and honest about its function and operation.
- It processes data only in the ways one would expect and does not misuse data.
- It does not use data in ways that are not described or justified.
2 Purpose Limitation:
Data should only be collected and used for the stated purposes.
- The Regulation states that personal data may be collected for specific and explicitly described purposes.
- The privacy terms and conditions must inform the user how extensively data is processed (if data is collected, it must not be passed to sister companies that can use it for marketing).
- However, data may be stored for archiving, statistics, security and historical research (the data must then be pseudonymised and encrypted; these are regarded as valid methods of anonymising data).
3 Data minimization:
Only the data necessary for the processing is collected.
Data collected and processed must be relevant, sufficient and limited. Do not collect more data than is absolutely necessary.
Book example: when applying for a job, it would not be appropriate to ask for health data.
Reference is made to data mapping (chapter 9 in the book); it is not a requirement, but a practical necessity in order to demonstrate the points below.
Data mapping covers:
- That data exists
- Where the data is located
- Under what regulations the data is kept
4 Accuracy:
Users may request that inaccurate personal data be deleted or corrected.
Data must be kept up to date and accurate.
- This ensures that data processing becomes more accurate.
- It requires processes that ensure data is kept up to date (we know this from the emails our service providers send asking us to update the information they hold about us). Inaccuracies can occur, for instance when a buyer has placed an order and changes address afterwards; the data does not then need to be updated unless the buyer places a new order.
- Inaccuracies sometimes have to be kept for the sake of history, for example in the case of a misdiagnosis, as this will be important for future treatment. The track history is saved.
Notice: Recital 71 of the Regulation makes this abundantly clear: 'The data subject must have the right not to be subject to a decision, which may include a measure, which assesses personal aspects relating to him or her and which is based solely on automated processing, and which produces legal effects relating to him or her or similarly significantly affects him or her, such as automatic rejection of an online credit application or e-recruitment practice without any human intervention.' Do not make automated decisions without human involvement.
5 Storage period limitation:
Personal data should only be stored for the period necessary for the purpose of the processing.
- Personal data may not be stored longer than is needed for the purpose for which the data is used.
- How data is stored matters: not which media it is on, but whether it is stored encrypted and whether it exists in multiple instances across multiple databases. If you do not use the data (or cannot justify keeping it), delete it!
- Stored data must be subject to legal and contractual requirements that can demonstrate that data is deleted, and automation should ensure deletion after, e.g., a given period.
- Data that is saved falls under DSAR (Data Subject Access Request), better known as data portability, which ensures that we as customers have access to the stored data.
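Added example, not from the original notes or the book they summarise: a small Python routine that automates the storage limitation described above. It deletes records whose documented purpose has passed its retention period, keeps only a pseudonymised entry for statistics (as the purpose limitation principle allows), refuses records with no documented purpose, and writes a deletion log that the controller can show the supervisory authority. The retention periods, record contents, secret key and the fixed "now" timestamp are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention period per documented processing purpose. Constructed values;
# real periods come from the record of processing activities and the
# legal or contractual requirements that apply.
RETENTION_PERIODS = {
    "order_fulfilment": timedelta(days=365),
    "marketing_consent": timedelta(days=730),
}

# Fixed "now" so the example runs reproducibly offline (constructed).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass
class Record:
    record_id: str
    purpose: str            # must match a key in RETENTION_PERIODS
    created_at: datetime
    personal_data: dict     # the identifiable fields (name, email, ...)


def is_expired(record: Record, now: datetime) -> bool:
    """True when the record is older than its purpose's retention period.
    A purpose that is not documented means the data cannot be justified,
    so we stop rather than silently keep (or silently delete) it."""
    if record.purpose not in RETENTION_PERIODS:
        raise ValueError(f"no documented purpose for {record.record_id!r}: {record.purpose!r}")
    return now - record.created_at > RETENTION_PERIODS[record.purpose]


def pseudonymise(record: Record, secret_key: bytes) -> dict:
    """Keep only what statistics need: a keyed pseudonym (HMAC-SHA256, so it
    cannot be recomputed from the record id without the key), the purpose
    and the month. None of the identifiable fields are copied."""
    token = hmac.new(secret_key, record.record_id.encode(), hashlib.sha256).hexdigest()
    return {
        "pseudonym": token,
        "purpose": record.purpose,
        "month": record.created_at.strftime("%Y-%m"),
    }


def enforce_retention(records, now, secret_key):
    """Split records into kept records, pseudonymised archive entries and a
    deletion log. The log documents that deletion actually happens, which
    is what the accountability principle asks the controller to show."""
    kept, archive, deletion_log = [], [], []
    for record in records:
        if is_expired(record, now):
            archive.append(pseudonymise(record, secret_key))
            deletion_log.append({
                "record_id": record.record_id,
                "purpose": record.purpose,
                "deleted_at": now.isoformat(),
                "reason": "retention period exceeded",
            })
        else:
            kept.append(record)
    return kept, archive, deletion_log


def sample_records():
    """Constructed sample data: A and C are past their retention period, B is not."""
    utc = timezone.utc
    return [
        Record("A", "order_fulfilment", datetime(2022, 6, 1, tzinfo=utc),
               {"name": "Alice Example", "email": "alice@example.com"}),
        Record("B", "order_fulfilment", datetime(2023, 11, 1, tzinfo=utc),
               {"name": "Bob Example", "email": "bob@example.com"}),
        Record("C", "marketing_consent", datetime(2021, 1, 1, tzinfo=utc),
               {"name": "Carol Example", "email": "carol@example.com"}),
    ]


def run_example(secret_key: bytes = b"example-pseudonymisation-key") -> dict:
    kept, archive, deletion_log = enforce_retention(sample_records(), NOW, secret_key)
    return {
        "kept_ids": [r.record_id for r in kept],
        "archive": archive,
        "deleted_ids": [entry["record_id"] for entry in deletion_log],
    }


if __name__ == "__main__":
    result = run_example()
    print("kept:", result["kept_ids"])
    print("deleted:", result["deleted_ids"])
    for entry in result["archive"]:
        print("archived:", entry)
```

The pseudonym is keyed rather than a plain hash of the record id so that someone holding the archive cannot rebuild it from known ids; whether such an archive still counts as personal data is a legal question the notes leave open, and the key must be protected and deleted when the statistics are no longer needed.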
6 Confidentiality and Integrity:
Organizations must protect personal data from unauthorized or illegal processing under the GDPR.
- The most important principle from a financial point of view.
- If a data breach occurs, it is relatively easy to prove that the data was not secured properly: had this been done correctly, the breach would not have occurred in the first place. (In Denmark, it is the Data Inspectorate that assesses this.)
- Companies need to secure data so that it cannot be misused or leaked. For example, data can be encrypted and a log kept of who accesses data at a given time. Integrity must ensure the consistency of data while it is stored.
- Reference is made to the CIA model and ISO 27001 ISMS
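Added example, not from the original notes: a minimal Python store illustrating two of the measures this principle mentions, an integrity check on stored personal data and a log of who accessed which record, when and for what purpose. The integrity tag is an HMAC-SHA256 over the record bound to its id; encryption at rest is left to a vetted cryptography library and is not shown. The record contents, actor names and the key are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone


class IntegrityError(Exception):
    """Raised when a stored record no longer matches its integrity tag."""


class PersonalDataStore:
    """In-memory store that (1) attaches a keyed integrity tag (HMAC-SHA256)
    to every record so that silent modification of stored data is detected,
    and (2) appends an entry to an access log on every read and write,
    recording who accessed which record, when and for what purpose.

    Encryption at rest is deliberately not implemented here; that belongs
    to a vetted library (e.g. an AES-GCM implementation), not to example code.
    """

    def __init__(self, integrity_key: bytes):
        self._key = integrity_key
        self._records = {}      # record_id -> (data, tag)
        self.access_log = []    # append-only list of access events

    def _tag(self, record_id: str, data: dict) -> str:
        # Canonical JSON so the tag does not depend on key order; the record
        # id is bound into the tag so a tag cannot be moved to another record.
        canonical = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
        msg = record_id.encode() + b"\x00" + canonical
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _log(self, actor: str, action: str, record_id: str, purpose: str) -> None:
        self.access_log.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "record_id": record_id,
            "purpose": purpose,
        })

    def put(self, record_id: str, data: dict, actor: str, purpose: str) -> None:
        self._records[record_id] = (dict(data), self._tag(record_id, data))
        self._log(actor, "write", record_id, purpose)

    def get(self, record_id: str, actor: str, purpose: str) -> dict:
        # Log before returning anything, so a failed read is recorded as well.
        self._log(actor, "read", record_id, purpose)
        data, tag = self._records[record_id]
        if not hmac.compare_digest(tag, self._tag(record_id, data)):
            raise IntegrityError(f"record {record_id!r} was modified outside the store")
        return dict(data)


def demo_store() -> PersonalDataStore:
    """Constructed sample: one customer record written by a CRM service."""
    store = PersonalDataStore(integrity_key=b"example-integrity-key")
    store.put("c-1", {"name": "Alice Example", "email": "alice@example.com"},
              actor="crm-service", purpose="order fulfilment")
    return store


def detects_tampering() -> bool:
    """Change the stored data behind the store's back (as a faulty migration
    or direct database edit would) and check that the next read fails."""
    store = demo_store()
    data, _tag = store._records["c-1"]
    data["email"] = "changed@example.com"      # stored tag no longer matches
    try:
        store.get("c-1", actor="support-agent", purpose="handle ticket")
    except IntegrityError:
        return True
    return False


if __name__ == "__main__":
    store = demo_store()
    print(store.get("c-1", actor="support-agent", purpose="handle ticket"))
    for event in store.access_log:
        print(event)
    print("tampering detected:", detects_tampering())
```

In a real system the access log would be written to append-only storage outside the application's own database, so that the same person who alters a record cannot also erase the trace of having read or written it.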
7 Accountability and compliance
- Article 5(2) is short but extremely important: the controller is responsible for, and must be able to demonstrate, compliance with paragraph 1 ("accountability").
- This is the seventh principle, which states that the data controller is responsible for ensuring compliance with the previous six data processing principles and for being able to demonstrate that compliance.
- It also places demands on the controller's own suppliers (read supplier agreements for their compliance with the GDPR rules).
Data subject rights
A few points about the rights of data subjects.
- Duty to provide information
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
- Prohibition of automatic individual decisions and profiling
Duty to provide information
Articles 13 and 14
The data subject has the right to receive information when the data controller collects information. A distinction is made between information obtained directly from the data subject and information received from others than the data subject. In both cases, the data controller has a duty to provide information, unless the data subject already has the information.
Right of access
Article 15
The data subject has the right to obtain the data controller's confirmation as to whether personal data about the data subject are being processed and, where that is the case, the right of access to those data.
Right to rectification
Article 16
The data subject has the right to have incorrect personal data about himself or herself corrected by the data controller without undue delay.
Example: we see this when we have set up a website, or log on to a page after a while and are asked to correct the information, or to check that it is correct.
The right to be forgotten
Article 17 states that the data subject has the right to request that personal data about him / her be deleted if one of several alternative grounds is present.
The "right to be forgotten" was replaced during the negotiations by a less comprehensive "right to erasure".
One of the grounds is that the processing is not lawful, for example that Article 6 (f) of
Right to restriction of processing
The data subject has the right to have the data controller restrict or block the processing of information about the data subject. This must be done by marking the information so that future processing is limited, cf. the definition in Art. 4(3).
The data controller is obliged to restrict/block processing when the data subject disputes the accuracy of the information, in the event of unlawful processing where the data subject does not want deletion, for the establishment of a legal claim, or when the data subject has objected, cf. Art. 18(1)(a)-(d).
Data portability
Article 20
According to the Regulation, the data subject has the right to transfer his or her personal data from one system to another without being hindered by the data controller. There is also a requirement that the information be provided to the data subject in a structured and usable electronic format.
Objection
Article 21
The data subject has the right to object to an otherwise lawful processing if special circumstances so require.
Prohibition of automatic individual decisions and profiling
Article 22
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effect or similarly significantly affects the person concerned, unless the decision is necessary for the conclusion or performance of a contract, is authorised by EU law or the national law of a Member State, or is based on the explicit consent of the data subject.
Article 12:
https://www.retsinformation.dk/eli/lta/2018/502 (Dansk) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679#page=39
The clear and short https://en.wikipedia.org/wiki/Personal Data Regulation
ISO handling: ISO 27701
A relatively new standard, released in August 2019, intended to merge ISO and GDPR better.
The aim is that the ISMS covers GDPR-compliant handling of personal data. The intended application of ISO/IEC 27701 is to extend an existing ISMS with privacy-specific controls and thus create a PIMS (Privacy Information Management System) that enables effective privacy management in an organisation. The DPO (Data Protection Officer) can then provide the necessary documentation that the applicable privacy requirements are met.
- The PIMS framework may look like an ISMS.
- An ISMS targets several focus areas.
- A PIMS targets only personal data processing.
- A PIMS must support the core components of a privacy framework.
Data breach through GDPR's eyes
A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is transmitted, stored or otherwise processed.
GDPR does not focus on other breaches, only on loss of privacy.
Anatomy of data breach
Data can be transmitted online and via TOR (see Darknet); data can be corrupted or made inaccurate/altered. In other words, a breach of the CIA model.
Data breaches do not happen by themselves: they occur because vulnerabilities or threats were overlooked (angry employees who destroy data or abuse their rights), or because vulnerabilities were overlooked, ignored or unknown.
Data Mapping
GDPR does not directly require data mapping. It is considered a "best practice" to have a mapping of data, as it can be a difficult exercise to get an overview of data without one.
As the book describes, "you cannot protect what you do not know"; here are 3 definitions:
- That data exists
- Where it is
- Under what guidelines it is stored
This will be a difficult task if you have not examined your data before.
The 4 elements of data flow
Data items: the information itself and/or a data set.
Format: how is the data stored? USB, cloud storage, etc.
Transfer methods: transfer of data from A to B, how the data is transported and with which encryption.
Locations: where is the data physically located?
Data mapping is significant in relation to DPIA and risk assessment, as it tells us about the areas where we need to be vigilant.
ISO 27701: 2013
GDPR proposes to introduce a PIMS (Personal Information Management System). There is an explicit requirement that organisations must have the following in place:
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing
This really means that organisations need to integrate data protection and privacy, which requires a more comprehensive approach to information security for companies operating processing systems and services: security, continuity and continuous security testing (primarily in the form of penetration testing). This is where ISO 27001 comes in.