Organisations worldwide, not only in Europe, are looking toward strong and unified data security under the General Data Protection Regulation (GDPR), especially where personal data is exported to countries outside the EU, and GDPR compliance is now an essential consideration for businesses.
The fundamental objective that drives the GDPR is to give individuals back control over how their personal data is managed and used. The GDPR brings consistency to the nationally varying European data protection laws that preceded it.
Requirements for GDPR compliance
GDPR compliance has extensive consequences for organisations and businesses worldwide, including in the U.S., where the Safe Harbour framework for EU-U.S. data transfers was invalidated by the Court of Justice of the EU in 2015. U.S. businesses that transfer or handle the personal data of individuals in the EU must comply with the GDPR or face its sanctions.
What follows a personal data breach under the GDPR depends on its severity, but you need to be aware of what is required of you:
- Your organisation must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to them, the individuals (data subjects) whose data was affected must be notified as well.
- Depending on the severity of the breach, your organisation may receive a GDPR fine of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
- There are exceptions to this under the GDPR, and they turn on whether adequate security measures were in place.
If the breached data was protected by a measure such as encryption that renders it unintelligible to anyone without the key, the notification to the affected individuals is not required. The likelihood of financial penalties after a breach is also lower if such measures were in place. The GDPR mentions encryption only in passing, but its benefits for compliance make it an unavoidable part of keeping data safe under GDPR-compliant policies.
Encryption transforms data into an unintelligible form that can be restored only by decryption with the correct key; it is an application of cryptography, the same field that underpins blockchain transactions. Under the GDPR, encryption is not mandatory, but it is a valuable data protection method. The regulation is also not static: guidance on it will develop alongside the design of new technologies, cloud computing in particular.
GDPR compliance is predicated on 7 key principles. We can break these down to improve your understanding of the subject by highlighting what each of these principles entails.
These are as follows:
- Lawfulness, fairness and transparency
- All personal data that is collected, processed and stored must be collected, stored, used and processed lawfully. It must not be used for illegal or unlawful purposes, and its use must be fair and transparent to the individual.
- Purpose limitation
- Personal data must be collected for specified, explicit purposes and used only for those purposes. Once the original purpose has been met it should not be kept, and if it is to be reused for a different, incompatible purpose, a new lawful basis such as fresh consent must be obtained.
- Data minimisation
- The amount of data collected must be limited. An organisation collecting and processing personal data must ensure that it collects only what is strictly necessary for the stated purpose. Personal data that is not actually needed should not be collected or stored.
- Accuracy
- Personal data must be accurate and, where necessary, kept up to date. It must not be distorted or presented misleadingly to suit the needs of the collector.
- Storage limitation
- Personal data must be kept in identifiable form for no longer than necessary for its purpose. The retention period must be defined in advance and the data securely erased when it expires.
- Integrity and confidentiality (security)
- The integrity and confidentiality of personal data must be protected by appropriate technical and organisational measures, such as pseudonymisation and encryption, against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Accountability
- The organisation (the controller) is responsible for compliance with the principles above and must be able to demonstrate it, for example by documenting its processing, applying its policies in practice and being able to honour requests from data subjects about their data in a timely fashion.
The above principles can be broken down into actionable and achievable goals. Seers has developed a simple route to GDPR compliance: its assessments and certifications toolkit identifies the key risks and recommends how to mitigate them.
However, the fact that encryption is not mandatory is often missed by businesses that are told it is an obligation, and that then find themselves on the receiving end of a hard sell for encryption software. Although there is no strict requirement to use encryption for data protection, doing so is a good idea, since data protection, GDPR compliance and ePrivacy will continue to evolve case by case as breaches occur and new technologies develop.
Encryption has to be regarded as an important weapon against security breaches, and its role will grow as data protection advances. The GDPR itself mentions encryption on only four occasions; the clearest statement is in Recital 83:
“In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption”.
Businesses that store or manage personal data in any way are now subject to very strict controls under the GDPR, the most comprehensive overhaul of privacy legislation in EU history. Its impact reaches all businesses and industries, from banks and hospitals to corner shops and fitness centres, all of which must ensure they are compliant.
There are many ways to protect not only your customers, employees and any third party whose personal information you hold, but also your business from incurring huge penalties.
- Pseudonymisation replaces directly identifying data such as names, addresses and dates of birth with substitute values that look similar but do not by themselves reveal who a real individual is. The information needed to reverse the substitution (a key or lookup table) is kept separately, and because it exists, pseudonymised data still counts as personal data under the GDPR, unlike truly anonymised data.
- Pseudonymisation is very helpful to organisations that want to collect personal data for surveys and statistics without handling specific information about individuals, and it reduces their exposure under the GDPR.
Banks are using this concept to good effect. Dutch bank Rabobank, for example, used pseudonymisation to modernise a payment system with IBM cryptography software called the “High Assurance Desensitisation Engine” (the name alone should reassure organisations that wish to safeguard their customers' data).
By pseudonymising essential data such as names, dates of birth and account numbers before building payment forms, the bank was able to adapt its existing software rather than develop new software. IBM's tool replaces each value with a string of letters and digits, derived using keys and hashes, that behaves like the original value when run through the bank's existing software.
The bank alone holds the key needed to map those strings back to the original data, and that key is never seen by anyone outside the bank.
Pseudonymisation therefore lets companies process personal data in a way that supports GDPR compliance and protects them from incurring penalties.
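To make the mechanism concrete, here is an added example in Go (illustrative code written for this page, not code from the page, IBM or Rabobank) of a keyed pseudonymiser. It assumes a constructed ledger with invented names and account numbers and a constructed demo key; the tokens are HMAC-SHA256 values truncated to 16 hex characters, an assumption chosen so they fit existing fixed-width fields. It shows the three properties the text relies on: the same customer always maps to the same token, so totals can still be computed on the pseudonymised data; a different key gives unrelated tokens; and only the holder of the key and its index can map a token back to a person.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is a constructed ledger row of the kind a payment system holds.
type Record struct {
	Name    string // direct identifier
	Account string // direct identifier
	Amount  int    // attribute that analytics still needs
}

// Pseudonymiser replaces direct identifiers with keyed HMAC-SHA256 tokens.
// The key plus the index are the "additional information" of GDPR Art. 4(5):
// whoever holds them can link a token back to a person, so they must be kept
// separately from the pseudonymised dataset (here: by the bank only).
type Pseudonymiser struct {
	key   []byte
	index map[string]string // token -> original value (re-identification table)
}

func NewPseudonymiser(key []byte) *Pseudonymiser {
	return &Pseudonymiser{key: key, index: make(map[string]string)}
}

// Token returns a deterministic pseudonym for value. The field name is mixed
// into the MAC so the same string used as a name and as an account number
// yields different tokens; whitespace and case are normalised so that
// "Alice Example" and " alice example " join to the same token.
func (p *Pseudonymiser) Token(field, value string) string {
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte(field + ":" + strings.ToLower(strings.TrimSpace(value))))
	// 16 hex chars (64 bits) keeps tokens short enough for existing
	// fixed-width fields; collisions are negligible at ledger scale.
	tok := hex.EncodeToString(mac.Sum(nil))[:16]
	if _, seen := p.index[tok]; !seen {
		p.index[tok] = value // remember the first spelling seen
	}
	return tok
}

// Reidentify maps a token back to the original value. Only the holder of the
// index (the key holder) can do this; a recipient of the dataset cannot.
func (p *Pseudonymiser) Reidentify(token string) (string, bool) {
	v, ok := p.index[token]
	return v, ok
}

// PseudonymiseLedger returns a copy of recs with identifiers replaced;
// amounts are left intact so the data still behaves like the original.
func PseudonymiseLedger(p *Pseudonymiser, recs []Record) []Record {
	out := make([]Record, len(recs))
	for i, r := range recs {
		out[i] = Record{
			Name:    p.Token("name", r.Name),
			Account: p.Token("account", r.Account),
			Amount:  r.Amount,
		}
	}
	return out
}

// TotalsByCustomer aggregates amounts per (pseudonymised) customer name,
// showing that statistics work on the pseudonymised data without the key.
func TotalsByCustomer(recs []Record) map[string]int {
	totals := make(map[string]int)
	for _, r := range recs {
		totals[r.Name] += r.Amount
	}
	return totals
}

// SampleLedger is constructed demo data; the names and account numbers are
// invented and do not belong to real people.
func SampleLedger() []Record {
	return []Record{
		{"Alice Example", "NL00DEMO0000000001", 120},
		{"Bob Sample", "NL00DEMO0000000002", 45},
		{" alice example ", "NL00DEMO0000000001", 30},
		{"Carol Demo", "NL00DEMO0000000003", 80},
	}
}

func main() {
	// Constructed demo key; in production it would come from crypto/rand
	// and be held in an HSM or key-management service.
	bank := NewPseudonymiser([]byte("constructed-demo-key-do-not-reuse"))
	pseudo := PseudonymiseLedger(bank, SampleLedger())
	for tok, total := range TotalsByCustomer(pseudo) {
		orig, _ := bank.Reidentify(tok)
		fmt.Printf("%s total=%d (bank can map back to %q)\n", tok, total, orig)
	}
}
```

Because the tokens remain linkable to individuals by whoever holds the key, this output is pseudonymised rather than anonymised and is still personal data under the GDPR; the key and index belong in a separate system with their own access controls.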
Truata, a trust company set up by IBM and Mastercard, acts as a conduit for third-party businesses that wish to analyse their data and establish that they comply with the General Data Protection Regulation (GDPR).
A survey report by Solix revealed that fewer than half of firms could assure that they were GDPR compliant before 25 May 2018. With personal data an integral component of most businesses and the key to successful marketing and advertising, it is essential that there is an element of control, and more than mere adblockers!
Truata has therefore set itself up as an independent provider of compliance analytics and is attracting interest, mainly from larger companies. An online company passes its customer list to Truata, after first anonymising the list with IBM technology, so that the list can be stored and analysed by Truata.
There are many options for analytical reporting on the data, including Truata's own analytical front-end tools, or an interface that lets the client carry out the analytics itself. Other options include requesting algorithms or model code to be used alongside the client's own tools for analysing the data.
There has been speculation that moving personal data outside the boundaries of an organisation risks privacy breaches, the very antithesis of the GDPR, but IBM is keen to dispel such concerns, emphasising that the trust operates with security foremost and conforms to the guidelines set down by the Article 29 Data Protection Working Party.
Pseudonymisation, then, is one tool that lets companies process personal data in a way that complies with the GDPR where privacy restrictions would previously have disallowed it. Encryption is the other, and it needs to cover personal data wherever it is:
- Data at rest, including personal data in storage, archives, reference files, files on hard drives, servers and storage area networks, and files held by off-site backup service providers. Encryption, and the access control around it, must apply wherever the personal data is held.
- Data in motion, including email and any other transport of personal data: encryption is necessary so that data traversing networks cannot be read or intercepted.
- In addition to encryption, strong key and data management is needed, not only to protect the encrypted data but to prevent unauthorised retention of personal data, in line with the individual's legal right to have their data completely erased and “forgotten.”
- Businesses will also be required to verify the identity and legitimacy of anyone requesting access and to show that strict security controls are in place, in line with the GDPR's compliance management requirements.
Articles 5, 25 and 32 of the General Data Protection Regulation (GDPR) make clear that only authorised users may access personal data, and only when appropriate. For GDPR compliance, businesses are expected to be fully in control of any personal data they hold or process and to keep it accurate.
Businesses are urged to keep personal data in an unreadable form wherever possible, and encryption is one way to do this. Properly applied, encryption prevents anyone without the key from identifying individuals through their personal data and, with authenticated encryption, from manipulating it undetected.
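The following added example (illustrative Go written for this page, not code from the page or from any vendor it names) shows how the data-at-rest and erasure points above fit together. It assumes a design in which each data subject's records are encrypted with AES-256-GCM under that subject's own key, and a deletion request is honoured by destroying the key (crypto-shredding), so that copies lingering in archives and off-site backups become unreadable without having to be located one by one. The vault, the subject IDs and the sample records are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrErased is returned once a subject's key has been destroyed.
var ErrErased = errors.New("subject key destroyed; stored data is unrecoverable")

// Vault keeps personal data encrypted at rest with AES-256-GCM under a
// per-subject data-encryption key. Erasure is done by destroying that key
// (crypto-shredding): every ciphertext for the subject, including copies in
// archives and off-site backups, becomes unreadable. This is an assumed
// design for illustration, not a description of any product named above.
type Vault struct {
	keys    map[string][]byte   // subject ID -> key; in production held in a KMS/HSM, apart from the data store
	records map[string][][]byte // subject ID -> nonce || ciphertext || tag
}

func NewVault() *Vault {
	return &Vault{keys: make(map[string][]byte), records: make(map[string][][]byte)}
}

// aeadFor builds the AES-GCM instance for a subject, generating a fresh
// 256-bit key on first use when create is set.
func (v *Vault) aeadFor(subject string, create bool) (cipher.AEAD, error) {
	key, ok := v.keys[subject]
	if !ok {
		if !create {
			return nil, ErrErased
		}
		key = make([]byte, 32)
		if _, err := io.ReadFull(rand.Reader, key); err != nil {
			return nil, err
		}
		v.keys[subject] = key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts one record for subject. The subject ID is bound in as
// additional authenticated data, so a ciphertext moved into another
// subject's slot fails to decrypt.
func (v *Vault) Store(subject string, plaintext []byte) error {
	aead, err := v.aeadFor(subject, true)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	ct := aead.Seal(nonce, nonce, plaintext, []byte(subject)) // nonce prefixed to ciphertext
	v.records[subject] = append(v.records[subject], ct)
	return nil
}

// Read decrypts and authenticates every record for subject. Any bit flipped
// in storage makes Open fail, so manipulation of data at rest is detected.
func (v *Vault) Read(subject string) ([][]byte, error) {
	aead, err := v.aeadFor(subject, false)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	var out [][]byte
	for _, ct := range v.records[subject] {
		if len(ct) < ns {
			return nil, errors.New("truncated record")
		}
		pt, err := aead.Open(nil, ct[:ns], ct[ns:], []byte(subject))
		if err != nil {
			return nil, fmt.Errorf("record integrity check failed: %w", err)
		}
		out = append(out, pt)
	}
	return out, nil
}

// Erase honours a deletion request by zeroing and discarding the key. The
// ciphertexts are deliberately left in place to show they are now just
// noise; a real system would also schedule their removal.
func (v *Vault) Erase(subject string) {
	if key, ok := v.keys[subject]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(v.keys, subject)
	}
}

// StoredCiphertexts reports how many encrypted records remain for subject.
func (v *Vault) StoredCiphertexts(subject string) int {
	return len(v.records[subject])
}

func main() {
	v := NewVault()
	// Constructed sample records; the person is invented.
	_ = v.Store("subject-42", []byte(`{"name":"Alice Example","dob":"1980-01-01"}`))
	_ = v.Store("subject-42", []byte(`{"iban":"NL00DEMO0000000001"}`))
	if recs, err := v.Read("subject-42"); err == nil {
		fmt.Printf("before erasure: %d readable records\n", len(recs))
	}
	v.Erase("subject-42")
	_, err := v.Read("subject-42")
	fmt.Printf("after erasure: %d ciphertexts still on disk, read error: %v\n",
		v.StoredCiphertexts("subject-42"), err)
}
```

Authenticated encryption is what makes the integrity point real: a modified ciphertext fails to decrypt instead of yielding a subtly altered record. In a real deployment the key map would live in a KMS or HSM separate from the data store, and data in motion would get the equivalent protection from TLS between services.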
Further security measures recommended for GDPR compliance include multi-factor authentication (MFA), already popular with services such as Facebook and Google and sometimes referred to as two-step verification. Its proponents argue that moving away from password-only verification greatly reduces online fraud and identity theft, and there is no denying that MFA is far superior to passwords alone.
Some companies, however, dislike the burden it can place on the end user. There are flexible and adaptable solutions, such as biometric authentication, that do not compromise business activities.
Biometric authentication verifies an individual's identity from data unique to that individual. According to a recent Spiceworks survey, almost 90% of firms will be using biometrics by 2020.
This ever more sophisticated trend in authenticating individuals has caused some controversy, especially around the launch of the Apple iPhone X's facial recognition functionality. Fundamentally, the question being asked is “Who are you?”
The next question is “How will such sensitive and private data be protected?” The General Data Protection Regulation (GDPR) accordingly gives biometric data even more stringent protection, treating it as a special category of personal data. Because the field is young and will advance, the GDPR defines biometric data as broadly as possible, ensuring that this type of data is subject to stringent processing controls and impact assessments now and in the future.
After all, the data is very personal; it may involve:
- A photo of a face.
- A record of a voice.
- An image of a fingerprint.
Each of these will be compared against the biometric data of many other individuals stored in a database. Very sensitive indeed!
A further category of biometrics is behavioural rather than physiological data. Behavioural data is a less precise identifier, because a behaviour such as a particular gait, lip motion or typing rhythm is not usually unique to one person and could be attributed to many.
Any organisation actively using physiological or behavioural biometric data should look carefully at, and define exactly, what personal data is being processed and to what end. It is important to be proactive and to put measures in place to ensure that such processing is justified and that the relevant consent and contracts are correctly in place.
Any organisation processing, or contemplating processing, biometric data will also need to keep abreast of developments in this rapidly advancing field of technology. Because of the extreme sensitivity of such data, the General Data Protection Regulation (GDPR) requires data controllers to carry out data protection impact assessments before high-risk processing and to keep them under review, so that the privacy risks to the individuals whose data is held are identified and mitigated.
This is pertinent for organisations continually developing new technologies around biometric data, and wherever biometric data is collected and used on a large scale or in public settings, such as the retail or fitness sector, where facial recognition is becoming more common. In such circumstances data controllers must be fully aware of the processing risks involved and able to implement tailored measures that reduce them to the bare minimum. They also need to ensure that staff are fully trained on the GDPR.
Showing integrity as a business matters under the GDPR, and your customers, employees and any other third parties whose personal data you hold will trust your organisation more when they can see it is doing its utmost to protect that data. For this reason, GDPR compliance is an essential part of your business for the foreseeable future. Ensure that your policies, processes and procedures are GDPR compliant, that your website uses a GDPR-compliant cookie consent banner, and that your staff are fully trained on the GDPR.
If you need tailored advice to help you become GDPR compliant then Seers can help you with our team of privacy experts.