Data protection is in the news daily. Reports on data breaches are common and the damages involved are substantial, in the Philippines, in the European Union, the United States and in other important partner countries of the Philippines. In most of these cases we are talking about a combination of a data-privacy breach and a cybersecurity breach. More specifically, let us look at the incoming law in the EU, which, as you will see, is not far removed from the data-privacy law of the Philippines.
The General Data Protection Regulation (GDPR) in the European Union is a sweeping new law that applies to all companies that collect and process personal data of individuals located in the EU (often loosely described as "EU citizens"), even if the processing is done outside of the EU. This includes companies with operations in the European Union and/or a web site or app that collects and processes the personal data of people in the EU.
Key areas of the legislation cover privacy rights, data security, data control and governance. The good news is that the law will be essentially identical in all 28 EU member-states, meaning companies only have to comply with one standard. However, the bar is set high and wide, forcing most companies to invest considerable resources in becoming compliant.
Failure to comply with GDPR could result in a hefty fine. For the most serious infringements, the penalty could be up to €20 million or 4 percent of an enterprise’s total worldwide annual turnover, whichever is higher. Putting that in perspective: a large enterprise could be fined hundreds of millions of euros for a single breach.
In addition, two pain points are conspicuous: a requirement to notify the supervisory authority within 72 hours of becoming aware of a personal-data breach, and another to demonstrate that your company’s security measures are appropriate to the risk, taking into account the state of the art.
It is important to note in this context that the Philippine Data Privacy Act is imposing similar pressure/regulation on local companies! Are you ready?
What is mandated?
Data control
To preserve subjects’ privacy, organizations must:
■ Only process data for authorized purposes;
■ Ensure data accuracy and integrity;
■ Minimize the exposure of subject identities; and
■ Implement data security measures.
Data security
Data security goes hand-in-hand with data control. The regulation puts security at the service of privacy. To preserve subjects’ privacy, organizations must implement:
■ Safeguards whenever data is kept for additional processing;
■ Data-protection measures by default;
■ Security as a contractual requirement on partners and processors; and
■ Protections based on risk assessment, including encryption.
Right to erasure
Subject data cannot be kept indefinitely. The regulation requires organizations to completely erase data from all repositories when:
■ Data subjects revoke their consent;
■ A partner organization that shared the data requests its deletion; or
■ A service or agreement comes to an end and the data is no longer needed for the purpose it was collected for.
It is worth noting, however, that subjects do not enjoy a carte-blanche right to have their data erased. If there are legal grounds, specified in the regulation, an organization can retain and process a subject’s data. The exceptions are few, however.
Risk mitigation and due diligence
Organizations must assess the risks to privacy and security, and demonstrate that they’re mitigating them. This requires that they:
■ Conduct a full risk assessment;
■ Implement measures to ensure and demonstrate compliance;
■ Proactively help third-party customers and partners to comply; and
■ Prove full data control.
Breach notification
When a security breach threatens the rights and privacy of a data subject or subjects, organizations must:
■ Notify the supervisory authority within 72 hours of becoming aware of the breach;
■ Describe the likely consequences of the breach and the measures taken to address it; and
■ Communicate the breach directly to all affected subjects where it is likely to result in a high risk to them.
Six steps to data-protection compliance:
- Understand the law—Know your obligations under GDPR as they relate to collecting, processing and storing data, including the legislation’s many special categories of data.
- Create a road map—Perform data discovery and document everything—research, findings, decisions, actions and the risks to data.
- Know which data is regulated—First, determine whether data falls under a GDPR special category. Then, record who has access to each type of data, who the data is shared with and which applications process it.
- Begin with critical data and procedures—Assess the risks to all personal data, and review policies and procedures. Apply security measures first to production data containing core assets, and then extend those measures to backups and other repositories.
- Assess and document other risks—Investigate any other risks to data not included in previous assessments.
- Revise and repeat—Repeat steps four to six, and adjust findings where necessary.
For chief security officers, the GDPR and the Philippine Data Privacy Act both require an upgrade of the organization’s security capabilities, to meet the regulations’ requirements and to improve overall security vis-à-vis data confidentiality and privacy.
If companies need assistance, we have a compliance team in place to assist in data-privacy protection and in cybersecurity/cybercrime—please contact Schumacher@eitsc.com.
Flashback: On July 11 I wrote about ‘Open Government Partnership – Part of Fighting Corruption’ and made extensive reference to reports prepared by the Independent Reporting Mechanism (IRM) of the local Open Government Partnership implementation group. The reason why I used the IRM source is that the Integrity Initiative is part of the Civil Society Groups supporting the OGP Program and the reporting of the IRM. In fact, the Integrity Initiative has added progress information to the latest IRM report.