“The six core principles show us that it is simply to ensure that the personal information and attributes of people, like you and I, are afforded the care and protection they deserve and we expect.” –The Six Commandments of GDPR, Tripwire Blog, March 2017

It is important for organizations to make sense of the GDPR given the steep potential fines for non-compliance. This blog series will provide some guidance on understanding how to respond to the GDPR.

Cloudy and Clear Direction for GDPR

What is interesting about the regulation is the language. In some cases, it is vague and intentionally future-proofing; in other cases, it is very prescriptive. For example, Article 37 states, "The controller and the processor shall designate a data protection officer (DPO) in any case where…." So, hire a data protection officer if your organization meets the criteria. What has been confusing is what organization size is required to appoint a DPO. The regulation alludes to organizations that are "processing on a large scale." Either way, as noted in a recent blog, the DPO is here to stay, whether as a full-time position at a larger and better-resourced organization or as a virtual part-time role for smaller organizations with fewer resources. Article 33 states: "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent." (Meaning a fine is possible if you do not report a data breach within 72 hours.) One phrase recently noted by our experts, “adequate measures,” strongly suggests that monitoring and controls for data processing are needed to ensure the confidentiality and integrity of processing systems and the information they contain. A security strategy should be in place, one that potentially aligns with a security framework and/or standards. For the purposes of this blog series (and yes, a series is needed to discuss this adequately), we will focus on the vague language in the GDPR related to security provisions. Why? Because many folks appear to be struggling with it. A recent IDC survey found that "defining state-of-the-art" was among the top five most challenging GDPR requirements. It is important for all stakeholders to understand each other’s viewpoints so that everyone can become compliant.
This Making Sense of the GDPR blog series will focus on the various points of views on some of the vague language seen in the GDPR:
- Legal Point of View
- Marketing Point of View
- Data Protection Professional Point of View
- Points of View from organizations responding to the regulation
- Viewing the GDPR from a Security Framework Lens
Navigating the Fog

The comprehensive regulation is also riddled with fog, and folks are walking away with very different understandings. Two vague terms appear quite frequently in the GDPR: "appropriate" and "state-of-the-art." We can all look these terms up in a dictionary, but we need to understand what they mean in context. Let’s start this blog series by reviewing the terms as they appear in the regulation itself:

GDPR: Article 32, Security of Processing

"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- (a) the pseudonymisation and encryption of personal data;
- (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."