General Data Protection Regulation

WHAT IS THE GDPR

Any organisation processing European citizens' data would need to comply with the General Data Protection Regulation (GDPR).

Article 3 of the regulation defines the territorial scope as;

This Regulation applies to the processing of personal data in the context of establishing a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

the monitoring of their behavior as far as their behavior takes place within the Union.

This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

"In July 2019, the ICO announced its intention to issue a
€204,6 million (£183.39 million) fine to the British Airways for violation of Article 31 of the GDPR."

Information Commissioner's Office, https://ico.org.uk

The General Data Protection Regulation sets out seven key principles;

Lawfulness, fairness, and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security
Accountability

These principles should form the core of your data processing policies and approach to handling personal data.

The GDPR defines a mandatory breach disclosure time constraint; a breach must be reported within 72 hours of its discovery. Along with potentially hefty fines of up to 4% of your global turnover for anyone that has not shown due care to their customer's data.

Initially, the GDPR is seemingly void of any mention of penetration testing. However, it does have a statement under Article 32;

"(d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."

Laneden can help build a program of works to help your organisation achieve regular security testing, understand your technical controls' effectiveness, and help ensure security risks are defined, and mitigation understood.

Providing a thorough and independent examination to identify security vulnerabilities within the software, systems, and network configurations.

Laneden can provide an on-site debriefing of the findings explaining how attackers could potentially gain control of your systems and exfiltrate data.

A comprehensive report is written containing an executive summary and is consumable by anyone in the organisation regardless of their technical background.

Along with enough detail to allow you to understand the risks and concise and clear guidance on how to either mitigate or remediate those risks.

"People's personal data is just that - personal.

When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.

That's why the law is clear - when you are entrusted with personal data you must look after it.

Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights. "

ICO|Elizabeth Denham, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/

Methodology

Deliverables

FREQUENTLY ASKED QUESTIONS

WHAT ARE THE KEY GDPR PRINCIPLES

Article 5 of the GDPR sets out seven key principles that lie at the heart of the general data protection regime.

Article 5(1) requires that personal data shall be:

Processed lawfully, fairly, and transparently concerning individuals ('lawfulness, fairness and transparency');

Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes ('purpose limitation');

Adequate, relevant, and limited to what is necessary for relation to the purposes for which they are processed ('data minimisation');

Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');

Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by the GDPR to safeguard the rights and freedoms of individuals ('storage limitation');

Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

Article 5(2) adds that:

The controller shall be responsible for and be able to demonstrate compliance with p

For further details, please refer to the Information Commissioners Office website.

HOW DO I BECOME GDPR COMPLIANT

In 2018, the European Union enacted new legislation to protect its citizens' personal data, potentially affecting every organisation worldwide.
The Information Commissioners Office has suggested the following 12 steps in preparing for GDPR compliance.

Awareness
It would be best to make sure that decision-makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

Information you hold
It would help if you documented what personal data you hold, where it came from, and who you share it with. You may need to organise an information audit.

Communicating privacy information
You should review your current privacy notices and put a plan to make any necessary changes in time for GDPR implementation.

Individuals' rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales, and provide any additional information.

Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it, and update your privacy notice to explain it.

Consent
You should review how you seek, record, and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard.

Children
It would be best if you started thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity.

Data breaches
You should make sure you have the right procedures in place to detect, report, and investigate a personal data breach.

Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the ICO's code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements. It would help if you considered whether you are required to designate a Data Protection Officer formally.

International
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

For further details, please refer to the Information Commissioners Office website.

Professional Services

Get In Touch

Laneden - A Cyber-Security Company | Penetration Testing Services | Social Engineering Security Services | Ethical Hacking Services

Laneden - A Cyber-Security Company | Penetration Testing Services | Social Engineering Security Services | Ethical Hacking Services

0800 043 6967