The GDPR: Changing how we think about data protection

Cyber Security Month, October 2017

We live in a digital world, with access to information becoming a ubiquitous part of our daily lives. However, because of this unprecedented access, we are increasingly less likely to know where our data is, who is accessing it, what they are using it for, and, most critically in light of several high profile data breaches recently, how organizations are protecting it.

While the Canadian government has responded to these concerns by introducing amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), it is critical that Canadian business owners familiarize themselves with the significant regulatory changes taking place overseas which may also impact their businesses, namely, the European Union’s General Data Protection Regulation (GDPR).

What is the GDPR?

In less than a year (May 25, 2018 to be exact), the European Union’s data protection framework will undergo its most substantial change in over two decades. The GDPR will replace the existing Data Protection Directive (Directive 95/46/EC, or DPD) with a new framework aimed to increase obligations for organizations processing personal information and to strengthen the control EU citizens have over the collection and use of their personal information.

The GDPR outlines the following rights for individuals with respect to their information:[1]

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to be forgotten;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object;
  • the right not to be subject to automated decision-making (such as profiling); and
  • the right to an explanation if an algorithmic decision was made about them

Further information on what these rights entail can be found here.

Why is it relevant to Canadian business owners?

The GDPR is applicable to any organization – no matter where it resides – that handles the personal data of European Union (EU) residents or citizens. Based on the idea that “the protection of natural persons in relation to the processing of personal data is a fundamental right”,[2] the GDPR then “raises the bar”[3] for Canadian organizations that handle or process such data.

Compliance with the Regulation requires organizations to examine their cybersecurity and privacy strategies, policies and procedures to ensure that they have implemented the appropriate controls and safeguards.

GDPR vs. DPD – What’s Changing?

Several key changes and/or enhancements will fundamentally alter the way in which we think about privacy and data protection:

Wider Scope

In addition to covering organizations that may not have operations in the EU but still process information on EU citizens, the GDPR also:

  • Expands the scope of personal information to mean “any information relating to an identified or identifiable natural person”,[4]meaning that data might be considered personal information even if the data controller might not be able to identify an individual themselves using this information or if they have currently classified it as such;
  • Introduces specific provisions related to ‘data processors’ – organizations which may handle information on behalf of, or at the request of, another organization. Not only will data processors be required to abide by the same rules (i.e. implement appropriate safeguards, conduct regular impact assessments, etc.), they will also be subject to the same sanctions as controllers.

Consent

Under the new Regulation, consent must now be “freely given, specific, informed, and unambiguous”[5] in order to be considered valid. This means that implied consent – an important element of the Canadian privacy landscape – may no longer be acceptable under specific circumstances. The GDPR also outlines specific requirements for obtaining consent from children (such as obtaining parental consent).

Data Breach Notification

In light of the increased likelihood of personal information being subject to unauthorized disclosure, the GDPR includes very specific breach notification provisions, meant to act as a standard for all EU organizations regardless of location. The GDPR requires organizations and businesses to:[6]

  • Notify their Supervisory Authority of any breach within 72 hours (where feasible);
  • Notify individuals if their personal information has been lost/stolen/compromised;
  • Maintain records of all breaches and be able to provide said records to the supervisory authority upon request; and
  • Allow their supervisory authority to audit their internal processes and procedures upon request

The Right to be Forgotten

An important change from the DPD to the GDPR is the introduction of the right to erasure or, as it is more commonly known, the right to be forgotten. While this right can only be exercised in limited circumstances, it still provides data subjects with the ability to request deletion of their personal information.

Data Protection Officers

The GDPR requires that all organizations appoint a Data Protection Officer (DPO). According to the Regulation, the DPO must perform the following functions:

  • monitor compliance with the Regulation, including training and awareness for staff;
  • advise on/conduct Privacy Impact Assessments; and
  • act as point of contact with the Supervisory Authority

Accountability & Governance

Under the GDPR, accountability and governance are two fundamental pillars. In order to promote this level of accountability, organizations are expected to be able to show:

  • detailed records of all processing activities;
  • evidence of completion of impact assessments prior to processing;
  • evidence of implementation, testing and evaluation of appropriate security safeguards;
  • appointment of a Data Protection Officer (as noted above);
  • detailed records of any and all data breaches, including notifications to the supervisory authority and/or impacted individuals

What is the risk of non-compliance?

Non-compliance with the GDPR carries with it potential for fines of up to €20,000,000 or 4% of worldwide annual revenue (whichever is higher) based on the specific violation. In addition, the GDPR makes it considerably easier for data subjects (individuals) to bring forward private claims against data controllers and processors. Needless to say, the GDPR and the risks surrounding cybersecurity breaches should be top of mind for any organization that falls under the jurisdiction of the GDPR.

How can you prepare?

According to UK Information Commissioner Elizabeth Denham, “we’re all going to have to change how we think about data protection”.[7] In order to prepare for the GDPR, as an organization, you should:[8]

  1. Engage your organization’s security and privacy leaders
    These individuals will be critical in helping your organization establish its overall compliance strategy, accountability framework, and in identifying any security/privacy gaps within your existing processes. In addition, these individuals can help you identify your supervisory authority under the GDPR and will more than likely act as your organization’s Data Protection Officer (DPO) or support this individual. If your organization doesn’t have such individuals already, find a trusted advisor with these capabilities. Early discussions can help ensure you are on the right path.
  2. Identify and classify sensitive data
    Understanding your data is a crucial first step in protecting it. Only after identifying and classifying such information can your organization assess the applicability of the Regulation (i.e. do you handle personally identifiable information on European Union citizens?), determine the data protection requirements for the data you have, and develop the appropriate response plan should that information ever be compromised. It is also recommended that wherever possible, your organization takes steps to anonymize the personal data in its possession in order to minimize risk.
  3. Review policies, processes and procedures
    Your organization should review its existing privacy, security, and data handling policies, notices, and procedures to ensure they adhere to the requirements outlined in the Regulation (such as how to handle access requests, how to identify your organization’s lawful basis for processing, obtaining appropriate consent, breach notification, etc.). Implementing effective security/privacy policies and plans allows your organization to comply with its (new) legal requirements, while simultaneously reducing overall risk.
  4. Perform Privacy Impact Assessments
    Privacy Impact Assessments (PIAs) can help your organization understand a) what personal information it has; b) why it is being collected; and c) how the information will be collected, processed, and stored. Conducting a PIA helps minimize any privacy risks that may arise in the day-to-day operations of your business and demonstrate that all commercially reasonable efforts have been taken to safeguard the personal information under your control. Also consider implementing Privacy by Design[9] into your day to day operations to institutionalize the proactive identification of any privacy impacts.
  5. Evaluate service providers
    Your organization should review its existing service providers. As “a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors”,[10] it is imperative that you determine whether any of them present an unacceptable level of risk due to a lack of necessary information security controls, policies, and/or procedures. It is also advisable to review your procurement procedures and incorporate cybersecurity/privacy requirements into your selection process and all future service contracts. For existing vendors, it is highly recommended that amendments be made to existing contracts to ensure these new legal requirements have been called out.
  6. Implement a security/privacy awareness training program
    Schedule educational seminars and provide team members with appropriate reference documents and training materials. Employees have a critical role to play when it comes to safeguarding your business and your data. Not only should they have the proper training on how to collect, process, and store information in accordance with the Regulation (and to prevent data breaches), they should also know how to identify and report potential breaches. They are your first line of defense.
  7. Consider Security Information and Event Management (SIEM) solutions
    Security Information and Event Management solutions are designed to support threat detection and incident response through the real-time collection and analysis of security events, while also supporting compliance reporting. As the Regulation requires organizations to maintain records of all breaches, it would be wise for organizations to look to in-house technological solutions or outsourced managed services to assist with their detection and compliance efforts.

How can Richter help?

It’s not too late.  Our GDP Compliance Roadmap below outlines the necessary tasks your organization should complete to become compliant with GDPR.  While the timelines are illustrative, we can work with your organization to assist in accomplishing these tasks in time to become compliant.

GDPR Compliance Roadmap with the necessary tasks an organization should complete to become compliant.

At Richter, we have a team of professionals that possess the right expertise to meet your organization’s needs. We will assign individuals who will be dedicated to delivering solutions that align with your high quality expectations. Our professionals hold relevant professional designations, including:

  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • Certified Information Privacy Professional (CIPP)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Cloud Security Professional (CCSP)
  • Certified Information Systems Auditor (CISA)
  • Chartered Professional Accountant (CPA, CMA)
  • Certified Internal Auditor (CIA)

About Richter

Founded in Montreal in 1926, Richter is a licensed public accounting firm that provides assurance, tax and wealth management services, as well as financial advisory services in the areas of organizational restructuring, transactions, and insolvency, business valuation, corporate finance, litigation support, risk management and cybersecurity, and forensic accounting. Our commitment to excellence, our in-depth understanding of financial issues and our practical problem-solving methods have positioned us as one of the top independent accounting, organizational advisory and consulting firms in the country. Richter has offices in both Toronto and Montreal. Follow us on LinkedIn, Facebook, and Twitter

[1] https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/key-areas-to-consider/

[2] http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

[3] https://www.priv.gc.ca/en/opc-news/speeches/2016/sp-d_20160705/?wbdisable=true

[4] http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

[5] Ibid

[6] Ibid

[7] Quote. Denham, Elizabeth, Information Commissioner, ICO

[8] https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

[9] https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf

[10] http://www.reuters.com/article/us-regulator-cybersecurity-lawsky-idUSKCN0IB03220141022