The European Union’s General Data Protection Regulation (GDPR), one of the strictest data-protection regimes to date, comes into effect May 25, 2018. Even if your Canadian organization is already PIPEDA-compliant, you will have to step up your data security and privacy practices to meet the broader scope of this new regulation.
In this article, we’ll outline some differences between the GDPR and PIPEDA, what steps PIPEDA-compliant organizations have to take to ensure GDPR compliance, and how the GDPR will affect IT departments.
Why should I be concerned about the GDPR?
If your business is established in the EU, or offers goods or services to individuals in the EU or monitors their behaviour (regardless of where the business itself is located), it is subject to the GDPR. Note that the regulation protects individuals in the EU, not only EU citizens.
How will the GDPR affect my business?
The GDPR defines personal data as any information relating to an identified or identifiable natural person. This includes obvious identifiers such as a name, photo, email address or bank details, but also social-media posts, location data, medical information and online identifiers such as an IP address.
Under the GDPR, organizations can no longer treat their databases of personal information on customers, vendors, employees, partners and other individuals as freely usable: each processing activity needs a lawful basis and a stated purpose. Organizations that rely on such databases for marketing, or that process personal data for activities such as calculating individual credit scores, should expect closer scrutiny because of the sensitivity of the data they hold.
Penalties for non-compliance include administrative fines of up to 20 million euros or four percent of annual global turnover, whichever is higher. Member States may also impose further penalties, including criminal sanctions, under their own laws. And don’t forget the reputational damage.
What role does my IT department play in all of this?
The recent rise in data breaches and data theft has moved information security to the front of every IT strategy, and it is the IT team that is responsible for securing personal data in practice. Decisions that used to be purely operational, such as choosing between agent-based and agentless deployments or cloud and on-premises hosting, are now made with their security implications for company data in mind.
The GDPR requires organizations to be able to demonstrate compliance (the accountability principle, Article 5(2)) and to keep records of their processing activities (Article 30), which must be made available to the supervisory authority on request. In practice, that means IT teams need an audit trail of what happens to stored personal data: who created, accessed, modified or deleted it, and when. Those events have to be collected, processed, reported on and retained.
The GDPR also requires organizations to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to inform the affected data subjects without undue delay when the breach is likely to result in a high risk to them. This puts pressure on IT departments to monitor around the clock and to have plans in place to prevent and contain damage.
Isn’t complying with PIPEDA enough? Why do I have to comply with the GDPR too?
Thanks to PIPEDA, the European Commission has granted Canada an adequacy decision that covers commercial organizations subject to PIPEDA (often described as “partial adequacy”), so those organizations can keep receiving personal data transfers from the EU after the GDPR takes effect. Adequacy only eases transfers, however; the GDPR itself still applies whenever you process the personal data of individuals in the EU in the circumstances described above. Let’s look at what IT departments in Canada have to do to ensure GDPR compliance.
Both PIPEDA and the GDPR give individuals the right to access the personal information an organization holds about them. The GDPR goes further with the right to data portability (Article 20): people can receive their data in a structured, commonly used and machine-readable format and have it transmitted to another data controller. No clause in PIPEDA specifies anything comparable: individuals can access their information, but organizations are not required to make it easily portable.
The GDPR’s data portability requirement means organizations need to improve how they store personal information so that it is not only easy to locate but can also be exported in a common, machine-readable format such as CSV, JSON or XML.
Making information easy for individuals to retrieve must not make it easy for anyone else to retrieve. Access portals and export features need stronger identity checks before data is released, sound password policies, and tools that log who requested what. Organizations will roll out new applications to serve these requests, and IT teams should prepare to support and monitor them so that access requests can be handled without hurting the performance of the rest of the environment.
Right to be forgotten
PIPEDA specifically requires organizations to retain personal information only as long as necessary to fulfil the purposes for which it was collected, so data must be disposed of once the purpose for collecting, holding or processing it is over. Article 17 of the GDPR goes further: the right to erasure lets data subjects demand that an organization delete their data.
Under the GDPR, a data subject can request erasure when, among other grounds, the data is no longer needed for its original purpose, the individual withdraws consent and there is no other legal basis for processing, or the data was processed unlawfully. The data controller must then erase the data from its own records and, where the data has been shared with other recipients, inform them of the erasure. Where the data has been made public, the controller must also take reasonable steps to tell other controllers processing it that the data subject has requested erasure of links to and copies of it. For data that has been made public, this can be an especially cumbersome process.
While the data controller is accountable for the erasure itself, it is the IT team that has to know who has access to personal data, what is happening in business-critical files and folders, who created, modified or deleted information in them, and when each event took place. That is what keeps the organization secure and audit-ready. With that trail in place, the team can see how many users have accessed a file and drill down to find out whether the data was copied or used elsewhere. Delete events in particular have to be monitored, which is why many teams invest in tools that audit and report on them.
Data breach reporting
PIPEDA’s breach-of-security-safeguards provisions, added by the Digital Privacy Act and in force from November 1, 2018, require organizations to report a breach to the Office of the Privacy Commissioner of Canada if it is reasonable to believe the breach creates a real risk of significant harm to the individuals involved, to notify those individuals, and to take steps to mitigate the damage. PIPEDA does not set a fixed deadline; it states that “the notification shall be given as soon as feasible after the organization determines that the breach has occurred.” The GDPR, by contrast, requires notification of the supervisory authority within 72 hours of becoming aware of the breach (Article 33) and notification of affected individuals without undue delay when the breach is likely to result in a high risk to them (Article 34).
The rise in data breaches and ransomware has pushed security to the centre of attention. IT teams now need to monitor, log and analyze user activity so that suspicious actions are identified as they happen, and they are looking for faster breach identification and resolution to meet the GDPR’s 72-hour deadline. A strong, flexible SIEM that correlates events and alerts in real time helps here. Be realistic about what it does, though: a SIEM helps you detect, scope and investigate an incident and trace the accounts and hosts involved; containment steps such as isolating systems and resetting credentials still need a response plan and people to carry it out.
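To make the audit-trail and detection points of the last two sections concrete, here is an added example (not ManageEngine code and not part of the original article) that parses a constructed file-activity log, answers the drill-down question “who touched this file, and how?”, flags a burst of delete events by one user, and computes the Article 33 deadline from the moment the alert fires. The log format, file paths, usernames and the three-deletes-in-five-minutes threshold are all assumptions made for the illustration.

```python
"""
Added illustration: minimal file-activity audit over constructed log lines.
Not ManageEngine code. The log format, paths, users and thresholds are
assumptions; a real deployment would read these events from the file
server's audit subsystem or a SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample audit trail (not real data). Assumed line format:
# <ISO-8601 UTC timestamp> user=<name> action=<CREATE|READ|MODIFY|DELETE> path=<file>
SAMPLE_LOG = """\
2018-05-10T09:14:02Z user=alice action=READ path=/hr/employees.csv
2018-05-10T09:20:45Z user=bob action=MODIFY path=/hr/employees.csv
2018-05-10T09:21:10Z user=bob action=CREATE path=/hr/employees_copy.csv
2018-05-10T10:02:00Z user=carol action=READ path=/crm/customers.db
2018-05-10T22:15:01Z user=mallory action=DELETE path=/crm/customers.db
2018-05-10T22:15:03Z user=mallory action=DELETE path=/crm/invoices.db
2018-05-10T22:15:05Z user=mallory action=DELETE path=/hr/employees.csv
2018-05-11T08:00:00Z user=alice action=DELETE path=/tmp/scratch.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def parse_log(text):
    """Parse log lines into event dicts with an aware UTC datetime; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: in production, count these, never silently drop them
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "action": m["action"], "path": m["path"]})
    return events


def users_for_path(events, path):
    """Drill-down for an access or erasure request: which users touched this file, and how."""
    touched = defaultdict(set)
    for e in events:
        if e["path"] == path:
            touched[e["user"]].add(e["action"])
    return {user: sorted(actions) for user, actions in touched.items()}


def detect_mass_delete(events, threshold=3, window=timedelta(minutes=5)):
    """Flag any user who issues at least `threshold` DELETE events inside a sliding window."""
    alerts = []
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "DELETE":
            per_user[e["user"]].append(e["ts"])
    for user, stamps in per_user.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "first": stamps[start], "count": end - start + 1})
                break  # one alert per user is enough for this illustration
    return alerts


def notification_deadline(detected_at):
    """GDPR Article 33: the supervisory authority must be notified within 72 h of awareness."""
    return detected_at + timedelta(hours=72)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Who touched /hr/employees.csv:", users_for_path(evs, "/hr/employees.csv"))
    for alert in detect_mass_delete(evs):
        deadline = notification_deadline(alert["first"])
        print("ALERT mass delete:", alert, "-> authority deadline", deadline.isoformat())
```

The deadline is computed from the first event in the burst only for illustration; legally the clock starts when the organization becomes aware of the breach, which is usually the alert time, not the event time, and the gap between the two is exactly what real-time monitoring is meant to close.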
With the GDPR coming into effect, enterprises should gear up with the right toolset to comply with one of the strictest regulations to date. To ensure GDPR compliance, even if you are already PIPEDA-compliant, IT teams should:
- Expect new applications and infrastructure to support data access and portability requests from data subjects. Protect them with privileged account and password management, and use application monitoring that gives complete visibility into that environment.
- Monitor access, modification, creation and deletion of personal data in real time so that breaches and theft are caught early. This shortens the time to detect and contain malicious activity and gives you the evidence needed to identify who was responsible.
- Notify the supervisory authority within 72 hours of becoming aware of a breach, and affected individuals without undue delay where the risk to them is high. Real-time monitoring tools that provide visibility into your IT environment, detect patterns and alert on suspicious activity help you become aware of a breach as early as possible, which is when the clock starts.
- Lastly, track vulnerabilities and keep your organization’s software patched, especially the tools you use every day.
Dhwani Parekh is a marketing analyst at ManageEngine, a division of Zoho Corp. For more information on ManageEngine, the real-time IT management company, please visit www.manageengine.com; follow the company blog at blogs.manageengine.com/ and on LinkedIn at www.linkedin.com/company/manageengine-, Facebook at www.facebook.com/ManageEngine and Twitter @ManageEngine.