EUROPEAN UNION'S GDPR CYBERSECURITY CHECK

EU's General Data Protection Regulation (2016/679) will be enforced on 25 May 2018 - Is your company ready? - Can you prove it?

Table of Contents
  1. Introduction
  2. Spending
  3. Background
  4. Goals
  5. Scope
  6. Definitions
  7. What GDPR Means for your organization / company
  8. GDPR getting started list
  9. GDPR in three bullets
  10. Safeguard your company's back & remove security threats
  11. Max fine €20M - Don't take any chances
  12. Zen-mode Solutions GDPR package
  13. How to proceed - Call us
  14. GDPR key changes
  15. Finland's Data Protection Authorities
  16. More information
  17. Pre GDPR fine examples
Introduction

Zen-mode Solutions offers its cybersecurity know-how to make sure that your company fulfils the GDPR requirements

Make GDPR be a business opportunity instead of a problem

    It's a clear way of showing that your company knows what it is doing. Use it to increase your clients' trust in your company. Add it to your homepage and slides and tell your clients about it:

    We are a GDPR 2016/679 compliant company. Your data is safe with us. For more information please see our privacy page.

GDPR SPENDING
Over 80% expect GDPR Spending to be at least Six-Figures
Depending on which GDPR readiness studies you look at, between 40-80% of the IT professionals working at medium-sized to Fortune 500 companies expect GDPR-related spending to be anywhere between $100.000 - $10 million [ 1, 2, 3, 4 ].
Pick your GDPR consulting company carefully. Put shortly: (1) big consulting companies: big bills; (2) startups / SMEs: lighter bills. Contact us and we'll give you a competitive offer!
Background

The General Data Protection Regulation (GDPR 2016/679) is a regulation created by the European Commission which aims to unify data protection within the EU and to govern the export of personal data beyond the EU's boundaries.

GOALS
DATA PROTECTION BY DESIGN AND BY DEFAULT

One of the main goals of the GDPR regulation is to give EU citizens / residents (data subjects) more control over their personal data and, in doing so, increase their rights and freedoms. It harmonizes data regulation across the EU (and also for non-EU based companies doing business in the EU), which simplifies things, but at the cost of stricter data protection rules and severe penalties for breaking them.

Scope
ALL COMPANIES PROCESSING EU CITIZENS' PERSONAL DATA

The regulation concerns any organization that is processing personal data of an EU citizen, regardless of whether the company doing the controlling / processing is EU-based or not. The same, put another way: any company that has a customer database of some sort which contains personal data of an EU citizen.

Definitions
Definition of personal data [ * ]
Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer's IP address. The EU Charter of Fundamental Rights says that everyone has the right to personal data protection in all aspects of life: at home, at work, whilst shopping, when receiving medical treatment, at a police station or on the Internet.
Definition of controller [ 4(7) ]

A controller is the entity that determines the purposes, conditions and means of the processing of personal data.

Example 1: Company-A with a customer user database on their hard drive.

Example 2: Company-A which provides e-mail & work schedules to their workers.

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
Definition of processor [ 4(8) ]

A processor is an entity which processes personal data on behalf of the controller.

Example 1: Cloud Company-B which rents virtual machines to Company-A.

Example 2: Cloud Company-B which provides e-mail & working schedules services to Company-A.

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
What GDPR Means for your organization / company

Overview of GDPR actions

  1. Assign resources for your GDPR effort
    - Requires (recurring) time & effort
    - Not a one-person job (board, legal, etc.)
    - In-house and/or outsourced work?
  2. An inventory of your personal data and the processing of it
    - Personal data transparency
    - What, Why, Who, Where
  3. An inventory of your customers' consent
    - Can you demonstrate that you have it?
    - Contracts may need to be renewed
  4. Personal data & cybersecurity check
    - Is your personal data safely stored & accessed?
  5. Data Protection Impact Assessments
    - Creation of DPIA, IRP, personal data access logs, etc.
    - These are the documents which should prove that you are GDPR compliant
  6. Data protection by design and by default
    - Should be built in / part of your normal software development & product development chain
  7. Assigning a Data Protection Officer (DPO)
    - Mandatory for public authorities / organizations processing large amounts of personal data
  8. Be prepared for user requests
    - Are you able to easily export / update / delete your users' personal data?
GDPR GETTING STARTED LIST

    The new regulation will mean big changes for many companies. Your company might need to be a lot more careful when working with customers' personal data than before. If your company has its fingers all over the place, the GDPR effort might be quite painful at first.

    Make sure that your company's cybersecurity is in order and that your customers' personal data is safe & secure. Verify that all your solutions are using encryption and that the devices are running with the latest security patches. Double and triple check that only the designated people have physical access to your systems containing personal data, and log all access (when, what, why, who, where).

    Create a complete map of your company's personal data usage (creation, update and deletion). Remember to include who is responsible for / owns the different data sets and where & how they are stored. Remember how broad the definition of personal data is: you might have to re-arrange your databases etc. to comply with the new regulation. Make sure your personal data is secure through its whole life-cycle: initialization, update, deletion. Also remember to check that all of your backup systems comply with the tight rules.

    Document everything related to the GDPR area. Your personal data inventory & map will come in handy here. Create up-to-date DPIA and IRP documents. Remember to clearly document all work which touches your customers' personal data (why, who, where, how) etc. In case of a breach / other problems, these documents & logs (when up-to-date and accurate) might prove more valuable than you think... (Article 35, Article 30)

    Make sure that you have clear information about how your company is using your customers' personal data, and keep your promises. You do not need to renew your current customers' consent, but any additional consents that you need must be asked for and clearly marked as OK. Do not overstep your customers' consent. Heavy fines await if you get caught doing things with your customers' personal data without having permission to do it. Consent for children (data subjects below 16 years) must be given by the child's parent or custodian (Article 7, Article 8).

    Make sure that all of your employees understand and follow the GDPR regulation. Minimize access to the personal data and write accurate logs of those who do access it and why. Remember that a single person (who might be breaking the GDPR rules badly...) can create huge problems even if you have the world's best cybersecurity in place...

    Make sure that you can prove that your cybersecurity is in order and that you are on top of things. Train your employees for a cybersecurity breach: what actions should be taken, what documents should be filed, etc. In the case of a personal data breach you will have 72 hours to inform the supervisory authority about the incident. You may also need to inform all affected users. Be prepared for this. Have the right procedures and documents in place and proceed accordingly to minimize the damage.

    Be prepared for user requests related to their personal data: Right to rectification, Right to erasure - Right to be forgotten, Data Portability - Data migration. See GDPR KEY CHANGES for more details.

    Depending on your business model it may or may not be mandatory for your company to have a designated Data Protection Officer (DPO, Article 37). To simplify and clarify things we recommend that all companies should have a designated DPO (a company-internal one-stop-shop mechanism for the personal data & privacy area). NOTE: before assuming the DPO role be sure to read the WARNING text regarding the possible legal risks.

    All privacy switches which are present in the solutions that your company is selling should be set to high by default.

GDPR in three bullets

A continuous cycle of

  1. Keep your company's cybersecurity & personal data safe & secure
  2. Always treat all personal data with adequate respect
  3. Maintain up-to-date documents & logs that verify bullets 1 and 2

The good news: The above sums it up quite nicely. Any company which has managed to correctly implement the three "rules" mentioned above should (to a large extent) have captured the essence of the GDPR regulation.

The bad news: The devil is in the details. The complexity of any given solution tends to grow rapidly when you open up the simplified version of the concept. The real scope of the bullets mentioned above is a lot bigger than just the 88-page GDPR document itself...

POINT BEING

GDPR is more like a continuous process than a one-time effort *

Your alertness, security and personal data awareness is the main goal. The documents and logs are there to help your organization in its personal data work and to verify your appropriate & correct usage of it (Note: Cheating here may end up in game-changing administrative fines).

A well implemented GDPR cycle = Fewer problems

* like all security-related problems

SAFEGUARD YOUR COMPANY'S BACK & REMOVE SECURITY THREATS


Protect your company's back against administrative fines by becoming GDPR compliant. It is no longer enough to say that your company is safe & secure, or that you are complying with the laws & regulations and that you have your customers' consent - you must soon be able to prove it.

Let Zen-mode Solutions help you (A) verify your cybersecurity and (B) create the required GDPR documentation that proves that your company is safe & secure and that your company fulfils and is following the GDPR regulation.

Pros / Cons

It can generally be said that the GDPR is a good thing for all EU citizens, but at the same time it also creates big challenges for many companies...

When the regulation is well implemented and understood, it helps to (A) clarify your business model, (B) remove possible security problems and (C) it might even create new business opportunities for your company. It also clarifies what you can and cannot do with personal data.

When poorly implemented and understood, your company risks receiving "game-changing" fines in case of (A) a personal data breach, (B) overstepping your powers or (C) running into other GDPR-listed problems which you should have been prepared for...

MAX FINE €20M - DON'T TAKE ANY CHANCES

Earlier, if a company experienced a breach of their customers' personal data, the company might have received a warning letter from the authorities. As of 25.5.2018 the penalty for the most serious GDPR infringements can be up to €20 million or 4% of the company's annual global turnover (whichever is greater) (Article 83) - can you afford a slip-up?

Commission Zen-mode Solutions to perform a thorough GDPR Cybersecurity readiness check for your Company / Innovations.

Let us help you create your Data Protection Impact Assessment (Article 35, a.k.a PIA: Privacy Impact Assessment) and IRP (Incident Response Plan) documents, test and secure your IT / IoT / main solutions. We will investigate, pinpoint and help you remove possible security problems before you run into trouble...

We can help out in different parts of your GDPR effort or you can outsource the whole problem to us (includes cyclic cybersecurity checkups + required documents & log updates + your customers GDPR contact point).

Helping you in your GDPR & Cybersecurity effort

ZEN-MODE SOLUTIONS GDPR PACKAGE

1. Cybersecurity Forensics & Risk Analysis

Mapping your company's cybersecurity status & GDPR readiness

Investigating & Analyzing what parts of your company & products are affected

2. Cybersecurity Solution / Code Audit

Assuring your solutions & code safety

Making sure the platforms, frameworks, libraries and code you use are safe & secure

3. Products Network Cybersecurity Check & GDPR compliance check

Assuring your solutions' network safety

Regression testing your solutions' different platforms + IP packet analysis

4. Report + End Report

Documents containing our Cybersecurity & GDPR findings & recommendations.

The end report contains our verification of the selected GDPR & cybersecurity areas

HOW TO PROCEED - GIVE US A CALL

We would gladly come and talk some more about how your company can benefit from our GDPR cybersecurity check. Give us a call at +358 50 486 7636 or sign up for our 2018 GDPR check package and we will call you back.


GDPR KEY CHANGES

The General Data Protection Regulation is a big regulation which will change a lot of things for many companies.
Below is Zen-mode Solutions' view on the key things that you should pay close attention to.
Creation of Data Protection Impact Assessments (DPIAs)

    The assessment shall contain at least:

  1. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  3. an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
  4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
Security of personal data - Security of processing
Records of processing activities

The record shall contain at least:

  1. the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
  2. the purposes of the processing;
  3. a description of the categories of data subjects and of the categories of personal data;
  4. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  5. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  6. where possible, the envisaged time limits for erasure of the different categories of data;
  7. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
Conditions for consent
Conditions applicable to child's consent in relation to information society services
Principles relating to processing of personal data

Personal data shall be:

Data Portability - Data migration
Right of access by the data subject
Right to rectification
Right to erasure - Right to be forgotten
Right to restriction of processing
Increased territorial scope
Penalties / Fines - Both controllers and processors
Data protection by design and by default
Notification of a personal data breach to the supervisory authority
Communication of a personal data breach to the data subject
Data Protection Officer (DPO)
Controller and processor
Processor
"Data Processing Agreement"

FINLAND'S DATA PROTECTION AUTHORITIES

  1. The Finnish Data Protection Ombudsman (DPA, Data Protection Authority, Tietosuojavaltuutettu)
  2. The Finnish Data Protection Board (DPB, Data Protection Board, Tietosuojalautakunta)

FOR MORE INFORMATION


PRE-GDPR FINE EXAMPLES

Below are some (pre-GDPR) administrative fine examples related to privacy:

Find your Zen