We keep you up-to-date on the latest tax changes and news in the industry.
The GDPR Overview
The is Regulation lays down rules relating to the protection of natural persons regarding the processing of personal data and rules relating to the free movement of personal data. The GDPR protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. This Regulation applies to:
the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union (EU), regardless of whether the processing takes place in the Union or not.
the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or
b) the monitoring of their behavior as far as their behavior takes place within the EU.
The GDPR is considered an extraterritorial regulation and is inclusive of data stored offshore from the EU. Potential fines for violation are up to four percent of organization’s worldwide gross sales based upon last year’s financial statements, with a limit of €20 million.
Under GDPR, data is classified as:
Personal Data – Any information relating to an identified or identifiable natural person (data subject).
Sensitive Data – Also called special categories of personal data, the processing of which could create significant risks to data subject’s fundamental rights and freedoms. GDPR prohibits (with certain exceptions) the processing of sensitive data revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, the processing of genetic data; or data concerning health or sex life, or criminal convictions and offenses or related security measures.
Processing
As defined by the regulation, processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Protecting personal data is a big deal
A survey coordinated by the European Commission, Directorate-General for Communication[1] in 2016 reveals how much people care about their privacy. Survey result from over 26,000 respondents showed that:
92% says it is important that the confidentiality of their e-mails and online instant messaging is guaranteed,
90% wants the encryption of their messages and call to assure confidentiality
89% wants the default settings of their browser to stop the sharing of their information
82% wants online activities monitoring tools (e.g., cookies) to be used in monitoring their activities only with their permission.
Together, the expectation of data subjects, far reaching regulation such as the GDPR, and the emerging best practices create a compelling driver for organizations to take personal data protection seriously. The GDPR secures a broad range of rights specific rights for data subject which include:
Right of access
Right of rectification
Right of erasure (right to be forgotten)
Right to restriction of processing
Right to notification regarding rectification, erasure, or restriction of processing of personal data
Right to data portability
Right to object
Right not to be subject to a decision based solely on automated processing, including profiling
Right to lodge a complaint with a supervisory authority
Right to an effective judicial remedy against a supervisory authority
Right to an effective judicial remedy against a controller or processor
Right to compensation for the damage suffered
Pathway to Compliance
Supporting most of the data subject rights under the GDPR requires a combination of technical function and well-defined organizational measures and processes. Achieving GDPR compliance is a journey that needs to be well-planned in terms of approach(es), strategy, and resources. The compliance journey will have to be carried out in a phase: Preliminary phase and Implementation phase
Preliminary Phase
In this phase of the journey, you will need to:
Secure senior management support, identify and involve key stakeholders in each affected business unit, assign responsibilities, and appoint a Data Protection Officer if required based on the nature and scale of your processing
Identify, analyze, classify, and inventory personal data held across the organization
Document processing activities to cover relevant details in Article 30 of the GDPR, including purpose of processing, types of processing, categories of data subject, and categories of personal data (details would depend on whether the organization serves as Data Controller or Processor)
Identify and document existing process and controls for:
Communicating privacy policy, data protection policies, and data subject rights
Assuring that personal data is processed lawfully (lawful basis), including obtaining data subject consent
Assuring that personal data is adequate, accurate, limited to what is necessary for the intended purpose, and only stored for as long as necessary for purpose.
Protecting personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage throughout data lifecycle.
Data subject access, rectification, erasure, restriction, and transfer requests
International data transfers
Data breach detection, investigation, and reporting, including sending notifications to Supervisory Authority and data subjects
Governance practices
Perform Data Protection Impact Assessment (DPIA)
Determine and develop compliance approach (whether it would be full compliance, targeted enclave, reduced functionality, or combined approach).
Fully Compliant Approach (FCA): The goal of this approach is to ensure the IT infrastructure and associated processes across the organization are fully compliant with GDPR protection requirements and allows for cost-effective execution of data subject rights upon demand. This approach may be cost-effective for entirely new organizations or for organizations already operating in highly regulated industries.
Targeted Enclave Approach (TEA): This approach involves the creation of GDPR compliant enclaves or bounded areas within the larger organizational IT infrastructure. Access to the GDPR enclaves is restricted to a subset of staff with explicit need to access the data, and information systems within the enclave are designed to easily implement functions to support exercise of data subject rights. The targeted approach serves to control costs and limit risk to a defined area of the IT infrastructure and allows legacy systems and processes to continue where the costs of updating those systems or processes is prohibitive.
Reduced Functionality Approach (RFA): This approach involves reducing data with GDPR requirements in the organization’s environment or stopping to perform operations that require the use of data covered by the GDPR. For this approach, the value of processing GDPR-covered data would be weighed against the costs of GDPR compliance. If the cost-benefit analysis shows that the cost of compliance outweighs the business value, the best approach may be to cease or curtail business functions that involve GDPR-covered data
Combined Approach: In most realistic circumstances, a fully compliant infrastructure approach may be too impractical or too expensive to employ across the entire IT infrastructure. A combination of the TEA and RFA may therefore become the most expedient strategy.
Approaches to GDPR Compliance
Your organization will need to assess its unique data scenario to determine the most cost-effective and lowest-risk approach(es) to employ for GDPR compliance. Following the selection of the best approach would be the implementation phase.
Implementation Phase
This phase focuses largely of identifying and closing gaps between the current state and the target GDPR compliant status. You will need to:
Identify and close gaps related to documentation requirements for:
Communicating privacy policy and data subject’s rights
Data subject consent
Purposes (basis) of collection and processing
Procedures related to processing activities
Implemented technical and organization measures for protecting personal data and for ensuring compliance with the regulation
Identify and close gaps related to implementation of safeguards for protecting personal data
Identify training gaps and implement employee training programs to close identified gaps
Identify and close gaps related to governance practices to maintain ongoing GDPR compliant status
Helpful Resources
Without leveraging available relevant resources, to determine, implement, and document technical and organization measures for protecting personal data to fulfill GDPR requirements may be daunting. Articles 40 and 42 of the GDPR allow a Controller or Processor to leverage adherence to an approved Code of Conduct and data protection certification mechanism administered by an approved authority to facilitate and demonstrate compliance with the GDPR.
The Cloud Security Alliance (CSA) has developed a Code of Conduct (CoC) and Code of Practice (CoP) Template (awaiting necessary approval by Supervisory Authority) for privacy and data protection transparency, assurance, and compliance. The CSA CoC identifies, in an organic, structured, and systematic manner, all relevant GDPR provisions which Cloud Service Providers (CSPs) must comply with when handling personal data. The CoC goes beyond the GDPR’s requirements and provides a higher standard for adhering CSPs’ data protection practices. Combining adherence to the CSA CoC for GDPR Compliance with the CSA Cloud Control Matrix (CCM) and ISO 27001 or SOC 2 STAR certification (or attestation) should provide the needed help envisioned by article 40 and 42 for GDPR compliance.
How can we help?
CAS Assurance, LLC team provides necessary supports for organizations that need help with readiness assessment for SOC 2 audit, or assistance to complete and submit their self-assessment for Level 1 listing in the Cloud Security Alliance STAR Registry. We provide independent audit services for SOC 2, including SOC 2 + CCM attestation for level 2 listing in the CSA STAR Registry, and other security and privacy regulations, standards, and frameworks. For assistance, contact us at 954-362-7113 or schedule a free initial consultation to get started.
Each month, we will send you a roundup of our latest blog content covering the tax and accounting tips & insights you need to know.