by: Mitchell H. Levine, CISA
Audit Serve, Inc.
The General Data Protection Regulation (GDPR) project, as discussed in our previous three articles, should necessitate that the compliance and audit departments conduct pre-implementation reviews to confirm that the organization is proceeding at the proper pace so that the GDPR project will be completed by May 25, 2018.
The fourth part of this article focuses on the regulations not previously discussed, on which the pre-implementation review should focus its attention to ensure that proper project initiatives have been established within the organization to meet the requirements of these regulations.
Within GDPR, a personal data breach is defined as “a breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or processed”. This scope of the GDPR personal data breach goes beyond the breach definition of GLBA, HIPAA and state privacy/breach notification laws. These US-based laws/directives focus strictly on breach notification for accidental and unauthorized disclosure, not for destruction or alteration of personal data. This is an important point, since an accidental deletion or change of an attribute of an individual’s personal information would now require escalation within an organization to allow the data controller to notify the supervisory authority and the impacted individual (i.e., the data subject). In addition, the personal data subject to these notifications is not just the PII and PHI data defined within the US-based laws/directives but any information relating to an identified data subject, which will increase the number of conditions under which breach notification will be required. Overall, GDPR goes beyond the US laws/directives, which focus only on fraud or identity theft.
The mandate that notification is required no more than 72 hours after the data controller has become aware of a breach will require organizations to establish an organizational structure which extends to the lowest levels of the organization, to ensure that every inappropriate disclosure, alteration or deletion of personal data is identified and escalated to the data controller. The required mechanisms also need to be extended to all third parties with which the data controller shares personal data. This requires not only contract provisions that oblige the third parties to notify the data controller of each individual incident of a data breach as defined by GDPR, but also independent reviews performed by the data controller to confirm that the third parties have these control measures in place.
If your organization has completed most of its GDPR initiatives, Audit Serve, Inc. is scheduling GDPR Project Assessments to determine the degree to which your organization has completed these initiatives. Contact me @ Levinemh@auditserve.com to discuss our proposal of services or visit our website.
Unfortunately, specific examples are not provided within GDPR that would allow a consistent set of standards to be established for determining the type of situation in which accidental/unauthorized disclosure or alteration of data is considered an “actionable” case that must be reported as a security breach. GDPR uses the words “access to”, which implies that if a person had inappropriate access to the data (e.g., identified during an access recertification review) and there were no audit trails to support that the person did not use this access, then it could be interpreted that this type of situation would need to be reported as a security breach. Another example in which most organizations do not have controls established to identify unauthorized disclosure or alteration/destruction of data is the use of an emergency ID by a support person (e.g., to make a direct change to data) which has global privileges to view or alter data. Since, in most organizations, audit trails have not been established at the database table/record level to identify the data that was accessed or altered, there would be no ability to determine whether an unauthorized disclosure, alteration or deletion of personal data occurred.
GDPR provides a key exception to the breach notification to the supervisory authority in a situation where the personal data breach is unlikely to result in “a risk for the rights and freedoms of natural persons”. This term, as used in GDPR, has not yet been interpreted within legal circles. Until this occurs, each organization needs to establish its own risk assessment process to drive the decision as to the risk level of each incident.
Overall, given the additional control measures which need to be established by US-based organizations in which only a small subset of the individuals whose data they store or process are naturalized citizens of the EU, a decision needs to be made immediately as to whether system changes will be implemented to clearly identify the data records which pertain to naturalized citizens of the EU, so that the additional control measures necessary to meet GDPR can be established for those records. The alternative is to establish the same control measures regardless of the country of origin of the individual. Regardless of the approach taken, when it comes to meeting the breach notification requirements, business and IT processes need to be established to ensure that incidents which require escalation are escalated within the required timeframes.
GDPR also provides the data subject the right to request that the data controller provide all of their personal data in a structured format that would allow the data subject to transfer their data to another data controller. Upon request, the data subject can also require the data controller to transfer their data directly to another controller. The data controller can reject the request to transfer the data to another controller if it is not feasible; however, they must at a minimum provide all of the data to the requestor in a machine-readable format. This provision will require organizations to establish a complete data profile of the data they store and process for each type of data subject: a complete data inventory and data schema, documented in a manner which allows the data subject to understand the meaning of every stored data element that makes up the data subject’s data profile. This initiative will be especially difficult for those data controllers which use third-party vendor products for which the software vendor does not publish the data schema used by the application’s database. In this case, agreements with third-party vendors will need to be amended to make these data schemas available, or the third-party vendors will need to establish data repositories derived from the application’s databases to allow the data subject’s data to be offloaded upon request.
As discussed throughout these four articles, there are significant IT and business initiatives which need to be established in order for an organization to be GDPR compliant. It is critical that the pre-implementation review focuses on these initiatives to confirm that the proper project initiatives have been established and are being managed properly so that they are completed within the required timeframes.