BreachExchange mailing list archives

How to comply with the new EU Data Protection Regulation


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Oct 2014 20:16:10 -0600

http://www.information-age.com/it-management/risk-and-compliance/123458546/how-comply-new-eu-data-protection-regulation?utm_desttype=twitter%

For the first time in many years, the European Commission is reevaluating
the European Union's data protection regulations.

While technology has moved on, the current regulations have remained
stagnant and woefully inadequate to protect an individual's or an
organisation's data.

Aside from updating the regulation to align with the technology changes in
the market, the EC is also aiming to create a single, pan-European law for
data protection, replacing the current patchwork of national laws across
the EU.

It also aims to create a one-stop-shop approach, allowing organisations to
deal with one single supervisory authority (at a local level, generally
where the organisations' European main base is located), not 28.

IDC believes a single Europe-wide data protection regulation is a step in
the right direction. It is also good for organisations doing business in
Europe, as it cuts down on the overhead of complying with multiple local
data protection acts.

However, the new EU Data Protection Regulation forces organisations to
apply a different perspective toward compliance and risk management.

The EU Data Protection Regulation places greater weight on organisations'
need to demonstrate the deletion of data linked to an individual (the data
subject) under the right to erasure clauses.

Therefore, organisations will need to ensure they fully understand the flow
of their data throughout the data life cycle.

Business leaders within an organisation have to take more responsibility
toward risk ownership. Increasingly, stakeholders within an organisation
(and external stakeholders such as shareholders) are asking questions not
only from technology leaders but also from business leaders when there is a
failure of security controls.

The regulation introduces larger fines for noncompliance (up to 2% of global
turnover or €100,000,000) and will require organisations to build and
implement new processes to satisfy the breach notification clauses that are
currently in place.

Organisations need to notify the supervising authority once they have become
aware of a breach. Crucially, however, they will also need to communicate
the breach to the data subjects.

Privacy by design and privacy impact assessments will become mandatory.
Therefore, organisations need to ensure that risk analysis is embedded into
business processes.

Developing a data-protection framework with appropriate governance assures
that data protection is tied into business processes and that business
executives are forced to continually assess the risk of noncompliance.

Future outlook

The current timetable for the EU Data Protection Regulation is for it to be
finalised in 2014, with organisations expected to be compliant two years
later. However, IDC does not believe that will happen.

In an increasingly connected economy, the regulation is necessary to make
sure that the rights of data subjects are not abused and that their data is
protected with the appropriate security controls.

The large fines that will be introduced will mean that noncompliance has a
real impact on organisations' bottom line. However, the exhaustive process
that the regulation needs to go through within the EU does mean that
constant delays are to be expected before the final version is published.

While the regulation brings in stricter legislation (e.g. increased fines
and breach notification), there are questions on the availability of
resources from data protection authorities.

Enforcing the new regulation will require a high number of training
resources to ensure compliance with the regulation.

As a result of the potential lack of resources, IDC believes data protection
authorities will be selective in enforcing the regulation. For example,
larger multinational organisations will be targeted first because of the
potential for levying larger fines for breaches.

Despite all the rhetoric in Europe, primarily as a result of the NSA leaks,
about having a separate European Internet or forcing international
organisations to keep European citizens' data within Europe, the reality is
that the dominant technology firms are mostly US based.

As a result, US organisations will continue to process European citizen
data and host that data in datacenters located in the US.

Indeed, global organisations such as Microsoft and Amazon are taking steps
toward setting up European data centres. However, this is not as a result
of a particular European regulation.

It should be noted that the EC is working closely with the US to allow for
some guarantees to be in place to ensure appropriate enforcement of
European regulation on European citizen data hosted in the US.

Compliance

To prepare for compliance with the regulation, an organisation's goal must be
to proactively identify risks and provide a level of assurance that
controls are in place to ensure compliance with the regulation.

To be able to proactively identify risks, organisations must be able to
build out a holistic view of the data processed within the organisation and
the subsequent controls that are applicable to mitigate risk throughout the
data life cycle.

Once the organisation has built a picture of the type of personal data it
processes and the respective data flows throughout the data life cycle, it
will then be able to more accurately identify the controls it has in place
at key points throughout the data life cycle.

Data-protection governance and strategy ensures alignment to the business
and also has ownership of policies and processes, risk assessments, and
others. It also drives compliance and control requirements.

The data-protection controls link to respective steps within the data life
cycle. To ensure effectiveness of the controls implemented, regular testing
of the controls will need to be conducted.

Internal audit must also be engaged to make sure that the controls testing
is appropriate and relevant, and that the processes and policies
implemented are appropriate for continued compliance with the regulation.

Although the EU Data Protection Regulation is yet to be passed, it is
highly recommended for organisations to get the building blocks in place in
preparation for the regulation.

Knowing your data (i.e., understanding its data flows), identifying the risk
owners, developing and implementing new processes, and maturing the data
protection framework will make compliance with the regulation less daunting
and, in the long run, more cost-efficient.