The General Data Protection Regulation (GDPR) is a highly complex piece of legislation, but entities should pay particular attention to ensure they have a clear overview of Article 35 and understand how their activities may create risks for individuals, as well as for themselves.

The GDPR is a wide-ranging European privacy law, governing and protecting the data of people living in the EU. It will come into effect on May 25, 2018. Article 35, Data protection impact assessment, is the first Article in Section 3, Data protection impact assessment and prior consultation.

As certain data processing activities use novel techniques or include the processing of more sensitive data, they may present a high risk to data subjects – the people the data refers to. Article 35 describes when and how a data controller should carry out a data protection impact assessment in order to identify and minimize or address these risks.

What Type of Data Requires an Assessment?

The processing of certain data types will always require a data protection impact assessment prior to any processing being executed. Article 35 notes that large scale automated processing of “personal aspects relating to natural persons” will require an impact assessment if the results of the processing “produce legal effects concerning the natural person or similarly significantly affect the natural person”. Importantly for many organizations, the Article clearly states that this includes automated profiling processing. Some have raised the question of whether this means offering discounts to certain customer profiles – which could constitute a legal effect – would require an assessment.

Other data that is specified in the Article is the large scale processing of “personal data relating to criminal convictions and offences” and  – through referral to Article 9 – “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.

More broadly, Article 35 requires impact assessments for “systematic monitoring of a publicly accessible area on a large scale”. This could mean monitoring footfall on the street outside of a retail location or car traffic in a publicly accessible car park or road would require an assessment.

What Must be Included in a Data Protection Impact Assessment?

Should the organization include a data protection officer, they must be involved and consulted during the impact assessment. There are four main pillars that must be addressed in the assessment:

1. A description of how the processing will be carried out as well as the purpose of the processing.

2. A report of the “necessity and proportionality” of the processing compared to the intended outcome e.g. if you are processing web traffic by browser and money spent with the goal of ensuring website optimization for higher paying customers, then processing the physical orIP location of these customers might not be necessary or proportional to your stated goal.

3. An in-depth assessment of the risks that processing the data may create for the data subjects. For example, could your browser/spending study data increase the risk of these customers or browsers being targeted by viruses or malware?

4. The security measures that will be put in place to reduce or address the identified risks.

Best Practices for Compliance

There are some steps that organizations can take to help them to comply with the GDPR standards, such as:

– Auditing data in order to identify what types of data are being stored, how they are being stored, and how they are being processed. An employee should be appointed to manage and take responsibility for processing activities.

– We mentioned above that certain data is more sensitive than others. Different assessment procedures will work better in identifying the risks for different types of data. Determining the optimum procedure prior to commencing the assessment will ensure a more robust result.

– Explore certification or approved codes of conduct. Article 35 states that “compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations”.

These three steps can increase the relevance and efficiency of the assessment process, saving time and money while facilitating compliance.

The post Overview of GDPR Article 35 appeared first on HIPAA Journal.

The European General Data Protection Regulation (GDPR) will take effect from May 25, 2018 and will naturally involve GDPR password requirements. The regulation deals with how to safeguard and appropriately process the personal data of people living in the European Union (EU). An important aspect of data and account protection is the system that is being used to access the data – with a critical component of this being whether passwords are part of the access requirements and how passwords can be stored or reset.

While the word “password” itself does not appear anywhere in the text of the GDPR, Regulation (EU) 2016/679, it is stated that “a high level of protection of personal data” must be ensured and that safeguards must be in place “to prevent abuse or unlawful access or transfer”. The law also states that “personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data”.

The law frequently refers to “appropriate safeguards”, “appropriate security”, and “appropriate measures”. This gives entities a certain level of freedom in what approach they take to protect the data. It also acts to somewhat “future-proof” the legislation, by avoiding naming certain technologies or practices which may become obsolete as technology progresses.

One of the sections of the law remarks that “measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected”. This is probably the “in a nutshell” version of the GDPR’s security requirements.

Importantly for our purposes, the use of passwords is not prohibited by this approach, nor are there any specific requirements mentioned e.g. minimum lengths, capital letters, numbers, maximum periods of validity/required change frequency. With the right support systems in place, passwords can be argued to ensure security and confidentiality, while remaining feasible in terms of cost and technology. What support systems would be required for this to be the case?

As we mentioned above, how passwords are stored and reset is a critical aspect of GDPR compliance. Clients and staff members may legitimately forget or need to reset passwords for a number of reasons. GDPR requirements mean that companies must be able to demonstrate that their password reset processes and procedures are secure. Systems must be in place, for example, to prevent help desk employees that may be involved in resets from directly accessing passwords.

Perhaps the optimum way to ensure this is through the use of a secure “self-service” reset system. These systems can make use of two- or multi-factor authentication to check that the person requesting the reset is the legitimate owner of the account. A common method to implement this for online services is to transmit an automatically generated reset code to the telephone number associated with the individual account name. If used within a certain period of time, this then opens a temporary window when a password reset may occur using the account name or email address.

Other “external” factors which can be used alongside the user’s identification to securely reset a password may be voice recognition, fingerprints, or smart-cards. If the person requesting the reset can show they have two or more specific elements –  such as knowledge, a possession, or something inherent to the user and only the user – that only the account holder should have, then the password reset mechanism can be triggered.

In our example above, these specific elements would be the account name/email address and access to the user’s pre-registered telephone. While there is a risk of a third party gaining both knowledge of the account name/email address and possession of the legitimate user’s telephone, it can be considered to be low enough (for now) that this form of password reset can be reasoned to be quite secure. The temporary nature of the reset code and reset window add to the security. As extra layers or factors are added, the safety of the account is increased.

How passwords are stored is not directly addressed. The previously quoted sections relating to appropriate measures still apply. It is also mentioned that “in order to maintain security and to prevent processing in infringement of [the GDPR], the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption”.  From this, we can infer that passwords used to access data should be stored to standards that are comparable to storing them as encrypted data, at a minimum.

Should your organisation choose to use passwords as a security measure for data protected by GDPR, we advise the use of multi-factor authentication for identification and password resets, as well as encrypted storage of data and passwords.

The post GDPR Password Requirements appeared first on HIPAA Journal.

What Countries are Affected by the GDPR is a common GDPR question. The General Data Protection Regulation (GDPR) is a European Union (EU) Regulation that was accepted on April 27, 2016. The GDPR will come into force on May 25, 2018. While it is a piece of  EU legislation, even institutions located outside of the EU must be aware of its implications and be on their guard to avoid violating it. The physical location of the organization does not exempt or shield it from facing the consequences of non-compliance.

Institutions that have offices in an EU country or that process the personal data of anyone located within an EU country are obliged to follow the GDPR. As businesses and other organizations often have an international focus and reach, it is quite probable that your entity will be required to comply with the GDPR – especially if it is an entity that operates or offers services via the internet.

Main Countries Concerned by the GDPR

As mentioned above, the physical location of the group is not as important in determining the need to comply with the GDPR as the physical location of the data subject – the person whose data is being stored or processed. We have stated already that most groups will find themselves subject to or impacted by the GDPR. Having said that, organizations located within the EU will likely see their practices change to a greater extent. Logically, they are more likely to process a larger amount of data belonging to individuals located in the EU. Organizations in the following countries, the EU member states, will probably be most concerned by the GDPR:

• Austria
• Belgium
• Bulgaria
• Croatia
• Republic of Cyprus
• Czech Republic
• Denmark
• Estonia
• Finland
• France
• Germany
• Greece
• Hungary
• Ireland
• Italy
• Latvia
• Lithuania
• Luxembourg
• Malta
• Netherlands
• Poland
• Portugal
• Romania
• Slovakia
• Slovenia
• Spain
• Sweden
• United Kingdom

Even with the uncertainty following Brexit and the United Kingdom’s (UK) future legal status regarding EU laws, for now it remains an EU state. This means that the GDPR will become part of UK law and will remain so until such a time as it is changed by the British government. Accepted EU laws will not just stop applying to the UK once they have left the EU.

How the GDPR Will Affect Non-EU Nations

The GDPR will have a global impact even with the relatively small and localized nature of the EU itself. Despite EU countries being more likely to see the most change, non-EU countries are likely to see greater disruption following the introduction of the GDPR. This is due to the fact that organizations located within the EU are more likely to be prepared for the changes as they as more likely to be aware of the introduction of the GDPR. A large number of organizations located outside of the EU are still unaware of the coming change or are of the opinion that they are exempt or will be unaffected.

There is also a sociological difference at play: non-EU societies such as the United States (US) and others do not have the same expectation of privacy as many EU societies. Privacy laws are in place for certain types of “sensitive” data, such as the Health Insurance Portability and Accountability Act (HIPAA), which regulates healthcare information; or the Gramm-Leach-Bliley Act, which concerns financial information; but “general” data does not enjoy the same protections. This may place US entities at a disadvantage as they may need to have several procedures in place to correctly handle personal information depending on whether it originates from the EU or the US.

The need to implement, staff, and run parallel systems may introduce too much complexity and drive costs too high for US based organizations to continue offering their services to the EU market. A potential strategy may be for US based actors to adopt an “all or nothing” approach that protects “general” data in a way currently reserved for “sensitive” data. This may allow the same system to be used to comply with both HIPAA, for example, and the GDPR. As of now, it is unclear whether many US groups will attempt this strategy.

Transferring Data Outside of the EU

The GDPR places strict controls on data transferred to non-EU countries or international organizations. These are detailed in Chapter V of the Regulation. Data is allowed to be transferred only when the EU Commission has deemed that the transfer destination “ensures an adequate level of protection”.

Data transfers can also occur in situations where the receiving entity can demonstrate that they meet this “adequate level of protection”, subject to periodic review every four years. The necessary protections may include:

– Commission approved data protection clauses

– Legally binding agreements between public authorities

– Commission approved certification

– Binding corporate rules that are enforced across different entities within the same corporate group

The transfer of data is strictly regulated so as to offer each individual in the EU the same protections and rights under EU law regardless of the location of data storage or processing.

What Does GDPR Mean for Me?

Above, we have seen a brief description of the data concerned by the GDPR – personal data of an individual located within the EU. We have also touched upon who is affected and how groups in some non-EU countries may approach GDPR compliance in an efficient manner. Now, we will outline why compliance is important: the maximum fine for violating the GDPR can be as high as €20 million, or 4% of annual turnover, whichever is higher. Compliance is, therefore, a very important issue.

While some groups will need to adapt their methods of processing data to be GDPR compliant, a common EU legislation will make it easier to deal with data originating from different EU countries.

With the introduction of the GDPR fast upon us, groups must use the time they have left to ensure they will be compliant on May 25. They will need to audit their data and verify that the methods of collecting, processing, and storage – as well as the nature of the data itself – are GDPR compliant.

If the necessary systems are not in place by May 25, organizations run the risk of non-compliance, sanctions, and losing business from their European partners.

The post What Countries are Affected by the GDPR? appeared first on HIPAA Journal.