People have always cared about privacy—about the security of their personal information. It’s just that the digital age made it infinitely easier than in the past to misuse someone’s private data. Events like high-profile breaches and the Cambridge Analytica affair brought this issue onto the front pages in the past decade. Misuse of private data has been a public relations debacle for businesses and a massive expense for both businesses and consumers. The solution? GDPR & privacy Compliance frameworks.
The EU saw the need to restore trust. It created GDPR, the General Data Protection Regulation, to protect EU individuals. Effective since May 25, 2018, the GDPR privacy framework was the first regulation in the new age of privacy to require transparency and give people rights over their data. Many privacy laws all over the world—including a growing number of state privacy laws in the US—have followed, and data privacy has continued to be a major concern to countries and organizations. Today, understanding and complying with privacy laws is essential in order to conduct business in jurisdictions where these laws are in effect.
The question is where and how to start a privacy Compliance program if you’re a Compliance leader who, until now, has focused on security Compliance. While a full guide on this topic is on its way (make sure to look out for it), we will focus here on understanding the privacy regulations and frameworks that can be the cornerstone of your business’s commitment to privacy.
There are some older privacy laws that relate to specific industries, including HIPAA for healthcare, FERPA for higher education, and GLBA for financial services. Those are still in use. But the newer, broader laws have a greater impact on business in general. For now, let’s focus on the GDPR privacy Compliance framework.
First, GDPR in brief. GDPR is a regulation that’s composed of a series of articles. It is widely considered the most comprehensive privacy and security law in the world. GDPR protects the processing of personal data of individuals. “Processing” is broad, covering a wide range of operations performed on personal data.
With specific exceptions, the GDPR privacy framework imposes obligations on organizations anywhere, if they handle data of persons within the EU. GDPR provides individuals with enforceable privacy rights. Again, the details of GDPR, particularly questions of who has Compliance obligations under GDPR and which information is protected, are much more complex than can be covered here.
Various aspects of GDPR demonstrate its broad scope and protectiveness, especially as compared to the privacy laws generally passed in states in the US:
Consent under GDPR is opt-in: individuals in the EU who want to share their data must check a box. In contrast, US states’ privacy laws often work on an opt-out basis: you share your data unless you uncheck the pre-checked box.
a. Who is protected by GDPR: The definition of covered individuals, “Data Subjects,” even covers individuals who are not residents or citizens of the EU. So if an individual travels to the EU and, while there, signs up on a website, that person is protected by GDPR.
b. Who could be subject to GDPR: The regulation applies to a “data controller” and a “data processor.” For example, a law firm collects data from employees when it hires them. It gives this data to a payroll company in order to process the payroll. The law firm is a data controller because it decides how to use its employees’ data. The payroll company is a data processor.
A broad array of data is protected under the GDPR controls framework, including data relating to genetics, religion, race, political affiliation, and ethnicity.
All privacy laws grant rights to protected individuals, including the right to object to the sale of personal information, to correct inaccurate information, and to delete information. But GDPR also grants a private right of action. (Of the states’ laws, only California has a form of this right, for certain breaches.) So an individual can actually sue for noncompliance with GDPR. (US states’ privacy laws generally require an individual to go to that state’s attorney general to seek redress after a breach.)
All privacy laws require affected businesses to adhere to certain rules, including keeping records, implementing data security, conducting assessments, managing consent, etc. But the GDPR Compliance framework features heavier obligations for businesses: a requirement to appoint a data privacy officer and for notifications about breaches (including deadlines).
What are the benefits of GDPR Compliance? Some state privacy laws allow time to fix a breach. GDPR doesn’t. Fines can be harsh. The law states a maximum fine of 20 million euros or 4% of revenue. In practice, the fine levied may end up reduced in negotiations.
All of the above may have put the fear of GDPR into you. But the reality is that an organization needs to take privacy Compliance into account as one of the key factors that will enable business growth. GDPR Compliance, in particular, is a game-changer; it’s necessary in order to do business with people who are in the EU, aside from the other benefits of GDPR.
Implementing GDPR is process-based, requiring that an organization create a data flow diagram of how it processes data. The GDPR Compliance framework does not provide checklists of controls. How, then, can an organization know that it is complying with GDPR? The answer: conform to one of the numerous standards created to allow organizations to confidently attest to GDPR Compliance.
The following four frameworks can help an organization comply with GDPR: the SCF EGCC, the CSA CoC/CCM, ISO/IEC 27701, and ISO/IEC 27018.
Note that since complying with the GDPR privacy framework does not depend on passing an audit or receiving a certificate, using these frameworks should be seen not as a guarantee of Compliance, but as evidence that an organization is doing its best to ensure that it is complying with GDPR.
Let’s take a closer look.
SCF EGCC
a. What it does: The full SCF consists of hundreds of controls—many of which are outside the scope of GDPR—and cross-maps them across dozens of frameworks. For the EGCC, SCF shows only the GDPR-relevant controls.
b. Who it’s for: Companies that:
1. have not adopted CSA STAR (see below), and
2. are not ISO/IEC 27001 certified.
CSA CoC/CCM
a. What it does: The CSA CoC/CCM for GDPR Compliance offers a consistent and comprehensive framework for complying with GDPR, plus transparency guidelines regarding the level of data protection offered by a cloud service provider.
b. Who it’s for: certain companies that are data processors:
1. For companies choosing to undergo an audit (i.e., CSA STAR attested/certified), CoC/CCM enables a formal attestation of GDPR Compliance.
2. Companies not wishing to undergo a CSA STAR audit can submit a self-assessment and receive a certificate saying that GDPR Compliance is “declared,” as opposed to “certified.”
ISO/IEC 27701
a. What it does: Creates a Privacy Information Management System (PIMS). ISO/IEC 27701 adds an extended set of privacy controls, based on GDPR requirements, to the existing ISO/IEC 27001 Annex A controls. The framework is composed of three sections: the first is PIMS-specific requirements or extensions to the existing controls in an Information Security Management System (ISMS) under ISO/IEC 27001. The other two sections are additional annexes—one for data controllers, and the other for data processors. Note that an organization can function as both.
b. Who it’s for: Companies that:
1. are data controllers and/or data processors,
2. are ISO/IEC 27001 certified,
3. process personally identifiable information (PII), and
4. want an auditable standard to give validation to their attestation of Compliance with GDPR.
ISO/IEC 27018
a. What it does: It’s the standard for protecting PII in cloud storage. It gives further helpful implementation guidance for the controls published in ISO/IEC 27001 and sets out extra guidance for PII protection in the cloud.
b. Who it’s for: Cloud service providers that are ISO/IEC 27001 certified.
c. Note: An organization that’s entirely cloud-based can implement either this standard or ISO/IEC 27701, but ISO/IEC 27018 is less rigorous and easier to implement.
GDPR and business growth go hand in hand. Privacy is too important for an organization to settle for a check-the-box certification. One of the major benefits of GDPR Compliance is that it reassures a company’s stakeholders that the company takes data privacy seriously—not just because businesses have been ruined for breaking their customers’ trust, but because taking on privacy frameworks allows a business to expand.
With a system that uses automation to ensure continuous privacy Compliance, privacy posture is continually monitored so that an organization can demonstrate its full-time commitment to safeguarding data privacy. Not looking for more hard work? anecdotes has unparalleled data infrastructure that can automate, manage and mature your privacy Compliance for you. Safeguarding privacy should become as integrated into your company as your security Compliance is. (Or as it should be, at least.)
Consumers want to be able to trust the organizations handling their data. Adopting GDPR privacy Compliance frameworks lets a business take on new opportunities and form new alliances, because people have always cared about privacy. So be a business that takes its customers’ trust seriously.
*The information provided in this blog, like all other content on this website, does not, and is not intended to, constitute legal advice.