
© 2019 SecurityFirst Corp. All rights reserved.

Navigating the Data Privacy Maze

By Paul Russert

June 2019


Executive Summary

According to the United Nations Conference on Trade and Development (UNCTAD), 107 countries have put in place legislation to secure the protection of data and privacy, not to mention all 50 U.S. states having their own laws. The span of data protection laws around the world often creates confusion, not just for global enterprises but for all organizations that collect and process personal information.

While meeting with large global enterprises through our OEM and channel partners, and with many small to medium size companies directly, we often hear things such as, "I don't do business in the EU, so their laws don't impact me" or "I outsource my credit card processing, so I don't need to support payment card regulations".

The challenge is that new privacy laws in California and Brazil, not to mention new legislation being debated around the world every day, are changing the playing field. Organizations shouldn't wait to start implementing processes to protect privacy rights, secure personal information and respond to a security incident.

The intent of this paper is to look at what we can learn from the work that has been, and continues to be, done for compliance readiness. Compliance is not just about using technology A, B or Z, but about creating repeatable processes that build trust with your customers. Giving customers a say in how their own data is used, and by whom, and protecting that information from unauthorized access is an important start.

Every company should ask the following questions, and build a plan to address them, because sooner or later they will be impacted by new data protection and privacy legislation.

• Whose data do we collect and what jurisdiction do the data owners fall under?

• What data do we collect, for what purpose and does it include personal information?

• What compliance regulations legally impact us?

• How much data do we have and is it still needed?

• Is the data protected responsibly today? By us? By our processing partners?

• Are we ready for incident detection, response, recovery and notification?


Contents

Introduction: A Look Back at Data Protection Regulations

Chapter 1: Privacy and Security – Separate but Connected Paths

Chapter 2: Entering the Maze - Develop Your Compliance Roadmap

Chapter 3: Choose the Right Path - Implement your Compliance Roadmap

Conclusion: Completing the Maze


Introduction

Imagine you are the Chief Privacy Officer (CPO) of a global enterprise headquartered in California that does business with customers and consumers around the world. You need to comply with a wide variety of laws such as the European Union's General Data Protection Regulation (GDPR), which you may still be working on well over a year after it came into effect, the California Consumer Privacy Act (CCPA), Brazil's Lei Geral de Proteção de Dados (LGPD), China's Personal Information Security Specification, and the many new but similar regulations you can expect to follow.

GDPR went into effect on May 25, 2018, and while barely a year old it already looks like the grandfather of every other privacy regulation that has followed and will follow. GDPR's "DNA" is clearly evident in both the CCPA and, especially, the LGPD. To make sense of this alphabet soup of data protection acronyms, we will focus on some fundamental elements they share. But first, let's look at how we got here.

A Look Back at Data Protection Regulations

At the end of the twentieth century, rapidly advancing technologies and automation triggered exponential growth of data, with more and more personal information being collected and processed around the world. Growing concern about protecting the confidentiality of personal information led to new data protection guidelines, regulations and laws, but that was just the tip of the iceberg.

Following World War II, many European countries, and subsequently the European Union (EU), were determined to protect individual privacy rights. The EU Data Protection Directive 95/46/EC (the Directive), enacted in 1995, was the first major legislation that affected a large population. The Directive's aim was to let personal information flow freely from one member state to another while still safeguarding the fundamental rights and freedoms of the individual, in particular their right to privacy with respect to the processing of personal information. Most regulations, including the Directive, were influenced by the 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data from the Organisation for Economic Co-operation and Development (OECD).

Two key parts of the Directive laid the foundation for most of the legislation that followed.

Rights of the Data Subject - The individual has the right to know what data has been collected, the purpose for which it is being used and the other parties it has been shared with, and to access the data and have it corrected or deleted. Data subjects must be able to opt out of having their data collected or shared with third parties. In addition, the amount of data collected should be minimized and the data kept only for the period of time it is needed.

Security of Processing - The controller must implement, or where processing is carried out on their behalf, choose a processor with, appropriate technical and organizational measures to protect personal information against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, at a level of security appropriate to the risks of the processing and the nature of the data to be protected.

The Directive was a solid foundation for data protection, but it was not itself a law. Each member state had three years to pass local legislation implementing the Directive, and while that was an important first step, uniform data protection across the EU had to wait more than 20 years for the introduction of the GDPR.

In the United States (US) there was no parallel legislation at the federal level like the Directive, so data protection has been driven at the state level [1]. California has a long history of recognizing the rights of the individual: the state Constitution was amended in 1972 to include the right of privacy among the inalienable rights of all Californians, and in 2003 California passed the first breach notification law in the US, defining requirements for protecting computerized personal information and for notifying individuals of a breach.

[1] The United States Privacy Act of 1974 established guidelines for the collection, maintenance, use and dissemination of personal information by federal agencies. It did not extend to public corporations, businesses, organizations or individuals.


Unlike the general definition of "security of processing" in the Directive, California law was more specific about personal information, data breaches and breach notification requirements. The following is a brief summary of what the law covers.

A person or business conducting business in California, with computerized data that includes personal information, shall disclose a data breach to any resident of California whose unencrypted personal information was acquired by an unauthorized person, or whose encrypted personal information and the encryption key were acquired by an unauthorized person with a reasonable belief that the encryption key could render that personal information readable or usable.

Many security and legal professionals agree that under this law, the use of encryption, external key management, monitoring and access controls that authorize processing only for the purpose the data was collected can negate the requirement to notify customers, state authorities and even the media after a breach of a perimeter, network or host, provided the data itself remains unreadable and unusable. Note that this exemption turns on the key: the summary above still requires notification when the encryption key was acquired along with the data, so a key stored next to the data on the breached host gives no relief.

The California law became the model for every other state, and 15 years later, with Alabama passing legislation in 2018, every state in the union as well as the District of Columbia now has a similar breach notification law in place.

Beyond the US and EU, the world has seen numerous data protection laws passed over the past two decades in all leading economies, including Australia, Argentina, Brazil, Canada, Japan, China, Korea and more.

2018 – The Year of Privacy

2018 included several very important actions in support of privacy as a fundamental human right for over one-tenth of the world's population: the citizens of the EU, Brazil and the State of California. May 25, 2018 finally brought the long anticipated GDPR into full effect; in June, California passed the CCPA, which takes effect January 1, 2020; and in August Brazil signed the LGPD, which goes into effect in 2020. Let's take a brief look at these major data protection laws.


General Data Protection Regulation

The GDPR replaced the Directive, building on its basic tenets with a number of new protections for EU data subjects and significant fines and penalties for non-compliant data controllers and processors. In addition, as a regulation rather than a directive, the GDPR is directly applicable in every EU member state, unifying data protection and making e-commerce easier throughout the EU.

Under the GDPR, data subjects have privacy rights that must be explained in clear and simple language they can understand. Data subjects must be informed what data is being collected, the purpose for which it is collected, how it will be processed and how long it will be retained. In addition, they must be able to obtain a complete copy of the collected data and request its correction or even deletion.

GDPR expanded the roles and responsibilities of controllers (Article 24) and processors (Article 28). The controller is essentially the entity that has the relationship with the data subject and determines the purposes and means of the processing of personal data. Processors are typically vendors who process data on behalf of the controller. The GDPR also strengthened and better defined the responsibilities of processors and the requirements for the "security of processing" under Article 32.

The other major change from the Directive is that the penalties for non-compliance can be as high as 4 percent of global annual revenue or €20,000,000, whichever is higher, depending on the violation.

California Consumer Privacy Act (CCPA)

The CCPA builds on California's existing breach notification laws, which provide for the confidentiality of personal information and require a business or person that suffers a breach of personal information to disclose it. The CCPA focuses on the online collection and management of consumer personal information for business purposes.


Beginning January 1, 2020, the law grants a California consumer the right to request that a business (the CCPA does not distinguish between controllers and processors) disclose what personal information is being collected, whether the information is sold or disclosed and to whom, and to say no to the sale of their personal information. In addition, consumers have the right to access the collected information and to request that it be deleted.

The CCPA requires businesses to allow Californians to "opt out" of the collection or sale of their personal information, and to provide equal service and pricing even when they exercise their privacy rights.

The CCPA also gives a Californian the right to pursue civil action against a business for the breach of their nonencrypted or nonredacted personal information, as currently defined in California law.

Just as California was the impetus for every other US state to pass breach notification laws, and looking at the current legislative calendars in a number of states, the CCPA may do the same for privacy rights.

Brazil - Lei Geral de Proteção de Dados (LGPD)

The LGPD bears a close family resemblance to the GDPR, but there are also a number of key differences that make the LGPD more advanced and flexible.

It sets roles for data controllers and processors, applies to organizations both inside and outside the country that process information on Brazilian data subjects, requires consent for processing and sets steep penalties of up to 2% of the prior year's total revenues.

The LGPD's definition of personal information is similar to the GDPR's but expands protections to cover health and credit data. Like the GDPR, the LGPD excludes anonymized data from its protections, but it does differentiate anonymous data used for profiling purposes, which may or may not affect big data analytics, machine learning or behavioral modeling.

Given the commonality between GDPR and LGPD, Brazil is likely to be found to provide an adequate level of data protection on the basis of an adequacy decision, which would make data transfers with EU countries easier.

While the legislative momentum seems to be all about privacy rights, that does not mean data security has been pushed to the back burner. In the following chapter we look at the goals of privacy and security through the concept of "security of processing".


Chapter 1

Separate but Connected Paths – Privacy and Security

Data privacy and data security are often used interchangeably, but they are two different concepts, and the distinction matters when looking at the regulatory landscape.

Data privacy is about the trust relationship between the data collector and the data subject (under GDPR) or the consumer (under CCPA) concerning the collection, processing and retention of personal information: for the purpose it was collected, for the time it is needed and with a defined set of who may use it. It concerns the "authorized use" of personal information.

Data security is about the technical and processing safeguards that ensure your private data stays private. It concerns securing the data and preventing "unauthorized access or misuse" during collection and processing.

When looking at data protection laws and regulations it is important to understand that you cannot have true data privacy without implementing and maintaining data security. This goes hand in hand with supporting the two key concepts outlined in the Directive and the regulations that followed: the rights of the data subject and the security of processing.

The rights of the data subject are what I like to view, in my simple way, as the trust relationship agreement between the data subject and the data controller for a specific interaction. It is really about data privacy, as it defines what is authorized in terms of collecting and processing personal information.

Shortly before May 25, 2018, anyone using the web suddenly saw a popup with language to the effect of, "this website uses cookies to ...(perform some action)... and for more information please review our Privacy or Cookie Policy". While I leave the matter of cookies to another discussion, this appeared to be a quick means of giving easy and clear access to the Privacy Policy. Most Privacy Policies were updated to inform the data subject about the purposes for which data is collected, how it is used, how it is shared and how long it is retained.

When someone performs an action such as requesting this paper or making an online purchase, the controller needs to state the purposes for which the data is collected and give the data subject the option to cancel or opt out.

Using this paper as an example, you may be asked for specific personal information such as your name, email and phone number. The purpose may state something like, "by downloading the whitepaper you agree to be contacted by SecurityFirst". This may also be where you have the option to allow or deny having this data shared with a third party or used for another purpose. It is a two-way agreement and must be clear as to what the data subject's information is being used for and whether it is being shared.

Other key rights concerning data collection have to do with the data subject being able to access the data collected, receive it in a standard transferable format for portability, and ask for corrections or deletions. In most current implementations the processes to make this happen are defined in the privacy policy itself. This basically allows the data subject to amend the original agreement with the data controller, but most of what I have seen to date are very manual, email-driven processes that must be initiated by the data subject.

The security of processing is what I like to view as simply keeping private data private. It is the data security part of the equation. Along with discovering and minimizing data, security of processing seems to be the biggest hurdle for GDPR readiness.

In the example of an online purchase, in this case a pair of shoes, the data subject searches the website for the shoes they want. They get suggestions and advertisements, finally select a pair and put them in the shopping cart. The data subject then supplies the data required to purchase the shoes and have them delivered.


At a glance the data subject has authorized the use of their personal information simply to buy shoes, but there are a lot of steps in the actual processing of this purchase and of that personal information. Unauthorized access is not just about some outside element or hacker; it also means recognizing that at each step of the processing there is a defined purpose for data access, based on job function or application, and only for a specific time.

For instance, name, address and credit card data are used by a processor to complete the purchase, but the same data may be needed again for a refund or store credit if the shoes don't fit. Taxes and other localized requirements may also require access. In addition, functions such as shipping, returns and warranties affect the access to and retention of specific data. All of these functions may be performed by the data controller itself or by multiple third-party processors, and each one adds to the complexity of securing the data from unauthorized access or misuse.

The challenge of making data privacy and data security part of your day-to-day business can be overwhelming, unless you build a good plan.


Chapter 2

Entering the Maze - Develop Your Compliance Roadmap

We opened this paper with the challenge of a global enterprise having to sort through the jumble of different data protection and breach notification regulations across numerous organizations, industries, states, regions and countries. The question I am often asked is whether there is a key element running through all these regulations, so that by focusing on that element an organization will comply with most of the requirements that apply to its business.

Essentially, organizations just want to know where to focus and how to start.

We will start with the simple observation that your organization and how you do business are unique. Your team, products or services, processes, intellectual property, sales, marketing and much more have been put together to give you an advantage over your competition or to build completely new markets. Those differences are also why there isn't a simple answer to <add compliance regulation name here> readiness like "everybody must use this tool, process, form, consultant... and you will be compliant".

Compliance readiness will most likely be supported by cross-functional teams, documented processes, numerous software products and considerable professional consulting engagements, all aligned with the organization's business and security goals.

What are the compliance must-haves for privacy and security?


Privacy

Granted, while you, your competitors and your partners may be unique in many ways, when it comes to compliance everyone must support privacy rights by providing:

• knowledge of what data you are collecting, the purpose for its collection and whom it is shared with, while minimizing the data and retaining it only for the time required;

• the ability for customers to opt in or opt out of how the data may be used, including whether it can be shared or sold;

• the ability for customers to access their data in a portable format and to request correction, deletion or the right to be forgotten; and

• notification in the event of a data breach, based on its severity and the determination of the data controller.

Security

While most compliance regulations don't specify exactly how to protect personal information, they do define tasks required for the security of processing, such as:

• pseudonymizing and encrypting personal information;

• allowing data access only on a need-to-know or job-function basis per processing task;

• ensuring the ongoing confidentiality, integrity and availability of processing systems and services;

• restoring access to personal information in a timely manner in the event of a physical or technical incident; and

• regularly testing, assessing and evaluating the effectiveness of these measures to ensure the security of the processing.

Where to start?

From my discussions with customers and partners, I would describe the most common starting point as

"We don't know what we don't know."


They need at least a basic understanding of the following to even begin.

• Whose data do we collect and what jurisdiction do the data owners fall under?

• What data do we collect, for what purpose and does it include personal information?

• What compliance regulations legally impact us?

• How much data do we have and is it still needed?

• Is the data protected responsibly today? By us? By our processing partners?

• Are we ready for incident detection, response, recovery and notification?

There are many companies and individuals focused on GDPR readiness across specialties such as technology and security assessments, legal reviews and regional data transfer law. The good news is that you do not have to go it alone and reinvent the wheel.

Companies, both large and small, have been succeeding, as well as failing, in the development of processes, practices and procedures for over three years, and that experience is very valuable whether for GDPR, CCPA, LGPD or future compliance. Even if you haven't focused on GDPR because you currently don't do business with the EU, GDPR and the lessons learned from it are a good place to start for any regulation.

Another important aspect is that building and implementing a compliance roadmap will require input from the data controller's business line managers, compliance team and legal team, and especially from the data processors, whether internal or third parties, because compliance is about more than a single regulation. For example, while a data subject can request that personal information be deleted or forgotten under GDPR, other obligations and laws for retaining that data may override that request. Legal counsel well versed in compliance law can help decide the best options for your particular business and customer relationships.


Lawful processing

As noted earlier, it seems you can't visit a website without being told that it has updated its privacy policy. For many companies this appeared to be a quick way to identify how they support lawful processing and what information they collect, and to provide clear ways for data subjects to ask what information the company holds, request a copy of it and ask for corrections or deletion. The harder part is aligning the data subject's choices with the actual processing of the data.

The best place to start for each business line or application is by capturing what type of data is being collected and for what purpose. Unfortunately this may also be the most complex issue companies face today. The basic question should be: what is the minimum amount of information I need to run this business and deliver my expected output? At this point it is not about where the data is located, but what the data is.

I recommend classifying data very simply:

1) personal or private data that needs to be protected;

2) public or anonymized data that falls outside the scope of the regulation(s).

If the data "needs to be protected", I would next look at how that data is processed, and what data is required for each specific step in the processing. Let's go back to our example of purchasing shoes.

The data controller, the company with the website selling shoes, has a customer (the data subject) who purchases a specific pair of shoes. The customer logs in or creates an account to make the purchase. The account data may include name, email address, password and password recovery information (mother's maiden name, first pet, etc.). At this point the account data is required, but no access is needed to the credit card or home address information.


Assume the purchase itself is handled by an external credit card processor. They need first and last name, credit card number, security code, address, product ID, amount of sale and a confirmation or consent to process the sale. Another department or third party handles the shipping, so they need name, address, product ID and shoe size so they can put the shoes in a box and ship them. Meanwhile the data controller's finance team needs to know that the sale was concluded, what was sold, the price and the tax information. While this doesn't include everything, it shows the complexity of a sale, and that not everyone, and not every application, doing the processing needs all of the collected data. At this point you just need to map out what goes where.

Now that we know the minimum amount of data required and who needs which data for which tasks, we must assess where we have gaps by mapping the privacy must-haves above to each of the processing tasks. This lets us see what modifications are necessary to meet the requirements for lawful processing.
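The "what goes where" map for the shoe purchase, together with two of the security-of-processing must-haves listed in this chapter (pseudonymizing personal information and restricting access by processing task), can be made concrete in code. The following Python is an added example written for this page; it is not SecurityFirst code and not any regulator's guidance. The step names, per-step allow-lists, the order record and the pseudonymization key are constructed for the illustration. Each processing step receives only the fields it is authorized to see, the finance team gets a keyed pseudonym of the customer's email instead of the email itself, and a small audit function reports fields an integration sends beyond its allow-list, which is exactly the gap the mapping exercise is meant to surface.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Set

# Constructed sample order for the shoe purchase in the text. Not real data.
ORDER: Dict[str, object] = {
    "first_name": "Ana",
    "last_name": "Lima",
    "email": "ana@example.com",
    "address": "1 Example St, Sao Paulo",
    "card_number": "4111111111111111",
    "card_cvv": "123",
    "product_id": "SHOE-42",
    "shoe_size": "38",
    "amount": "89.90",
    "tax": "7.19",
    "consent_to_process": True,
}

# Hypothetical allow-list per processing step: the fields each step is
# authorized to see, following the division of labour in the paper's example.
# Anything not listed is withheld from that step.
STEP_FIELDS: Dict[str, Set[str]] = {
    "payment_processor": {
        "first_name", "last_name", "card_number", "card_cvv", "address",
        "product_id", "amount", "consent_to_process",
    },
    "shipping": {"first_name", "last_name", "address", "product_id", "shoe_size"},
    "finance": {"product_id", "amount", "tax"},
}

# Steps that need a stable way to refer to the customer (e.g. to reconcile a
# later refund) without receiving the identifying value get a pseudonym of
# that field instead of the field itself.
PSEUDONYMIZE: Dict[str, Set[str]] = {"finance": {"email"}}

# Constructed key for the example only. In practice the key lives in a key
# management system separate from the processing step, so a step that only
# holds tokens cannot re-identify anyone on its own.
DEMO_KEY = b"example-pseudonymization-key-do-not-use"


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated to 16 hex chars).

    The same input under the same key always yields the same token, so a step
    can match records over time. Without the key the token cannot be reversed
    or checked against a list of guessed emails, which a plain unkeyed hash
    would allow.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def view_for(step: str, record: Dict[str, object], key: bytes) -> Dict[str, object]:
    """Project a full record down to what one processing step may see."""
    allowed = STEP_FIELDS[step]
    view = {k: v for k, v in record.items() if k in allowed}
    for field in PSEUDONYMIZE.get(step, set()):
        if field in record:
            view[field + "_token"] = pseudonym(str(record[field]), key)
    return view


def overshared(step: str, fields_sent: Iterable[str]) -> Set[str]:
    """Fields actually sent to a step beyond its allow-list: the gap to close."""
    return set(fields_sent) - STEP_FIELDS[step]


def data_map(record: Dict[str, object], key: bytes) -> Dict[str, Dict[str, object]]:
    """The 'what goes where' map for one record: one minimal view per step."""
    return {step: view_for(step, record, key) for step in STEP_FIELDS}


if __name__ == "__main__":
    for step, view in data_map(ORDER, DEMO_KEY).items():
        print(step, sorted(view))
    # A shipping integration that also forwards the card number gets flagged.
    print(overshared("shipping", ["first_name", "address", "card_number"]))
```

The allow-lists are the artifact to review with each processor and to write into the contract: if an integration needs a field that is not on its list, that is a conversation about purpose, not a silent widening of the list. Using a keyed HMAC rather than a bare hash for the pseudonym matters because customer emails are guessable; anyone holding a list of addresses could otherwise recompute the tokens.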

This is also an opportunity to identify where contracts, privacy policies and other agreements need to be updated, to review data transfer requirements and to implement the role of a Data Protection Officer (DPO) where required.

Security of processing

Most organizations are also struggling with the requirement for security of processing of personal information. Organizations must understand how personal data is processed and implement the security measures needed to keep the data secure and monitored at every point as it moves through the process.


They must continuously protect personal information and only process it under a legal basis for lawful processing, with access based upon processing role or function, only for the purpose the data was collected and only for the time needed per function or until the user's delete/forget request. They also must have the observability required to meet the notification requirements of a data breach, which in the case of GDPR is within 72 hours of becoming aware of it.

We have already assessed what data is required and who needs that data for specific

processing tasks. At this point we would want to map what security measures are

currently in place and assess the gaps to meet the must haves above for data security

and notification.

The goal is to build a basic compliance roadmap that highlights the steps you need to take and the interfaces and security measures you need to verify for the applicable regulations. While there will be speedbumps, detours and potholes along the way, you can move forward knowing that many others have already gone down this road successfully.


Chapter 3

Choose the Right Path - Implement your Compliance Roadmap

While I don’t want to minimize the rights of the data subject and lawful processing of their personal information, most of what I am going to focus on is the security of processing, access monitoring and breach response and notification. Because whether you are the data controller or data processor under GDPR or LGPD, or a business under CCPA, you have the requirement to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect, and to use the data only as the data subject has authorized.

How the data controller or business interfaces with the data subject, and how agreement or consent is given or denied, will vary greatly depending upon an organization’s business model.

Let’s say, for example, that under the CCPA a consumer exercises their right to opt out of the sale of their personal information. How is that data processed differently than for the consumer who has not opted out? How does that choice apply to the security methods that must be addressed for each step in the processing?

We can start by identifying some of the key security tasks and actions required:

• Discover and map location(s) where personal information is stored

• Classify data to be protected and its viability based upon collection purpose

• Minimize the amount of data based upon processing, retention and recovery needs

• Encrypt identified data and control encryption keys separately from data

• Implement controls restricting data access / usage as needed for processing

• Implement data subject’s right to access, port, restrict, rectify, erase or forget

• Track data access / usage for compliance audits

• Ability to identify, rectify and notify in response to incident or violation


And while most of these functions are traditionally thought of as responsibilities of the IT

organization, compliance will require input from your cross-functional team of business

line managers, security and privacy executives, legal team, compliance team and data

processors, whether internal or third party.

In addition, the implementation of security of processing should be looked at as

part of the overall design so new data and business lines have access management,

encryption, key management, monitoring, secure recovery and incident response plans

built in by default.

How you implement, maintain and continuously verify your security

of processing needs to be documented as it is important to both

training and possible audits by compliance authorities.

The last thing I want to discuss before going a little deeper into the above actions is penalties and fines. One of the most talked about parts of GDPR has been the large administrative fines of up to €20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Unfortunately, I’ve heard in conversations that these fines in particular had many companies thinking they had to protect everything at once: that if, out of the millions of records they hold, three were not protected, they would have to pay the maximum amount.

These are maximum amounts, and there are a number of factors that go into how, or if, a supervisory authority assesses a fine. Many people have been surprised that over the first year GDPR has been in effect, fines have been relatively small. But in actuality this fits with the overall goals of lawful processing, reporting an infringement as quickly as possible and rectifying it to mitigate the effect on the data subjects.

I have no basis for a legal opinion, but in my own reading of the laws I would say that not

starting to support lawful processing and at the very least protect some data, is a major

infraction. Doing nothing is both intentional and neglectful, for which I would expect a

major fine.


No matter what regulation you need to support, pick a department, business line or

application and implement your compliance roadmap as-soon-as-possible. Then you

will be ready for the next, and the next, and then it will be easier to integrate security into

all future businesses and offerings.

What, Where, When and How

Organizations working on compliance readiness face a major challenge in determining

what data they have, where it is located, when it was stored and how it is currently

secured, accessed and used. It can be a daunting process depending upon the size

of the organization or business model. If you manage your own data center where you

control the servers, storage and archives directly, it may be much simpler than for an

organization with data spread across multiple clouds, locations and vendors. You may

need to implement data discovery and classification tools, or it may be doable with a

basic spreadsheet.

You want the outcome of this to be a data map, not just of where the data is but how the

data flows. The same personal information, whether structured or unstructured may be

on a mobile device, laptop or server. It may be backed up locally, archived to the cloud

(where the cloud service provider may make multiple copies for resiliency) or on stacks

and stacks of archive tapes stored in some offsite location.

Understanding this flow and what data you have not only allows you to minimize data repositories that are no longer needed and bring the remaining data under your new security measures, but also lets you document these processing steps to minimize ongoing data collection.

Who

We’ve discussed a lot about lawful processing, and now we need to tie that

authorization to both the rights of the data subject and security of processing. In terms

of processing, in Chapter 2 where we used the shoe purchase as an example, we saw

there were many different steps to completing the purchase and delivery.

As the data controller or business under CCPA that collects the personal information,

it is your responsibility to verify the data is only used for the purposes the data subject


authorized, and that the level of security used by the data processors is appropriate

to the nature of the information to protect. This is where mapping the data flow to the

processing steps enables you to put in place the controls required to restrict data

access.

GDPR Article 32 names pseudonymisation and encryption of personal data among the measures for security of processing, so the data should be stored encrypted or pseudonymized, and your security measures should expose it in a decrypted state only for the time needed and only for authorized processing. Keep the encryption keys under separate control from the encrypted data: a copy of the data store taken without the keys is then unintelligible to whoever took it.
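One way to put this paragraph, together with the Chapter 3 tasks "encrypt identified data and control encryption keys separately from data", "track data access / usage" and the right to "erase or forget", into working form. This is an added example, not code from the paper or from the DataKeep product: a per-subject data key is kept wrapped by a key-encryption key inside a separate key service, the key service releases a data key only to a purpose whose policy covers the requested field, every request is logged whether allowed or not, and a delete/forget request is handled by crypto-shredding (destroying the subject's key rather than hunting down every copy of the ciphertext). The policy, purposes and field names are assumptions; in production the key-encryption key would live in an HSM or KMS rather than in process memory:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// AuditEntry is one key-release decision, logged whether allowed or not.
type AuditEntry struct {
	Subject, Purpose, Field string
	Allowed                 bool
}

// KeyService holds keys and policy apart from the data store, which keeps ciphertext only.
type KeyService struct {
	kek     []byte                     // key-encryption key (an HSM or KMS in production)
	wrapped map[string][]byte          // subject ID -> per-subject DEK wrapped under kek
	policy  map[string]map[string]bool // purpose -> fields it may decrypt
	Audit   []AuditEntry
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy; nothing sensible to continue with
	}
	return b
}

// gcm builds AES-256-GCM; neither call can fail for the 32-byte keys used here.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// seal prefixes a fresh random nonce to the AES-GCM ciphertext.
func seal(key, plaintext []byte) []byte {
	aead, nonce := gcm(key), randomBytes(12)
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...)
}

func open(key, ct []byte) ([]byte, error) {
	aead := gcm(key)
	if len(ct) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext missing or too short")
	}
	return aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], nil)
}

func NewKeyService(policy map[string]map[string]bool) *KeyService {
	return &KeyService{kek: randomBytes(32), wrapped: map[string][]byte{}, policy: policy}
}

// EncryptRecord enrols a subject with a fresh DEK (stored only wrapped under the KEK)
// and returns what the data store keeps: one ciphertext per field, no keys.
func (ks *KeyService) EncryptRecord(subject string, fields map[string]string) map[string][]byte {
	dek := randomBytes(32)
	ks.wrapped[subject] = seal(ks.kek, dek)
	rec := map[string][]byte{}
	for name, v := range fields {
		rec[name] = seal(dek, []byte(v))
	}
	return rec
}

// DataKey releases a subject's DEK only to a purpose the policy allows to read that field.
func (ks *KeyService) DataKey(subject, purpose, field string) ([]byte, error) {
	allowed := ks.policy[purpose][field]
	ks.Audit = append(ks.Audit, AuditEntry{Subject: subject, Purpose: purpose, Field: field, Allowed: allowed})
	if !allowed {
		return nil, fmt.Errorf("purpose %q may not decrypt %q", purpose, field)
	}
	w, ok := ks.wrapped[subject]
	if !ok {
		return nil, fmt.Errorf("no key for subject %q: erased or never enrolled", subject)
	}
	return open(ks.kek, w)
}

// Erase answers a delete/forget request by crypto-shredding: without the DEK, every
// copy of the subject's ciphertext (backups, archives, cloud replicas) is unreadable.
func (ks *KeyService) Erase(subject string) { delete(ks.wrapped, subject) }

// ReadField decrypts one field for one purpose; the DEK is in the data path only for this call.
func ReadField(ks *KeyService, subject, purpose, field string, rec map[string][]byte) (string, error) {
	dek, err := ks.DataKey(subject, purpose, field)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, rec[field])
	return string(pt), err
}

func main() {
	ks := NewKeyService(map[string]map[string]bool{"shipping": {"address": true}})
	rec := ks.EncryptRecord("subject-1", map[string]string{"address": "1 Example St", "amount": "89.00"})
	fmt.Println(ReadField(ks, "subject-1", "shipping", "address", rec)) // allowed: plaintext and nil error
	fmt.Println(ReadField(ks, "subject-1", "shipping", "amount", rec))  // off-purpose: policy error
}
```

A copy of the data store taken without the key service holds only AES-GCM ciphertexts, which is the situation the encrypted-data carve-outs in the breach notification rules discussed below are written for; the audit slice is the raw material for the access tracking and anomaly detection the paper calls for.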

The other part of authorized access relates to the rights of the data subjects themselves. While there are differences between the regulations, in general you need to establish a process for a data subject to request, and for you to comply with, the following: what data has been collected; access to the data; correction or rectification of the data (GDPR/LGPD); blocking or restriction of processing (GDPR/LGPD); the data in a portable format (GDPR/LGPD; the CCPA also requires electronically delivered data to be in a portable and, where technically feasible, readily usable format); and/or erasure of the data.

Visibility and Response

One of the key obligations in GDPR, LGPD and California law is that as soon as a controller/business becomes aware that a breach of personal information has occurred, it must give notice without undue delay: under GDPR to the supervisory authority and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of natural persons; under California law to the affected residents, with a copy to the Attorney General when more than 500 residents are affected.

Under GDPR, communication to the data subject in the event of a breach is not required

if appropriate technical protection measures were applied to the personal information

affected, in particular those that render personal information unintelligible to any person

who is not authorized to access it, such as encryption.

Under California’s breach notification law (the statute the CCPA builds upon), notification is only required when unencrypted personal information was acquired by an unauthorized person, or when encrypted personal information was acquired by an unauthorized person together with the encryption key or security credential that could render it readable.


Under LGPD, the controller shall notify the supervisory authority and the data subject of any security incident that may result in relevant risk or damage to the data subjects. The supervisory authority determines the severity of the incident and assesses whether appropriate technical measures were adopted to make the personal information unintelligible to third parties not authorized to access it.

You need the ability to detect, respond to and recover from a security incident or a violation of the regulation. This applies to all parties, as processors are required to notify controllers in the event of an incident. Documented and validated processes that demonstrate security measures are in place, as well as having an incident response team, are very important both for notification and for the assessment of administrative fines.

In terms of your compliance roadmap security metrics, my recommendation

would be to look at it as simply as possible. Implement access management

controls, encryption, key management and access tracking to:

• Keep private data private,

• Minimize the scope of notification and

• Track data access violations or anomalies for early detection of a security

incident.
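The third point, tracking data access violations or anomalies for early detection, as an added example that is not from the paper. It runs over a constructed key-release audit log (one line per key request, as a key service separated from the data store would emit); the line format, actor names and thresholds are assumptions. Three rules are applied: a denied off-purpose request, a decrypt attempted for a subject after that subject's erasure request, and one actor reading far more distinct subjects in a short window than per-order processing would ever need:

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed line of the key-release audit log. The line format is an
// assumption for this example: an RFC 3339 timestamp followed by key=value pairs.
type Event struct {
	At   time.Time
	Attr map[string]string // event, actor, subject, purpose, field, allowed
}

func ParseEvent(line string) (Event, error) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %v", line, err)
	}
	e := Event{At: at, Attr: map[string]string{}}
	for _, kv := range parts[1:] {
		pair := strings.SplitN(kv, "=", 2)
		if len(pair) != 2 {
			return Event{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		e.Attr[pair[0]] = pair[1]
	}
	return e, nil
}

// Detect scans the log in order and raises three kinds of alert:
//   DENIED         a purpose asked for a field the policy does not give it
//   AFTER-ERASURE  a decrypt for a subject after that subject's erase event
//   BULK           one actor touched more than maxSubjects distinct subjects
//                  inside window (bulk reads look nothing like per-order work)
func Detect(lines []string, window time.Duration, maxSubjects int) ([]string, error) {
	var alerts []string
	erased := map[string]time.Time{}
	recent := map[string]map[string]time.Time{} // actor -> subject -> last access
	bulkReported := map[string]bool{}
	for _, line := range lines {
		e, err := ParseEvent(line)
		if err != nil {
			return nil, err
		}
		actor, subject, ts := e.Attr["actor"], e.Attr["subject"], e.At.Format(time.RFC3339)
		if e.Attr["event"] == "erase" {
			erased[subject] = e.At
			continue
		}
		if e.Attr["allowed"] != "true" {
			alerts = append(alerts, fmt.Sprintf("DENIED %s actor=%s purpose=%s field=%s subject=%s",
				ts, actor, e.Attr["purpose"], e.Attr["field"], subject))
		}
		if t, ok := erased[subject]; ok && e.At.After(t) {
			alerts = append(alerts, fmt.Sprintf("AFTER-ERASURE %s actor=%s subject=%s erased=%s",
				ts, actor, subject, t.Format(time.RFC3339)))
		}
		// Sliding window of distinct subjects per actor: record this access, drop stale ones.
		seen := recent[actor]
		if seen == nil {
			seen = map[string]time.Time{}
			recent[actor] = seen
		}
		seen[subject] = e.At
		for s, t := range seen {
			if e.At.Sub(t) > window {
				delete(seen, s)
			}
		}
		if len(seen) > maxSubjects && !bulkReported[actor] {
			bulkReported[actor] = true
			alerts = append(alerts, fmt.Sprintf("BULK %s actor=%s subjects=%d within %s", ts, actor, len(seen), window))
		}
	}
	return alerts, nil
}

// SampleLog is constructed for this example; it is not real audit data.
var SampleLog = []string{
	"2019-06-03T09:00:00Z event=decrypt actor=svc-ship subject=s1 purpose=shipping field=address allowed=true",
	"2019-06-03T09:00:05Z event=decrypt actor=svc-ship subject=s1 purpose=shipping field=card_number allowed=false",
	"2019-06-03T09:01:00Z event=erase actor=privacy-desk subject=s2",
	"2019-06-03T09:02:00Z event=decrypt actor=svc-fin subject=s2 purpose=finance field=amount allowed=true",
	"2019-06-03T09:10:00Z event=decrypt actor=analyst-x subject=s10 purpose=support field=address allowed=true",
	"2019-06-03T09:10:10Z event=decrypt actor=analyst-x subject=s11 purpose=support field=address allowed=true",
	"2019-06-03T09:10:20Z event=decrypt actor=analyst-x subject=s12 purpose=support field=address allowed=true",
	"2019-06-03T09:10:30Z event=decrypt actor=analyst-x subject=s13 purpose=support field=address allowed=true",
}

func main() {
	alerts, err := Detect(SampleLog, time.Minute, 3)
	fmt.Println(strings.Join(alerts, "\n"), err)
}
```

The window and subject threshold should be set from a baseline of normal operation for each actor (a shipping service handling one order at a time looks very different from a nightly finance batch), and a malformed log line is surfaced as an error rather than skipped, since a gap in the audit trail is itself something the incident response team needs to know about.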


Conclusion

Completing the Maze

I set out to try and take a practical look at some very complex, legal regulations in terms

of data privacy and data security. These are not new concepts, nor is the idea that privacy

is a fundamental human right, but the business model of sharing and selling online

consumer information to create new revenue streams and the highly publicized Facebook

and Cambridge Analytica scandal appears to have spurred a race to enact new data

protection laws.

This certainly was the motivation for voters in my home state of California when they qualified a consumer privacy initiative for the 2018 ballot. In response, the California legislature wrote and passed the CCPA as quickly as possible, and the initiative was withdrawn.

More and more personal information is collected online, and whether the reason is that

citizens truly value their privacy or they see the financial value of their data and want their

fair share, privacy rights are certainly at the forefront of data protection legislation

worldwide. The collection and processing of data requires a clear statement of purpose

to the data subject or consumer, so they can give or deny consent to collect and process

that personal information. It comes down to trust between the parties. Trust that the

business will only use the data for the authorized purpose and trust the business will

protect that data at all times.

One certainty is that you cannot have data privacy without data security. Almost every

organization falls under current data protection or breach notification regulation by

locality, industry or international law. They have the responsibility to maintain reasonable

security procedures and practices appropriate to the nature of the information to protect.

I know there are a lot of items to consider when it comes to compliance

regulations, but I recommend you start by protecting the data itself. Because

if it wasn’t for Data Protection, GDPR would just be a General Regulation.


From the Author

With over forty years of experience in cybersecurity, learning management and semiconductor software companies, as well as delivering professional services to hundreds of customers, I feel I have a good understanding of the fine line between the promised benefits and the unplanned downside that technology can bring, depending on how it is used or abused.

I am not a lawyer or representing myself as a legal expert. I just have the opportunity

to speak with many clients about their business challenges and work with them to

translate those concerns into a technical solution. My current focus is around how the

use of learning management and cybersecurity practices can help protect data privacy.

Disclaimer

This paper is a collection of ideas to try and make the compliance process less

frightening and complex for some readers. SecurityFirst™ does not provide legal advice

or represent that its products or services ensure customers comply with any law or

regulation. It is the responsibility of an organization to get the advice of legal counsel as to what laws and regulations may apply to their business and how best to comply with those laws and regulations.

About SecurityFirst

SecurityFirst delivers advanced security solutions that build a firewall around your data

to protect against ever increasing threats and aid in meeting regulatory requirements

such as GDPR, CCPA, HIPAA, NYDFS and many others.

SecurityFirst’s flagship product DataKeep™, serves as your data firewall by using

advanced encryption, scalable hierarchical key management, extensive policy

enforcement and monitoring of unauthorized access to deliver the highest levels of

availability, resiliency and time to value. Security requires a layered approach and

protection of the data itself is your last line of defense.