A Deeper Dive Into GDPR: Due Diligence and Risk Mitigation

In the last entry in this series we covered GDPR’s breach notification requirements. Breach notification should be, for all of us, the scenario of last resort. Fortunately, GDPR treats it as such and emphasizes preventative steps that protect data privacy. One of these steps is the expectation that organizations conduct due diligence to mitigate the organizational and technical risks to their data.

As we covered in our blog post on data control and integrity, Article 5 lays out a set of data protection principles. Section 2 of that article first step in understanding GDPR’s chain of data protection responsibility. It state:

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

The ‘controller’ – as referenced throughout the regulation – is the organization that collects data from the data subject. GDPR naturally lays responsibility for properly processing and controlling data at their feet. Yet it compounds that responsibility with a requirement to demonstrate their compliance – an obligation we explore in the data control blog post.

Their responsibilities continue in article 24 (Responsibility of the controller) section 1 which states (emphasis mine):

1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”

For controllers, Article 24 section 1 joins the basic due diligence demanded by Article 5 with the obligation to mitigate risks based on the context of their operations.

GDPR doesn’t prescribe an approach to mitigating risk. Intimated here and articulated elsewhere in the regulation, GDPR expects organizations to conduct risk assessments and adopt accordingly the necessary technical and organizational measures. This is both a blessing and a curse for most organizations. While this gives organizations the freedom to choose solutions as they see fit, there is also no excuse for shirking their responsibilities. Here, again, GDPR is clear that the controller’s solutions must also allow them to demonstrate their compliance. This flexibility is the root of GDPR’s severe penalties – both its fines and breach notification obligations. Penalties are severe, but only because the level of negligence involved resulting in a data breach would be correspondingly significant. So, to satisfy GDPR, preventative efforts need to be demonstrable.

Yet, controllers aren’t the only ones on this journey. Part of what makes GDPR so far reaching is the fact that security responsibilities travel with the data. GDPR makes data processors responsible at the same time as controllers. No longer can a processor push security responsibility back on to their customers or vice versa. Article 28 (Processor) includes the following sections:

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
   1. processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
   2. ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
   3. takes all measures required pursuant to Article 32;
   4. respects the conditions referred to in paragraphs 2 and 4 for engaging another processor; (e) taking into account the nature of the processing

In plain language, Article 28 essentially says

1. Organizations can only use processors that offer sufficient security guarantees
2. Data processors cannot use other data processors without their customers’ agreement
3. Processors and their clients must have contracts that articulate what data is involved and which security measures are in place.

The moral of the story is that whether your organization collects data or processes it, there is no escape from GDPR. Its obligations attach to the data itself and travel wherever that data travels no matter how many steps removed from its origin.

So, how can controllers and data processors more easily manage this web of responsibilities? Much like the other topics we’ve covered, encryption and key management have a role to play.

As we pointed out earlier on this blog, encryption and key management is an effective tool for establishing control of your data and ensuring its integrity. Unlike other security approaches, demonstrating compliance using encryption is relatively straightforward. By virtue of its central role in managing encryption, enterprise key managers offer a full view of an organization’s data and how it is accessed, handled, moved, etc. The auditing and logging tools available in many key management solutions can be used to demonstrate compliance. When assessing data processors, organizations should consider how they are using encryption and key management in their service.

Since encryption attaches security directly to the data itself, as a solution, it addresses a wide range of risks – both known and unforeseen. As organizations conduct their risk assessments to decide the appropriate level of security, they can choose encryption to mitigate a wide range of risks. As a solution, encryption is a high-value option; it addresses a broad range of challenges, and it shows a proactive best effort approach to security that will reflect well in regulators’ eyes.

Lastly, encryption ensures the secure transfer of data between controllers and processors. Controllers that use encryption will be able to securely pass data to processors while retaining a measure of control. Either through key management or policy backed access controls, controllers can ensure that the processors don’t use the data without their express written authorization – an explicit GDPR requirement. In the capacity as the new guarantors of the data’s security once authorized, encryption and key management will keep data processors in full control in order to preserve the data’s integrity and security.

May 2018 will be here before we know it; preparations need to start now. For nearly everyone, that will start with a risk assessment. The information from this assessment will play a critical role in the majority of GDPR security related decisions. GDPR demands that organizations proceed diligently, both in their own approach and their partners’ approaches to security. Fortunately, organizations like Gemalto are available to help navigate GDPR’s varied requirements and the solutions in the marketplace available to meet them. For more information on GDPR’s due diligence requirements along with other topical issues such as breach notification, security, and data control obligations, check out our expanded ebook, The General Data Protection Regulation.