This article has been written by Shreya Mazumdar, pursuing a Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.
Introduction
If you hold data relating to users, customers, clients, employees or suppliers who fall under the jurisdiction of the European Union, then keep reading, because under the new law you could be fined up to EUR 20 Million for a breach of GDPR compliance.
Let us begin with the meaning of cybersecurity. Cybersecurity is the practice of protecting servers, electronic systems, computers, networks and data from malicious attacks. Other terms for cybersecurity are information technology security or electronic information security. The term is used in a myriad of contexts, extending from business to mobile computing. It can be divided into the following categories:
Firstly, network security is the practice of securing computer networks from intruders, whether targeted attackers or opportunistic malware.
Secondly, application security keeps software and devices free of threats. A compromised application may provide access to the very data it was designed to protect.
Thirdly, information security protects the integrity and privacy of data, both in storage and in transit.
Fourthly, operational security includes the processes and decisions for handling and protecting data assets. The permissions users have when accessing a network, and the procedures that determine how and when data may be stored and shared, fall under this category.
Fifthly, disaster recovery and business continuity define how an organisation will respond to a cyber-security incident or any other event that causes a loss of operations or data.
Sixthly, end-user education addresses the most unpredictable cyber-security factor, that is, people. Anyone can accidentally introduce a virus into an otherwise secure system by failing to follow good security practices.
GDPR requires that personal data be processed securely by use of appropriate technical and organisational measures. GDPR does not mandate a specific set of cybersecurity measures, but it states that “appropriate” action must be taken, that is, there has to be appropriate risk management. What counts as “appropriate” depends on the circumstances, the data being processed and the risk posed, although a minimum level of security is expected to be in place. The GDPR sets out a set of security-related outcomes that all organisations processing personal data should seek to achieve. This approach has four top-level outcomes:
- Manage security risk
- Detect security events
- Protect personal data against cyber-attack, and
- Minimise the impact
GDPR and privacy rules
The complete GDPR rules are intensely wordy and lengthy, therefore the following is a summary of the rules. This section is not meant to be an exhaustive list but a summary of GDPR rules, to explain the need for the GDPR compliance solutions available for cybersecurity.
- Data Portability: As the term suggests, individuals have a right to transport their personal data from one organisation to another, hence the term ‘portability’. GDPR grants EU individuals the right to control their data. Any personal data collected by an organisation must be provided to the individual in a structured, commonly used and machine-readable format. The rules also make it clear that the organisation must facilitate the electronic transfer of personal data from one organisation to another if the individual requests it.
- Data Breach Notification: All organisations involved in the processing of personal data need to make sure that this data is properly safeguarded against cybercrimes such as loss, theft and unauthorised access. The safety of personal data is of absolute importance, and GDPR has made personal data breach notification a rule: if a breach of security has occurred, it must be reported to the supervisory authority within 72 hours. In cases where the security breach is likely to result in a high privacy risk for the individuals concerned, the individuals themselves must also be informed of the breach.
- Data Protection by design and by default: Both of these are covered under GDPR and highlight two aspects. Firstly, compliance with GDPR is mandatory when designing any new system, process, service or anything else that processes personal data, so that data protection considerations are taken into account from the earliest stages of the design process. The organisation has to be able to prove that it has achieved this compliance. Secondly, where the system, process or service being designed gives the individual choices about sharing personal data with others, the default setting must be the most privacy-friendly one, in which no information is shared at all. The data minimisation principle is included in this notion of data protection by default.
- Processors: GDPR brings an extra compliance burden on the processor (an organisation that processes personal data on behalf of another organisation). The processor is now directly responsible and accountable under the law. These obligations include that a processor must appoint a Data Protection Officer and keep records of the processing activities performed on behalf of clients. The supervisory authority also has the right to approach the processor directly with requests and demands. This is intended to shift the balance of power between controller and processor to a more equal playing field.
- Right to be Forgotten: One of the main ingredients of GDPR that attracts a lot of attention is the right to be forgotten. As per the new regulation, any organisation that processes personal data must erase it if one of the following criteria is met:
- The personal data is no longer necessary for the purpose for which the organisation originally collected or processed it.
- The organisation relies on the individual’s consent as the lawful basis for processing the data and the individual withdraws their consent.
- The organisation relies on legitimate interest as its justification for processing an individual’s data, the individual objects to this processing, and there is no overriding legitimate ground for the organisation to continue the processing.
- The organisation is processing the personal data for direct marketing purposes and the individual objects to that processing.
- The organisation has processed the personal data unlawfully.
- The organisation has to erase the personal data to comply with a legal ruling or obligation.
- The organisation has processed a child’s data to offer an information society service.
- Privacy Impact Assessment (PIAs): GDPR has introduced Data Protection Impact Assessments (DPIA) as a means of identifying high risks to the privacy rights of individuals when processing their personal data. Once such a risk is identified, the GDPR expects the organisation to formulate measures to address it. This assessment shall only happen after the start of processing the personal data, and its core is a systematic description of the processing activity and of the necessity and proportionality of the operation. Thus, the DPIA resembles the PIAs that many organisations already carry out regularly. The contents of PIAs, however, were never strictly defined, so the DPIA is intended to be a more uniform assessment.
- Security: This has been one of the most highlighted parts of the GDPR. These security measures are considered so valuable that they are specifically mentioned in the text of the act. It is highlighted that security should be based on a risk assessment, that is, on the risk to the rights and freedoms of a natural person should that individual’s privacy be compromised.
- Sanction: One of the most difficult problems an organisation faces for non-compliance with GDPR is administrative fines. The GDPR sets out the administrative fines that can be incurred for violating its articles. The maximum amount of the fine depends on the “category” of the violation. For a less serious violation, the maximum amount is EUR 10 million or 2% of the total annual worldwide turnover of the preceding year (whichever is higher). For a serious breach, the maximum rises to EUR 20 million or 4% of the total annual worldwide turnover of the preceding year (whichever is higher).
- One-Stop Shop: GDPR has brought in a cooperative system between supervisory authorities. The ‘Lead Supervisory Authority’ is the supervisory authority of the country in which the data controller or processor has its main establishment. The Lead Supervisory Authority is the primary authority an organisation needs to deal with, but in certain circumstances local authorities can step in as well.
- Approval Certification Mechanism: To help organisations demonstrate adherence to the GDPR, data protection certification mechanisms and data protection seals and marks are introduced. The GDPR also mentions the possibility of a common European Data Protection Seal.
GDPR and cybersecurity in the business world
According to a research study conducted after the implementation of the GDPR, 62% of businesses invested more in cybersecurity in preparation for the GDPR, 49% have no faith that it has made their business safer, and 26% of businesses do not believe that their business is fully compliant.
As per the GDPR, the organisation must know exactly what information it has collected from a covered person, when and from where it was collected, how it is processed, how and for how long it is stored, and to whom it is sent, including transfers across borders. Besides this, the information collected must be sufficiently documented, the risks assessed, and appropriate technical and organisational measures implemented to bring residual risk within tolerable levels.
Given the detailed documentation required under GDPR, it is unlikely that an organisation can fulfil its obligations under GDPR and demonstrate compliance using only spreadsheets and word-processing documents. The compliance steps under GDPR that businesses can follow for cybersecurity are as follows:
- The GDPR-related infrastructure, business processes, policies and procedures, third-party information, controls, business resiliency plans, outstanding issues and remediation plans must be documented.
- Ensure a level of security appropriate to the risk, and document the implementation of the appropriate technical and organisational measures taken. Such measures protect covered data against accidental or unlawful destruction or accidental loss, and prevent unlawful forms of processing and any unauthorised disclosure, dissemination, access or alteration of personal data.
- The GDPR risk analysis must assess every IT infrastructure element, business process and third party that processes, stores or transmits covered information. In assessing risk, consideration should be given to both electronic and physical security, as well as to accidental or unlawful destruction, loss, unauthorised disclosure of or access to covered data, and alteration.
When it comes to cybersecurity, businesses are not confident and are unable to anticipate the threats they face, as the hackers may be a leap ahead. The threat grows stronger every passing day as criminal organisations across the globe join forces and collaborate over the dark web, quite often along geopolitical lines. Being unaware is not an option, and steps towards security are a must. The first exercise is to understand that investing in security tools and technology may not prevent an attack, but strong user education and awareness may help to monitor, detect early and deal quickly once a breach occurs. Following are the few methods for taking a step towards cybersecurity:
Conclusion
Cybersecurity is the need of the hour. It ensures safety even before a breach happens and plays a crucial role in mitigating the potentially damaging effects. Prioritising cybersecurity only once a breach has occurred is a tardy action. GDPR is the key driver of cybersecurity, and it is because of GDPR that the world has become more concerned about businesses that may suffer data breaches resulting from cybercrime, and about the need for protection.
GDPR has of course succeeded in forcing us to take action that was long overdue, although it has a downside. GDPR has put a lot of pressure on organisations to meet complex requirements. Overwhelmed by pressure from stakeholders, industry bodies and the press, many organisations have given up and reverted to previous working practices. So, the unregulated industrial sectors merely take a ‘tick box’ approach to get the work done, resulting in less effective protection and a false sense of security.
Another issue with GDPR is that it took a ‘one-size-fits-all’ approach, which has left the requirements too wide and vague, leaving businesses more vulnerable.
Therefore, it can be concluded that a lot of work has to be done under pressure, and once an audit is carried out, fines and press coverage will follow.