Trillium Insights

Thoughts and Insights from Trillium's Practice Leaders

How do you respond to GDPR security incidents?

General Data Protection Regulation (GDPR) is the set of legal guidelines for the collection and processing of personal information by organizations within the European Union (EU). GDPR also applies if personal data of an EU resident is maintained, regardless of where the organization is located, so its impacts are far-reaching. One of the tenets of GDPR relates to the response to and reporting of security incidents. Specific guidelines for organizations include:

  • Reporting breaches to supervising authorities within 72 hours of the incident’s occurrence
  • Following your organization’s documented procedures for handling GDPR security breaches
  • Following rules for notice to individuals in the event of a breach. Notice to individuals is not required if personal data is encrypted, high risks were already mitigated, or reporting would involve disproportionate effort. In that case, a public communication could suffice unless the supervising authority requires individual notice.
  • Showing proof that you followed the mitigation strategies you previously established
  • Demonstrating that you are establishing new or revised mitigation procedures to counteract this specific breach

While the GDPR has rules related to incident management and reporting, specific procedures for addressing and reporting on breaches are not defined within the GDPR. However, failure to respond to and report breaches can pose significant costs to your organization, including receiving a warning, receiving a temporary or definitive ban on processing personal data, and/or being assessed fines of up to 4% of an organization’s global annual revenue or EUR 20 million, whichever is greater. It is critical that you have a strategy in place for response to and reporting on GDPR security incidents.

Trillium has significant experience in privacy, cybersecurity, as well as process and procedure mapping and implementation. We can assist your organization in determining your level of risk related to GDPR, whether your response and reporting procedures are adequate, and what your path forward should be.

How do you mitigate GDPR security incidents?

General Data Protection Regulation (GDPR) is the legal set of guidelines for the collection and processing of personally identifying information (PII) by organizations within the European Union (EU). GDPR also applies if the PII of an EU resident is maintained, regardless of where the organization is located, so its impacts are far-reaching. GDPR has rules related to incident management and reporting; therefore, it is critically important to be proactive and have a mitigation strategy in place, since failure to report and respond to breaches can have a significant financial impact on the organization. How can your organization establish the proper processes to mitigate the risk of GDPR breaches before they occur? Below are some initial thoughts:

1. Using techniques such as information mapping, decision charts, and workflows or playbooks to track where personal data is maintained and determining the need to maintain such data

2. Having a repeatable, documented root cause analysis process in place so that the process can be used in the event of a breach

3. Ensuring the requisite controls and processes are in place, as well as repeatable and defensible, in the event of a breach. This includes following the National Institute of Standards and Technology (NIST) framework for cybersecurity to establish security processes. The framework consists of five (5) core functions that are applicable to GDPR, and which are generally addressed concurrently:

  • Identify – Develop an organizational understanding to manage the GDPR risks to systems, people, assets, data, and capabilities to prioritize and focus efforts. Categories within this function include Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management Strategy, all of which would apply within GDPR response.
  • Protect – Develop and implement safeguards to protect delivery of critical services, to contain the impact of a cybersecurity breach. Categories within this function include Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology. These categories are critically important in GDPR compliance, and would include activities such as security assessments and action plans related to the outcomes of the assessments so that any gaps can be addressed.
  • Detect – Develop and implement appropriate activities to identify the occurrence of a GDPR cybersecurity breach, to enable timely discovery of a cybersecurity event. Categories within this function include Anomalies and Events, Security Continuous Monitoring, and Detection Processes.
  • Respond – Develop and implement an action plan regarding a cybersecurity incident, to contain its impact. Categories include Response Planning, Communications, Analysis, Mitigation, and Improvements. Communications and disclosure are specifically required by GDPR.
  • Recover – Develop and implement activities to maintain recovery plans for capabilities that were damaged due to a cybersecurity breach, including timely recovery to normal operations. Categories include Recovery Planning, Improvements, and Communications. Your organization’s ability to be GDPR-compliant relies on planning and continuous improvement of your infrastructure.

4. Maintaining structured records of your organization’s compliance and mitigation to demonstrate it to regulators if necessary

Trillium has significant experience in privacy, cybersecurity, procedure mapping, and implementation, including NIST processes. We can assist your organization in determining your level of risk related to GDPR, whether your response and reporting procedures are adequate, and what your path forward should be.

How do you obtain and maintain GDPR consent?

General Data Protection Regulation (GDPR) is the legal set of guidelines for the collection and processing of personally identifiable information (PII) by organizations within the European Union (EU). GDPR also applies if personal data of an EU resident is maintained, regardless of where the organization is located, so its impacts are far-reaching. The deadline for implementation (May 25, 2018) is quickly approaching (or may have passed, depending on when you’re reading this), so if your organization is impacted by GDPR regulations, your preparations should be well underway. One of the rules surrounding GDPR relates to obtaining explicit consent to retain PII, as well as to opting out. What are some ways to deal with collecting permission to maintain PII?

  • Setting up a method for obtaining explicit permission to maintain PII depends on how the data will be used. You could use electronic forms, emails, or scanned documents with customers’ signatures.
  • Maintaining consent information as an integral part of your compliance records in the event of an audit by regulators. Any method of consent must be provable with a clear audit trail in the event proof is required. Oral consent is NOT considered proof.
  • Providing a method for your customers to grant permission or opt out, and maintaining that information as well. This is especially important as data can be used “behind the scenes” for profiling purposes.
  • Noticing that there are some similarities between GDPR and the United States’ Health Insurance Portability and Accountability Act (HIPAA) data rules for Protected Health Information (PHI). If your organization already deals with HIPAA, you undoubtedly already have some procedures for handling PII. However, GDPR is much more far-reaching, so your existing processes will require review and revision.

More specific guidelines are contained within the GDPR articles. As you obtain consent and add controls in your systems to secure data, be proactive and contact your mailing list to indicate your organization’s commitment to and compliance with GDPR.

Trillium has significant experience in privacy, cybersecurity, as well as process and procedure mapping and implementation. We can assist your organization in determining your level of risk related to GDPR consent, what you can do to obtain and prove consent, and what your path forward should be.

GDPR is here – are you compliant?

General Data Protection Regulation (GDPR) is a legal set of guidelines for the collection and processing of personal information within the European Union (EU), and is scheduled to come into effect on May 25, 2018. GDPR rules impact companies, government agencies, non-profits, and any other organizations that offer goods and services to people in the EU, or collect and analyze personal data tied to EU residents, and failure to comply can result in financial penalties or prohibition on data collection. One way to view GDPR is as the equivalent of the Health Insurance Portability and Accountability Act (HIPAA) data rules for Protected Health Information (PHI), applied to any organization that collects personally identifiable information (PII). GDPR is applicable regardless of where your company is located – including the United States.

If your organization does business with the EU and collects or uses personal data in an automated manner, here are some of the key issues and concerns you need to be aware of:

  • PII must be protected prior to being processed, so that PII can’t readily be attributable to an individual
  • Where PII is routinely used, such as in human resource records, it must be protected so that the individual cannot be identified from it
  • Where data is aggregated for warehousing, that data must be protected from identification, which may minimize the amount of data that organizations collect to only that which is pertinent to complete a specific transaction
  • Organizations must keep records of their compliance and demonstrate such compliance to regulators
  • Organizations are required to notify supervising authorities about data breaches and must document the incident, its impacts, and actions taken to remediate the breach
  • Depending on the type and size of the organization, a Data Protection Officer may be required

While GDPR was passed in 2016, it is still a work in progress, and the regulations and the processes around them will likely be clarified over time. However, this does mean that your organization needs to be vigilant and ready to minimize any penalties.

Trillium has significant experience in privacy and cybersecurity, and can assist your organization in determining whether GDPR impacts your organization, and what may be required to bring you into compliance.