GDPR is, at first glance, a regulation, meaning it takes effect without any implementing legislation. It is built on the existing eight Data Protection principles. Lawfulness is the principle that, for processing of personal data to be lawful, you must specify the ground on which you process it (ICO 2020). If no lawful basis applies, your processing is deemed unlawful and in breach of the principle. Fairness is the principle of processing with fair treatment in mind (ICO 2020). Even if you have a lawful basis, processing that is not fair is still in breach. You must handle personal data in a manner that others would regard as fair and that does not have unjustified adverse consequences for them. Obtaining data, or the use of the data obtained, can be deemed unfair if it adversely affects the individuals or groups it concerns. Transparency is said to be closely tied to fairness; it means being clear, open and honest with people about how their personal data is processed. If someone entrusts you with their data and has clear documentation of how it will be used, they can make an informed decision about how that relationship will take form.

Purpose limitation means that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (ICO 2020). This provision is intended to ensure that you are transparent and open about your motives for collecting personal data and that what you do with the data is in line with the reasonable expectations of the individuals concerned. Data Minimisation is the principle that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (ICO 2020). You should therefore define the minimum amount of personal data you need to serve your function, keep that much, and no more. The Accuracy principle requires that personal data be accurate and, where necessary, kept up to date, and that every reasonable step be taken to ensure that personal data that is inaccurate is corrected (ICO 2020). You must always be clear about what the record of personal data is intended to show, because what you use it for can affect whether it counts as accurate. The Storage limitation principle states that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (ICO 2020). Deleting or anonymising personal data once you no longer need it reduces the risk of it being obsolete, excessive, incomplete or outdated.

“Integrity and confidentiality: personal data processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures” (ICO 2020).

This means you must have the necessary protection in place to prevent the personal data you hold from being breached, whether accidentally or deliberately.

The EU and the United States differ in both their laws and their enforcement practices. When it comes to Data Protection, the United States has no federal data privacy law, whereas the EU has the Data Protection Directive/GDPR and the E-Privacy Directive. The United States takes a sector-specific approach, for example in health care and financial services, and adds multiple state privacy laws and Unfair and Deceptive Practices enforcement by the FTC. The EU, on the other hand, has national implementation by each member state, together with a Data Protection authority for each member state. In the United States, enforcement at the federal level is by the FTC, at the sectoral level by specific regulators such as the FCC, at the state level through the State Attorney General, and at the consumer level through class action suits.

The EU’s enforcement at a pan-European level is all about coordination. The national level focuses on National Data Protection Authorities, and the sectoral level relies on specific regulators, just as in the US. Civil actions, although rare, are how the EU handles consumer-level enforcement. Failure to follow these rules exposes an organisation to hefty fines of 4% of its annual global turnover or 20 million Euros. The US has brought in HIPAA, a set of standards to secure health information, and the FISMA act made it possible for federal agencies to develop and implement an information security program.

GDPR defines roles for certain aspects of a data protection program. A data controller is an individual or legal entity that determines the purposes of the processing of personal data (Bhatia 2020). The main responsibility of the controller is to act in line with GDPR and to be able to formally demonstrate its compliance to the supervisory authority. A data custodian is an individual or legal entity that processes data on behalf of the controller (Bhatia 2020). It is their duty to ensure that the terms laid down in the Data Processing Agreement always comply with GDPR requirements. Data subjects are the individuals whom the GDPR covers, and the policies and procedures exist to ensure that the expectations GDPR grants them are met. The Data Protection Officer is a leadership role required by the EU GDPR, but only in companies that process the data of EU citizens (Bhatia 2020). The task of the DPO is to ensure compliance with the GDPR and to advise company management and staff on the necessary actions to be taken.

Cyber Security Professional | Red Team