GDPR and Other Privacy Frameworks: How Compliance Officers Can Use Privacy Compliance to Grow Their Business
People have always cared about the privacy and security of their personal information. It’s just that the digital age has made it infinitely easier than in the past to misuse someone’s private data. Events such as high-profile breaches or cases like Cambridge Analytica have grabbed headlines over the past decade. The misuse of private data has been a public relations debacle for companies and a massive expense for businesses and consumers.
Why caring about privacy helps your business
The EU saw the need to restore confidence. It created the GDPR, the General Data Protection Regulation, to protect individuals in the EU. In effect since May 25, 2018, the GDPR was the first regulation in the new era of privacy to require transparency and give people rights over their data. Many privacy laws around the world, including in a growing number of US states, followed, and data privacy has remained a top concern for countries and organizations. Today, understanding and complying with privacy laws is essential to conducting business in jurisdictions where these laws are in effect.
The question is where and how to start a privacy compliance program if you are a compliance manager who has so far focused on security compliance. While a comprehensive guide to this topic is in the works (be sure to check it out), here we will focus on understanding the privacy regulations and frameworks that can be the cornerstone of your company’s commitment to privacy.
Some older privacy laws relate to specific industries, including HIPAA for healthcare, FERPA for higher education, and GLBA for financial services. These are still in use. But newer and broader laws have a bigger impact on businesses in general. For now, let’s focus on GDPR.
GDPR: comprehensive and rigorous
First, GDPR in a nutshell. The GDPR is a regulation made up of a series of articles. It is widely regarded as the most comprehensive privacy and security law in the world. The GDPR protects the processing of personal data of individuals. “Processing” is broad, covering a wide range of operations performed on personal data. With few exceptions, the GDPR imposes obligations on organisations, wherever they are located, if they process data from individuals within the EU. The GDPR provides individuals with enforceable privacy rights. Again, the details of GDPR, in particular the questions of who has compliance obligations under GDPR and what information is protected, are much more complex than can be covered here.
Various aspects of the GDPR demonstrate its broad scope and protection, especially when compared to generally adopted privacy laws in US states:
1. It has an opt-in model for data sharing. A person in the EU who wishes to share their data must tick a box. In contrast, US state privacy laws often operate on an opt-out basis: you share your data unless you uncheck the pre-checked box.
2. GDPR definitions are broader:
a. Who is protected by GDPR: The definition of covered persons, “data subjects”, covers even persons who are not residents or citizens of the EU. So if a person travels to the EU and, while there, registers on a website, that person is protected by the GDPR.
b. Who might be subject to the GDPR: The regulation applies to a “controller” and a “processor”. For example, a law firm collects data from employees when it hires them. It gives this data to a payroll company in order to process the payroll. The law firm is a data controller because it decides on the use of its employees’ data. The payroll company is a data processor.
3. What data is protected: A wide range of data is protected by the GDPR, including data relating to genetics, religion, race, political affiliation and ethnicity.
4. What rights are granted: All privacy laws provide rights to protected persons, including the right to object to the sale of personal information, to correct inaccurate information, and to delete information. But the GDPR grants a right of private action. (Among state laws, only California has some form of this right, for certain violations.) So an individual can actually sue for non-compliance with the GDPR. (U.S. state privacy laws generally require a person to contact that state’s attorney general to seek redress for a breach.)
5. The obligations that companies must respect: All privacy laws require relevant companies to follow certain rules, including keeping records, implementing data security, conducting assessments, managing consent, and more (including deadlines).
6. Consequence of non-compliance: Some national privacy laws allow time to remedy a breach. GDPR does not. Fines can be severe. The law provides for a maximum fine of 20 million euros or 4% of turnover. In practice, the fine imposed may end up being reduced during negotiations.
All of the above may have made you fear the GDPR. But the reality is that an organization must consider privacy compliance as one of the key factors that will enable business growth. GDPR compliance, in particular, is a game-changer; it is necessary to do business with people who are in the EU.
GDPR implementation is process-based, requiring an organization to create a data flow diagram outlining how it processes data. The GDPR does not provide checklists of controls. How, then, can an organization know that it is GDPR compliant? The answer: Comply with one of the many standards created to allow organizations to confidently attest to GDPR compliance.
Selected privacy regulations and frameworks that align with GDPR
The following four frameworks can help an organization achieve GDPR compliance:
- The EU GDPR compliance criteria of the secure control framework,
- The CSA Code of Conduct (CoC) for GDPR, when implemented with the CSA Cloud Control Matrix v.4 (CCM),
- ISO/IEC 27701, and
- ISO/IEC 27018
Note that since GDPR compliance is not dependent on passing an audit or obtaining a certificate, the use of these frameworks should not be seen as a guarantee of compliance, but as proof that an organization does its best to ensure that it complies with the GDPR.
Let’s take a closer look.
1. The Secure Control Framework (SCF) EU GDPR Compliance Criteria (EGCC):
a. What it does: The full SCF consists of hundreds of controls, many of which fall outside the scope of the GDPR, and maps them to dozens of frameworks. For the EGCC, the SCF displays only GDPR-relevant controls.
b. Who it’s for: Companies that:
1. have not adopted CSA STAR (see below), and
2. are not ISO/IEC certified.
2. CSA Code of Conduct (CoC) for GDPR, when implemented in conjunction with the CSA Cloud Controls Matrix (CCM), Version 4 (collectively, “CoC/CCM”):
a. What it does: The CSA CoC/CCM for GDPR Compliance provides a consistent and comprehensive framework for complying with the GDPR, as well as transparency guidelines regarding the level of data protection offered by a cloud service provider.
b. Who it’s for: certain companies that are data processors.
1. For companies that choose to be audited (i.e. CSA STAR attested/certified), CoC/CCM allows formal attestation of GDPR compliance.
2. Companies that do not wish to undergo a CSA STAR audit can submit a self-assessment and receive a certificate indicating that GDPR compliance is “declared” and not “certified”.
3. ISO/IEC 27701 is ISO’s approach to a kind of “GDPR framework”:
a. What it does: Creates a Privacy Information Management System (PIMS). ISO/IEC 27701 adds an extended set of privacy controls, based on GDPR requirements, to the existing ISO/IEC 27001 Annex A controls. The framework is composed of three sections: the first covers the specific requirements for a PIMS, that is, the extensions of existing controls in an information security management system (ISMS) under ISO 27001. The other two sections are additional annexes: one for data controllers and the other for data processors. Note that an organization can operate as both.
b. Who it is for: Companies that:
1. are data controllers and/or data processors,
2. are ISO/IEC 27001 certified,
3. process personally identifiable information (PII), and
4. want an auditable standard to validate their GDPR compliance certification.
4. ISO/IEC 27018, the international standard for protecting PII in the cloud:
a. What it does: This is the standard for protecting PII in cloud storage. It provides additional useful implementation guidance for the controls published in ISO/IEC 27001 and defines additional guidance for protecting PII in the cloud.
b. Who it’s for: ISO/IEC 27001 certified cloud service providers
c. Note: A fully cloud-based organization can implement either this standard or ISO/IEC 27701, but ISO/IEC 27018 is less rigorous and easier to implement.
Why Choose Privacy
Privacy is too important for an organization to settle for a tick-off certification. A company’s stakeholders should know that the company takes data privacy seriously. Not just because companies have been ruined for breaking customer trust, but because adopting privacy frameworks allows a business to grow. With an ongoing privacy compliance system that uses automation, privacy posture is continuously monitored, so an organization demonstrates its full-time commitment to protecting data privacy, even as the world becomes more complex. Privacy needs to become as integral to your business as your security compliance. (Or as it should be, at least.)
Consumers want to be able to trust the organizations that process their data. Adopting privacy frameworks enables a company to seize new opportunities and form new alliances. Because people have always cared about privacy. So be a company that takes the trust of its customers seriously.
*The information provided in this blog, like any other content on this website, does not constitute and is not intended to constitute legal advice.