By Dave Parsons, Chief Information Security Officer at Abacus Group
Our Abacus Group Information Security team is nearing completion of an internal data privacy project to ensure Abacus’s compliance with the new EU General Data Protection Regulation (GDPR) as well as Privacy Shield Certification.
The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). When the GDPR takes effect on May 25th, 2018, it will replace the EU’s Data Protection Directive of 1995.
Some important things to know about GDPR and who is responsible for compliance:
The GDPR places legal obligations on all data controllers and processors. A data controller is defined as the entity which determines the purposes and means of processing personal data, and the data processor is defined as the entity which processes the personal data on behalf of the controller. GDPR applies to processing carried out by organizations within the EU as well as organizations outside the EU that process or control data related to living EU residents or nationals.
It primarily focuses on individual data, which is defined in two categories: ‘personal data’ and ‘sensitive personal data.’ Personal data includes data such as email and physical addresses as well as any information that can be used as an online identifier, e.g. an IP address. Sensitive personal data casts a wider net and covers data elements such as health, biometric, or genetic data. GDPR requires organizations to maintain a plan to detect a data breach, regularly evaluate the effectiveness of security practices, and document evidence of compliance. Instead of giving specific technical direction, the regulation puts the onus on organizations to maintain best practices for data security.
Replacing the 1995 Data Protection Directive, the GDPR represents a major adjustment to data privacy requirements. The GDPR regulation is over 200 pages long – a major overhaul of the Data Protection Directive – and is focused on harmonization of rules into a risk-based approach. It increases obligations on controllers and processors, strengthens the rights of the individuals who own their personal data, and increases enforcement, fines, and liabilities. A major concept of the GDPR is data and storage minimization – purge is good and required.
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed in 2016 by the U.S. Department of Commerce and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the EU and Switzerland to the United States in support of transatlantic commerce. (source: www.privacyshield.gov) The Privacy Shield frameworks replace the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in 2015.
Abacus Data Privacy Program
To ensure our compliance with GDPR and to become Privacy Shield certified, our team has been conducting an internal assessment and analysis, and is now in the process of implementing any necessary adjustments and improvements. Our steps to do this have included:
- Identifying and classifying personal data on our systems and establishing governance for the lifecycle of the data
- Improving the toolsets and processes for verification of controls
- Methodical analysis, review, mitigation, assignment of ownership and implementation of timelines for adjustments
- Establishment of an independent resource mechanism to allow data owners to manage use, retention and disposal
- Improvement of our policies and processes to conform to ISO/IEC 27002 and NIST security frameworks
We are looking to complete our official Privacy Shield Certification within the next few weeks, and are also well on our way to meeting GDPR compliance by the May 25th deadline.
Microsoft has a dedicated web page about GDPR that is a good starting point for finding out how this regulation applies to your business and which tools are available to manage compliance.
In addition, Microsoft offers a 10-question evaluation that provides useful insight for assessing your organization’s readiness to comply with GDPR.
Tom Cole, Director – Europe at Abacus Group, based in London, was recently interviewed by Credit Suisse Prime Services for a whitepaper on considerations for investment managers when it comes to GDPR. Read an excerpt from his interview here.