The launch of the EU General Data Privacy Regulation is a game-changer for businesses. The new regulation introduces hefty fines for non-compliance, mandatory privacy impact assessments (PIAs), and common data breach notification requirements – prospects that will shift the risk associated with data protection to increased board level attention.

The regulation has extended the definition of personal data, bringing new types of personal data under regulation. Any organization that collects, processes, and stores personal data will be affected and will need to take action to get compliant in time.

This e-book provides a high level guideline to how your organization can address the challenges posed by the GDPR, and get ahead of the curve by following Omada's two-phased approach. The approach provides best practices for implementing important changes to people, processes, and technologies in order for your organization to get GDPR compliant. By taking advantage of the impact the GDPR will have on people, processes, and technology, your organization will turn the data security challenges into competitive advantages.
www.omada.net | info@omada.net | © 2017 Omada A/S

OMADA E-BOOK: PREPARE FOR EU GDPR
The application of the EU General Data Privacy Regulation (GDPR) in May 2018 will increase the risk of running a business dramatically, unless appropriate action is taken to meet the stringent compliance requirements in due time.
2. Mandatory breach notification within 72 hours in case of data leaks, to all involved data subjects (the owners of the related data), meaning that the disclosure will go public and may result in severe reputational damage for the organization.
Personal data includes any information related to a natural person ("Data Subject") that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. Special categories of data, referred to as sensitive personal data, cover e.g. genetic data, biometric data, criminal records, or data from systematic profiling of individuals on a large scale.
The storage and control of such data classifies the organization as a Data Controller. Data Controllers that control EU citizens' privacy data are not only facing the challenge of implementing sufficient security controls and policies internally, but will also be liable for ensuring that any contractor or outsourced service provider who has access to process the data will do so in compliance with the regulation.

In other words, as a Data Controller, you are responsible and liable for the actions of everyone, including external parties who process the personal data under your control. Such organizations are called Data Processors. Data Processors include hosting companies, IT contractors, marketing agencies, payroll agencies, SaaS vendors, and many other types of businesses.
[Figure 1: a Data Controller at the centre, with its responsibility extending to SaaS Vendors, Hosting Companies and IT Contractors]

Fig.1: Your liability as a Data Controller covers not only your organization's data privacy compliance, but also the actions of external data processors and third parties.
There is little acceptance of organizations not having taken appropriate measures, and the fines for severe security breaches can amount to up to € 20M or 4% of your global annual turnover. Fines can also be issued if an audit reveals you are not in compliance, even though you have not been exposed to a data breach.

However, if you are able to document that you have taken the required measures to protect data, the fines will be significantly reduced, or may even be eliminated completely. Hence, your ability to document and prove the appropriate level of compliance to authorities, auditors, customers, and collaboration partners will provide you with a competitive edge and minimize your risk.
2. Ensure that all collected personal data is given to you under consent of the data subjects (persons)
4. Conduct security awareness training within your own organization and for your data processors
6. Investigate if you are lacking technologies to cover the fundamental security requirements from a tech perspective
This step includes discovering, identifying and classifying in-scope systems, files and data repositories containing GDPR data. It also includes producing an overview of who has access to what, and ensuring that only the right users have access to the data they require to do their job.
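The access overview and "only the right users" check described above can be expressed as a small access review. The following Python is an added illustration, not code from the e-book or from Omada's product: it assumes a constructed list of in-scope (GDPR-classified) systems, a role model saying which systems each job role legitimately needs, and an export of current user-to-system assignments, and it flags every assignment to an in-scope system that no role of the user justifies.

```python
from collections import defaultdict

# Constructed sample data (not from the e-book): systems classified as holding GDPR data
IN_SCOPE_SYSTEMS = {"hr-payroll", "crm", "support-tickets"}

# Constructed role model: the in-scope systems each job role needs to do its work
ROLE_ENTITLEMENTS = {
    "payroll-clerk": {"hr-payroll"},
    "sales-rep": {"crm"},
    "support-agent": {"support-tickets", "crm"},
}

# Constructed IAM export: which roles each user holds, and which systems they can currently access
USER_ROLES = {
    "alice": {"payroll-clerk"},
    "bob": {"sales-rep"},
    "carol": {"support-agent"},
    "dave": set(),            # no role at all, e.g. a leaver whose accounts were never removed
}
ASSIGNMENTS = [
    ("alice", "hr-payroll"), ("alice", "crm"),
    ("bob", "crm"),
    ("carol", "support-tickets"), ("carol", "crm"), ("carol", "build-server"),
    ("dave", "hr-payroll"),
]


def access_overview(assignments, in_scope):
    """Who has access to what, restricted to the in-scope (GDPR) systems."""
    overview = defaultdict(set)
    for user, system in assignments:
        if system in in_scope:
            overview[system].add(user)
    return {system: sorted(users) for system, users in overview.items()}


def excess_access(assignments, user_roles, role_entitlements, in_scope):
    """Return (user, system) pairs where an in-scope system is assigned but no role of the user justifies it.

    Out-of-scope systems are ignored: the review is about personal data, not every entitlement.
    """
    findings = []
    for user, system in assignments:
        if system not in in_scope:
            continue
        roles = user_roles.get(user, set())
        allowed = set().union(*(role_entitlements.get(role, set()) for role in roles))
        if system not in allowed:
            findings.append((user, system))
    return findings


if __name__ == "__main__":
    for system, users in access_overview(ASSIGNMENTS, IN_SCOPE_SYSTEMS).items():
        print(f"{system}: {', '.join(users)}")
    for user, system in excess_access(ASSIGNMENTS, USER_ROLES, ROLE_ENTITLEMENTS, IN_SCOPE_SYSTEMS):
        print(f"EXCESS: {user} has {system} without a justifying role")
```

On the constructed data the overview lists alice and dave on hr-payroll, and the review flags alice's CRM access and dave's payroll access as entitlements to revoke or to have a data owner re-approve. The same shape works on a real export once the in-scope systems and the role model come from the discovery and classification step.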
If it is determined that your organization processes a special category of data called 'sensitive personal data', a detailed privacy impact assessment ("PIA") must be undertaken and documented.
2. Ensure that all collected personal data is given to you under consent of the data subject (the person)
EU GDPR requires that explicit consent is obtained from people when collecting their data. Consent under the GDPR requires clear affirmative action by the data subjects. Silence, pre-ticked boxes, or inactivity do not constitute consent. When collecting consent you must ensure that it is freely given, specific, informed, and provides an unambiguous indication of the individual's wishes. Furthermore, consent must be verifiable.
This step involves validating that your organization has documented consent for all personal data you hold, and deciding what data to keep. The records must include how and when consent was given.
You must also implement processes for a person to withdraw their consent at any time, and a process to support the person's "right to be forgotten", making sure you securely delete data for which your organization does not have proper consent, or for which the person has withdrawn his or her consent.
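The consent records, withdrawal process and deletion of data without consent described in this step can be modelled as a small consent register. The following Python is an added example, not code from the e-book or from Omada; the record layout, the `affirmative` flag and the sample subjects are constructed for illustration. Each record stores how and when consent was given (so it is verifiable), withdrawal is recorded rather than erased, and a deletion queue lists every held data item for which no valid consent remains.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    method: str                      # how consent was given, e.g. "web-form-checkbox"
    given_at: datetime               # when it was given (UTC)
    withdrawn_at: Optional[datetime] = None


class ConsentRegister:
    """Append-only register of consents; withdrawal is recorded, never deleted, to keep the audit trail."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str, method: str,
                       given_at: datetime, affirmative: bool) -> ConsentRecord:
        # Silence, pre-ticked boxes or inactivity are not consent: refuse to record anything
        # that did not come from a clear affirmative action by the data subject.
        if not affirmative:
            raise ValueError("consent requires a clear affirmative action by the data subject")
        record = ConsentRecord(subject_id, purpose, method, given_at)
        self._records.append(record)
        return record

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> int:
        """Mark every active consent of this subject for this purpose as withdrawn; return how many."""
        count = 0
        for record in self._records:
            if (record.subject_id == subject_id and record.purpose == purpose
                    and record.withdrawn_at is None):
                record.withdrawn_at = at
                count += 1
        return count

    def has_valid_consent(self, subject_id: str, purpose: str) -> bool:
        return any(r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records)

    def deletion_queue(self, held_data: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
        """Given (subject_id, purpose) pairs for data you hold, return those lacking valid consent.

        Everything returned must be securely deleted (no consent, or consent withdrawn).
        """
        return [(subject, purpose) for subject, purpose in held_data
                if not self.has_valid_consent(subject, purpose)]


def demo() -> List[Tuple[str, str]]:
    """Constructed walk-through: two subjects, one withdrawal, one data item never covered by consent."""
    register = ConsentRegister()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    register.record_consent("subj-001", "newsletter", "web-form-checkbox", t0, affirmative=True)
    register.record_consent("subj-002", "newsletter", "signed-paper-form", t0, affirmative=True)
    register.record_consent("subj-002", "profiling", "web-form-checkbox", t0, affirmative=True)
    # subj-002 withdraws consent for profiling a week later
    register.withdraw("subj-002", "profiling", datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc))
    held = [("subj-001", "newsletter"), ("subj-002", "newsletter"),
            ("subj-002", "profiling"), ("subj-003", "newsletter")]
    return register.deletion_queue(held)


if __name__ == "__main__":
    for subject, purpose in demo():
        print(f"delete: {subject} / {purpose}")
```

Running the demo queues subj-002's profiling data (consent withdrawn) and subj-003's newsletter data (no consent on record at all) for deletion, while data with an active, documented consent stays. A production register would additionally persist the records and tie the deletion queue to the actual erasure job, which is outside what this page describes.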
This step includes appointing a DPO (Data Protection Officer) if your organization processes personal data (more than 250 individual persons) or performs high risk processing of sensitive personal data.

DPOs are responsible for advising on and monitoring GDPR compliance, and for being the point of contact for authorities.
4. Conduct security awareness training within your own organization and for your data processors
The GDPR requires "the appropriate data protection training to personnel having permanent or regular access to personal data." The training should ultimately cover your organization's privacy policy. The training of the policy

The training must be repeated annually, and records of who has conducted the training and when must be maintained.
This step includes putting clear and effective processes in place for handling data breaches.

As an example, your security breach management process must notify any data breach to the supervisory authority within 72 hours of discovery, unless you can show that the breach is unlikely to pose any risk to individuals. High-risk data breaches must also be notified to the individuals themselves, unless the data has been encrypted. You will also be required to maintain a log of all data breaches.
Our recommendation is to develop and maintain a data privacy incident / breach plan including the following elements:
• Implement notification workflows of the breach to internal stakeholders, supervisory authorities, and potentially the individuals themselves
• Implement breach containment workflows, including suspending accounts or revoking the entitlements that caused the data leakage
• Implement forensics workflows for further damage limitation and investigation of the cause of the breach
We recommend that you methodically evaluate and document whether sufficient IT security technologies are in place to support the mandatory processes outlined by GDPR and to ensure the data is safe from willful misuse such as external and internal hackers.
GDPR contains new requirements for contracts (Data Processor Agreements) with data processors, as well as contracts between data controllers. Each party should be categorized (as data processor or data controller) and contracts should be reviewed for compliance with GDPR.

The contracts shall include the transfer of legal liability to your data processors, to ensure your contractors or collectors are liable in case of their inadequate protection of data that may cause you to be fined by authorities.
Define a plan for the next phase, "Stay in Control". The plan contains an overview of which remaining deliverables are to be performed for achieving continuous compliance with EU GDPR.
LEARN MORE

Omada is a leading provider of compliance solutions worldwide. As part of our offering, Omada provides a unique IAM solution highly relevant for EU GDPR compliance.

Identity and access management (IAM) and access governance is a core discipline to achieve compliance with the data security and access management aspects of the GDPR. Omada's solution provides built-in best practices to support a range of processes that are important for EU GDPR compliance: to get in control and stay in control.

For additional information on how to "Get in Control" and how to "Stay in Control", and how Omada can assist you with getting the results you need for each of these phases, please contact us at info@omada.net.
Disclaimer:
The purpose of this document is to provide an understanding of how organizations may address the technological challenges of the EU GDPR. The information in this document has been prepared with the greatest care. Omada can, however, not assume any guarantee for the accuracy of this information in regard to the requirements introduced by the EU GDPR. The information provided in this document is not meant to be an exhaustive list of examples on how to achieve compliance with the EU GDPR. The intent is to analyze the EU GDPR from the identity and access management (IAM) perspective and demonstrate where IAM can help in achieving compliance with the regulation.
Omada is a market-leading provider of solutions and services for identity management and access governance. Omada enables organizations to achieve sustainable compliance, reduce risk exposure, and maximize efficiency. Omada's solutions efficiently manage and control users' access rights to applications and data, reducing IT costs and resource intensive administration processes.

Established in 2000, Omada has operations in North America and Europe, delivering solutions directly and via a network of skilled partners and system integrators. Omada is recognized as a trusted advisor and has provided advanced identity management solutions for organizations with some of the largest and most complex IT infrastructures in the world.

Download Gartner's Critical Capabilities 2016 for IGA: omada.net/IGAreport