The Global Data Protection Regulation (GDPR) recently celebrated its second anniversary. Many organizations still seem to be figuring out how to navigate the two-year-old regulation as they begin to receive requests from Data Subjects—individuals whose personally identifiable information (PII) has been collected by an organization. What do you need to know about these requests? Throughout this post, I will outline the eight “fundamental rights” of the Data Subject laid out in GDPR and discuss the global impact and influence of these rights on organizations ranging from small- and medium-sized businesses (SMBs) to large enterprises. And since the regulatory and compliance requirements associated with these rights typically involve time-consuming, tedious tasks, I will explore how organizations can leverage a security orchestration, automation and response (SOAR) solution for increased efficiency and regulatory compliance.
The 8 Rights of the Data Subject
- Right of Access (Article 15): This right sets the stage for later data rights, such as the rights to erasure or rectification, but also carries some important considerations. First, the Controller must determine whether any personal data is being processed and provide the result to the Data Subject. Second, if personal data is being processed, the Controller must present a range of information to the Data Subject. Don’t forget to consider third parties or data processors that may be involved.
- Right to Rectification (Article 16): This right ensures that a Data Subject can request correction of inaccurate data or remedy incomplete data.
- Right to Erasure (Article 17): Also known as the Right to be Forgotten, this right allows Data Subjects to request that their personal data be deleted by the Controller. GDPR spells out specific instances in which the Controller must delete the data without undue delay, but there are also considerations, such as a legal investigation, that may prevent this right from being exercised. This is likely one of the more common requests that organizations can expect to fulfill.
- Right to the Restriction of Processing (Article 18): This right allows the Data Subject to request that the Controller restrict processing of their personal data based on certain criteria, such as when the Controller no longer needs the personal data for the purpose of processing, or when the processing is unlawful but the Data Subject does not wish to exercise the right of erasure. Keep in mind that the Controller must inform the Data Subject should a restriction of processing be lifted.
- Right to be Informed (Article 19): This right outlines a number of circumstances in which the Controller is required to inform the Data Subject on how their data is being used and who it was sent to. This ensures Data Subjects are informed and can therefore make an appropriate decision, or exercise other rights accordingly.
- Right to Data Portability (Article 20): This right ensures the Data Subject can request to have the personal data transferred from one Controller to another, in a readable format and where technically feasible.
- Right to Object (Article 21): If a Data Subject’s request to stop processing of their data is denied by the Data Controller, the Data Subject has the right to object to their Article 18 denial.
- Right Regarding Automated Decision Making (Article 22): This right allows the Data Subject to not be subject solely to automated decisions, including profiling, where a legal or similarly significant effect on them can occur. Article 22 also specifies exceptions to this Right, such as decisions necessary for a contract or when authorized by law. This can be particularly challenging for organizations, especially those with targeted marketing campaigns.
Outside of the eight fundamental rights of the Data Subject, there are a number of other rights or considerations organizations should be aware of. There are subsets of personal data called “sensitive data” that have special considerations around them. These include personal data for criminal convictions and offenses (Article 10) and personal data related to a child (Article 8).
Pay attention to time requirements
When responding to Data Subject requests, organizations must be aware of the information they are required to include, confirm the fulfillment of the requests, and be able to explain any and all courses of action. Keep in mind the clock is ticking. GDPR sets strict timelines for both responding to Data Subject requests (30 days) and reporting a data breach (72 hours) to Supervisory Authorities.
Organizations integrating their compliance processes into their SOAR platform can easily track these timelines and use the SOAR metrics, reporting and dashboards to ensure compliance deadlines are met. In addition to real-time displays of process timelines, the organization can use its SOAR platform to trigger workflow-based tasks such as notifications and report submissions, ensuring the processes are followed accurately and on time.
Establish key resources
When establishing your Data Privacy Program, one of the first key resources is a data discovery process that identifies and maps sensitive information throughout its lifecycle, including any exchange of information with third parties. A documented data flow along with a data classification are fundamental resources that set the tone going forward.
As you identify your organization’s sensitive data and map the data lifecycle, your next step is to classify the systems involved. A number of factors can go into assigning priority, but generally speaking, you can start with risk factors and business criticality values. Collectively, this will help your organization identify the high-risk areas that need stringent controls and protections. As you build out controls and implement supporting technologies for risk reduction, the lessons learned can be carried forward into medium- and low-risk business processes as well.
Documentation is key to confirming your organization’s awareness and understanding of data privacy. The culture shift happens once data privacy is no longer an afterthought but a consideration in any change to business processes, third party relationships, and the data used for automatic decision making.
Once your organization has set the foundation for the data privacy and security program, be sure to carry forward the requirements into discussion when selecting business partners, data processors, or other third party vendors. You can contract out business processes, but you cannot necessarily contract out ownership of risks. Your choice of SOAR platform could be critical to the success of your compliance. Are you using your SOAR platform to identify and track your resources? Are your controls being tracked and monitored by your SOAR platform? Is all of the compliance documentation fully integrated into your SOAR platform? Is your SOAR platform automatically creating and submitting all of the required compliance documents and reports? If not, maybe you should be asking yourself, “Why not?”
Other important resources are the policies and procedures that support governance, risk and compliance (GRC). Without getting into too much detail, these supporting documents are the first stop for auditors to validate control design and implementation. Not having policies and procedures in place is a quick road to noncompliance. One procedure that should be established is how the organization takes in, processes, responds to, and documents requests from Data Subjects.
Finally, is there one team or individual that handles these requests? Since this role often falls on IT Ops or security operations (SecOps) staff, be sure to weigh the impact if it is secondary to their primary job functions. It is important to have a centralized avenue for fielding and responding to requests so that Data Subject requests are not missed. SOAR can come in handy here.
IT Ops and/or SecOps teams do not need another set of tedious, manual processes taking up the precious little time they have to complete the rest of their job functions, including maintaining the network safety and security of the organization. Automating these tedious tasks with a SOAR platform helps boost IT Ops and SecOps efficacy, and it can also improve the organization’s compliance by reducing or eliminating the number of incidents that must be tracked and reported. This enables the organization to demonstrate that the control is being satisfied while also providing a standardized method for fulfilling the requests and providing supporting evidence.
Interested in learning more?
If you’re reading this, your organization is likely overwhelmed with a daily influx of alerts from an evolving threat landscape and is daunted by regulatory and compliance processes and procedures. Swimlane can help! Watch this on-demand webinar, “Streamlining Incident Response and Reporting Requirements in Compliance,” to learn how SOAR can help automate your compliance reporting.
Webinar: Streamlining Incident Response and Reporting Requirements in Compliance
As SOC teams continue to mitigate and adapt to cyberthreats, one thing remains constant—incident response will continue to require documentation and reporting. One such common compliance requirement in the energy industry is North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), which is a set of requirements designed to secure the assets necessary for operating and stabilizing North America’s bulk electric system. In this webinar replay, Bob Swanson, Compliance Research Consultant, and Jay Spann, SOAR Evangelist, discuss how SOAR can streamline and support compliance reporting and audit package creation. Watch now!