=Paper= {{Paper |id=Vol-2300/Paper66 |storemode=property |title=The Impact of GDPR on IT/IS |pdfUrl=https://ceur-ws.org/Vol-2300/Paper66.pdf |volume=Vol-2300 |authors=Vlasta Svata |dblpUrl=https://dblp.org/rec/conf/acit4/Svata18 }} ==The Impact of GDPR on IT/IS== https://ceur-ws.org/Vol-2300/Paper66.pdf
                               The Impact of GDPR on IT/IS
                                                          Vlasta Svatá
       Department of Systems Analysis, University of Economics, Prague, W. Churchill sq. 3, 130 00 Prague 3, email: svata@vse.cz


   Abstract: The article focuses on GDPR and emphasizes the implications of ensuring compliance in IS/IT. It stresses the importance of information security management and data governance. The main output is a table outlining the main responsibilities of data controllers and processors and their impact on IS/IT management.
   Keywords: GDPR, information security, data governance, IT/IS perspectives of GDPR.

                     I. INTRODUCTION

   IT professionals can act as strategic partners to businesses currently working toward compliance with the European Union General Data Protection Regulation (GDPR), scheduled to come into enforcement on 25 May 2018. Despite the fact that GDPR compliance is not solely a technology issue (it requires attention and remediation expertise from various functions within the business, e.g. human resources, legal, compliance, marketing, communications), technology acts as a common denominator across business processes and plays a significant role in the collection, processing, storage and transfer of personal data [3]. The main aim of the article is to clarify the status of personal data protection in information security management, and thereby partially reduce concerns about the introduction of the regulation into practice. At the same time, some new aspects that the new regulation brings to IT management should be highlighted.

   II. PROTECTION OF PERSONAL DATA PRIVACY, INFORMATION SECURITY AND DATA GOVERNANCE

   Confidentiality / privacy is a fundamental right, necessary for autonomy and the protection of human dignity, serving as the basis on which other human rights are built. On the other hand, IT, being integrated, globalized and mobile, fundamentally restricts the right to privacy. This fact is counterbalanced by the constant improvement of frameworks for the introduction of controls into the IS/IT environment. All of them should artificially balance the loss of privacy. The development of such countermeasures ranges from securing the primitive need to "be alone - give me peace" up to complex concepts (legal, socio-psychological, economic or political). Some of the concepts are more reactive (GDPR is an example), some are more proactive (e.g. European Data Protection: Coming of Age). That document takes into account seven categories of privacy:
• Privacy of the person: protection against unauthorized interference with the body (genetic tests, blood tests, implants, ...).
• Privacy of behavior and actions: protection of ideas, emotions, orientation - sensitive information (camera systems, police body cameras).
• Privacy of communication: protection of all communication channels (printed, voice, video, digital) (hidden microphones, mail, postal services).
• Privacy of association: the right to associate with other persons without unauthorized monitoring and marginalization (DNA tests for ethical proof, employee release based on DNA tests, ...).
• Privacy of data and image (information): protection of personal information in all forms (leakage of financial or health information, dissemination of images without the knowledge of the persons).
• Privacy of thoughts and feelings: protection against their spread or use against persons (requesting a password for access to a social network when recruiting, requesting information on religion and political orientation).
• Privacy of location and space (territorial): protection against technology that can monitor the location, space and general environment of an individual (video, drones, work and home monitoring).

   [Figure not reproduced in the text extraction.]
   Fig. 1. Privacy categories and technologies [2].
   Fig. 1 shows how individual technologies influence the privacy categories.

   [Figure not reproduced in the text extraction; the central label of the diagram reads "Personal data protection".]
   Fig. 2. Information security CIA Triad.




                          ACIT 2018, June 1-3, 2018, Ceske Budejovice, Czech Republic

   The great majority of international reactive frameworks for information security are designed to protect the confidentiality, integrity and availability of computer system data from those with malicious intentions. Confidentiality, integrity and availability are sometimes referred to as the CIA Triad of information security. Based on this definition we can conclude that protection of personal data is the preservation of confidentiality, integrity and availability of data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information. Protection of personal data can thus be viewed as the application of information security controls over a specific type of data – personal data. The base for GDPR is thus compliance with information security frameworks, but this is only a necessary, not a sufficient condition. GDPR goes beyond the information security frameworks, as its main aim is to improve data governance.
   Data governance is a term used to describe the overall, comprehensive process for controlling not only data security (CIA Triad) but efficiency, effectiveness, relevance and compliance as well. Data governance consists of the processes, methods, tools, and techniques to ensure that data is of high quality, reliable, and unique (not duplicated), so that downstream uses in reports and databases are more trusted and accurate. A data governance program should be a part of an IT governance program. While data/information security is mainly the responsibility of IT professionals (processors or third parties), data governance is the responsibility of business managers – controllers that determine the purposes and means of the processing of personal data. GDPR compliance is thus the corporate responsibility of the data controller, not of the DPO, internal auditor or CIO.

      III. PERSONAL DATA AND PERSONAL DATA PROCESSING

   Before we discuss the impact of GDPR on IT management it is necessary to specify whom the GDPR applies to and what data the GDPR applies to.
   The GDPR applies to processing carried out by organizations operating within the EU. It also applies to organizations outside the EU that offer goods or services to individuals in the EU. Transfers of personal data outside the EEA (European Economic Area) are not allowed unless the country has an adequate level of protection for the processing of personal data. For instance, in 2016 the European Commission approved the Privacy Shield, enabling easy transfer of personal data from the EU to selected companies without the need to obtain permission from the national data protection authority or to conclude a standard contractual clause with the US data processor. The GDPR applies to both ‘controllers’ and ‘processors’. The controllers determine the purposes and means of processing personal data and ensure that the contracts with processors comply with the GDPR. They are not relieved of their obligations where a processor is involved, and they shall be responsible for, and be able to demonstrate, compliance with the GDPR principles. The processors are responsible for processing personal data on behalf of a controller. They are required to maintain records of personal data and processing activities, and they will have legal liability if they are responsible for a breach. The GDPR does not apply to certain activities, including:
• activities covered by the Law Enforcement Directive
• processing for national security purposes
• processing carried out by individuals purely for personal/household activities.
   The GDPR applies to ‘personal data’ (in both automated and manual filing systems), meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. In the case of manual data, it must be accessible according to specific criteria. This could include e.g. chronologically ordered sets of manual records containing personal data. Special categories of personal data are sensitive data, pseudonymised data and children’s data. Sensitive data include genetic data, and biometric data where processed to uniquely identify an individual. Pseudonymised data (coded data) can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual. Examples are all types of electronic traces, e.g. Internet proxy addresses and cookie identifiers. Children's data processing needs the consent of the holder of parental responsibility, and the data need specific protection as children may be less aware of the risks. Personal data that are excluded from compliance are:
• data relating to criminal convictions and offences
• organizational data
• data of deceased persons
• data to help prevent crime (investigation, detection, prosecution)
• data not arranged according to the specified points of view
• anonymous data (statistics, research).
   Personal data processing is any act or set of acts that the controller or processor systematically performs with personal data by automated or other means. Examples are collecting, recording, arranging, structuring, storing information, accessing and editing. This definition of data processing is no surprise, but Article 5 of the GDPR requires that personal data shall be
• processed lawfully, fairly and in a transparent manner in relation to individuals;
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
   The requirement to have a lawful basis in order to process personal data is not new. It replaces and mirrors the previous requirement to satisfy one of the ‘conditions for processing’ under the Data Protection Act 1998. However, the GDPR places more emphasis on being accountable for and transparent about the lawful basis for processing [1]. The identification of the lawful basis is important not only because organizations should provide people with information about their lawful basis for processing (this information must be covered in the privacy notice) but also because it has big consequences for the IT/IS area. The reason is that the lawful basis for processing can also affect the rights that are to be available to individuals.
   There exist six lawful bases:




• Consent - should be given by a clear affirmative act of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
• Contract - processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.
• Legal obligation - a legitimate basis laid down by law, including the necessity for the performance of a contract to which the data subject is party.
• Vital interest - it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person (e.g. humanitarian purposes).
• Public task - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; the processing should have a basis in Union or Member State law.
• Legitimate interest - e.g. where there is a relevant relationship between the data subject and the controller, in situations such as where the data subject is a client or in the service of the controller, when it is necessary for the purposes of preventing fraud, and for direct marketing purposes.

   The GDPR provides the following rights for individuals:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.
   Fig. 3 shows the relevance between the six lawful bases and the voluntary rights for individuals (the other rights are obligatory in each case).

                          Right to    Right to      Right to
                          erasure     portability   object
   Consent                                          x
   Contract                                         x
   Legal obligation       x           x             x
   Vital interest                     x             x
   Public task            x           x
   Legitimate interest                x

   Fig. 3. Relationships between the lawful bases and rights [1].

   IV. IMPORTANT ISSUES FROM IT/IS PERSPECTIVE

   Despite the fact that GDPR, being a data governance regulation rather than a data security regulation, falls under the accountability of the board and business executives, IT professionals from both the controller's and the processor's organizations are expected to address a range of tasks that goes beyond their existing responsibilities. The extent of these tasks is influenced by the following three aspects that are specific for each organization:
• Decision about the lawful basis for personal data processing - has an impact on the scope of GDPR application (see Chapter III).
• Codes of conduct - guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor. They should include identification of the risks related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk.
• Designation of the data protection officer - represents a new role within the organization and thus requires a redefinition of the RACI chart and a redesign of the IT and business processes.
   The next table summarizes the controller's responsibilities and their impact on IT/IS.

   TABLE 1. OVERVIEW OF CONTROLLERS AND PROCESSORS GDPR RESPONSIBILITIES AND THEIR IMPACT ON IS / IT MANAGEMENT

Responsibility of the controller and processor: Data protection principles
• lawful, fair and transparent processing
• collected for specified, explicit and legitimate purposes
• minimization
• accurate data
• kept no longer than is necessary
• secure data
Impact on IT/IS: Provide consultancy on what, where and for how long personal data are collected, processed and stored.

Responsibility of the controller and processor: Implementation of the appropriate technical and organizational measures
Impact on IT/IS: Implement methods for the pseudonymisation and encryption of personal data. Ensure information security (confidentiality, integrity, availability) by choosing and implementing an appropriate framework (ISO 27000, Cobit 5, Cobit Security Baseline, ...); impact on:
• business continuity (back-up and disaster recovery plans)
• risk assessment
• access controls
• physical security
Do not engage another processor without prior specific or general written authorization of the controller. Check all contracts that are binding on the processor, whether they set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the



                              ACIT 2018, June 1-3, 2018, Ceske Budejovice, Czech Republic
                                                                       278

obligations and rights of the controller. Continuous testing, assessing and evaluating the effectiveness of technical and organizational measures.

Responsibility of the controller and processor: Approval of a certification mechanism (voluntary)
Impact on IT/IS: Adherence to the approved certification mechanism and cooperation with the certified bodies.

Responsibility of the controller and processor: Notification of a personal data breach to the supervisory authority
Impact on IT/IS: Immediate notification of the controller about a personal data breach in a formal way (breach nature, consequences, measures taken, etc.).

Responsibility of the controller and processor: Data protection impact assessment
Impact on IT/IS: Assessment of the impact of new IT on personal data protection (cloud computing, big data, IoT, BYOD, …).

Responsibility of the controller and processor: Designation of the data protection officer (DPO)
Impact on IT/IS: Support the DPO in performing the tasks (access to personal data and processing operations). Ensure that DPO tasks and duties do not result in a conflict of interests. Provide IT/IS consultancy.

Responsibility of the controller and processor: Codes of conduct
Impact on IT/IS: Adherence to the codes of conduct; impact on:
• the declaration that personal data processing is fair and transparent
• the pseudonymisation of personal data (e.g. whether the system design permits the attribution of pseudonymised data to natural persons, domain segregation is applied to separate attribution data from pseudonymised data, and access to meta-data is appropriately restricted)
• the information provided to the public and to data subjects
• the notification of personal data breaches
• the transfer of personal data to third countries
• the information security measures and procedures
Cooperation with the accredited body while monitoring compliance.

Responsibility of the controller and processor: Transfers of personal data to third countries or international organizations
Impact on IT/IS: Provide consultancy as regards the appropriate safeguards, and the condition that enforceable data subject rights and effective legal remedies for data subjects are available. Provide contractual clauses about safeguards.

Responsibility of the controller and processor: Lawfulness of processing
Impact on IT/IS: Consent processing:
• the need to record the consents, their purpose and validity, and to check them during personal data processing
• the ability to withdraw the consent at any time

Responsibility of the controller and processor: Rights of the data subject
Impact on IT/IS: Check the possibilities to automate the realization of the separate rights; impact on:
• authentication of the data subject enforcing its rights
• personal data encryption
• changes in process, data and application models (additional controls, identifiers, functions)
• changes in application interfaces (menus) supporting the communication with the data subject
• process analysis for separate rights enforcement

Responsibility of the controller and processor: Records of processing activities
Impact on IT/IS: Provide consultancy about the items needed, mainly:
• the purposes of the processing
• the categories of data subjects and the categories of personal data
• the categories of recipients
• transfers of personal data to a third country
• time limits for erasure
• a general description of the technical and organizational security measures
• the name and contact details of the processor(s)

                     V. CONCLUSION

   IT plays a dual role in the protection of personal data: in one it poses a threat, in the other it is an effective protection tool. Balancing these two roles is an endless and costly task for all organizations. As a consequence, GDPR cannot be viewed as a sprint to the finish line. It represents one of the great opportunities that provide the basis for deepening collaboration between business executives and IT professionals. In many cases, IT professionals can assure managers that the required controls are already implemented or can be done automatically; in other situations they can point out the IT risks that they pose to the protection of personal data. In any case, without deeper ongoing cooperation and communication between these parties, ensuring compliance with the GDPR will be only an investment without any value for business.

                     REFERENCES

[1] Information Commissioner's Office, Guide to the General Data Protection Regulation, 22 March 2018.
[2] ISACA, Privacy Principles and Program Management Guide, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/ISACA-Privacy-Principles-and-Program-Management-Guide.aspx
[3] O. Osagiede, Beyond GDPR Compliance – How IT Audit Can Move from Watchdog to Strategic Partner, isaca.org
[4] Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).
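As an added worked example (not code from the paper or from any project it cites), the following Python script shows how two of the Table 1 entries translate into application logic: "Lawfulness of processing" (consents recorded with purpose and validity, checked before each processing act, and withdrawable at any time) and the "Codes of conduct" point on pseudonymisation (attribution data segregated from the pseudonymised data handed to the processing domain, with access to it restricted). The class and function names, the authorised role name "dpo", the HMAC key and the sample subjects and records are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Direct identifiers stripped from every record before it leaves the controller domain.
DIRECT_IDENTIFIERS = {"subject_id", "name", "email"}


@dataclass
class Consent:
    subject_id: str
    purpose: str                       # consent is bound to one explicit purpose
    given_at: datetime
    valid_for: timedelta               # validity window recorded with the consent
    withdrawn_at: Optional[datetime] = None


class ConsentRegistry:
    """Records consents and answers: is processing for this purpose lawful now?"""

    def __init__(self) -> None:
        self._consents: List[Consent] = []

    def record(self, subject_id, purpose, given_at, valid_for) -> None:
        self._consents.append(Consent(subject_id, purpose, given_at, valid_for))

    def withdraw(self, subject_id, purpose, at) -> None:
        # Withdrawal is possible at any time; processing at or after 'at' is uncovered.
        for c in self._consents:
            if c.subject_id == subject_id and c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = at

    def is_valid(self, subject_id, purpose, at) -> bool:
        for c in self._consents:
            if c.subject_id != subject_id or c.purpose != purpose:
                continue               # consent for another purpose does not count
            if c.withdrawn_at is not None and at >= c.withdrawn_at:
                continue
            if c.given_at <= at < c.given_at + c.valid_for:
                return True
        return False


class AttributionDomain:
    """Segregated domain holding the key and index needed to attribute a pseudonym
    to a natural person; the processing domain never receives either of them."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._index: Dict[str, str] = {}

    def pseudonymise(self, subject_id: str) -> str:
        # Keyed hash: stable per subject, not recomputable or reversible without the key.
        p = hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]
        self._index[p] = subject_id
        return p

    def reidentify(self, pseudonym: str, actor_role: str) -> str:
        # Access to attribution data is restricted; "dpo" is an assumed authorised role.
        if actor_role != "dpo":
            raise PermissionError("re-identification is restricted to the authorised role")
        return self._index[pseudonym]


def process_for_purpose(records, purpose, now, registry, attribution) -> Tuple[list, list]:
    """Returns (pseudonymised records for the processing domain, refused subject ids).
    A record is processed only when a valid consent for exactly this purpose exists."""
    processed, refused = [], []
    for rec in records:
        sid = rec["subject_id"]
        if not registry.is_valid(sid, purpose, now):
            refused.append(sid)
            continue
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["pseudonym"] = attribution.pseudonymise(sid)
        processed.append(out)
    return processed, refused


def demo():
    """Constructed sample: four subjects in four consent situations."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    registry = ConsentRegistry()
    registry.record("S-001", "marketing", t0, timedelta(days=365))
    registry.record("S-002", "analytics", t0, timedelta(days=365))      # other purpose only
    registry.record("S-003", "marketing", t0, timedelta(days=365))
    registry.withdraw("S-003", "marketing", t0 + timedelta(days=10))    # withdrawn later
    registry.record("S-004", "marketing", t0 - timedelta(days=400), timedelta(days=365))  # expired
    attribution = AttributionDomain(key=b"constructed-demo-key-not-for-real-use")
    records = [  # constructed records; only 'city' is kept for the processing domain
        {"subject_id": "S-001", "name": "Alice Example", "city": "Prague"},
        {"subject_id": "S-002", "name": "Bob Example", "city": "Brno"},
        {"subject_id": "S-003", "name": "Eva Example", "city": "Ostrava"},
        {"subject_id": "S-004", "name": "Jan Example", "city": "Plzen"},
    ]
    now = t0 + timedelta(days=30)
    processed, refused = process_for_purpose(records, "marketing", now, registry, attribution)
    return processed, refused, attribution


if __name__ == "__main__":
    processed, refused, attribution = demo()
    print("processed:", processed)
    print("refused:", refused)
```

Running the script processes only S-001 for the "marketing" purpose: S-002 consented to a different purpose, S-003 withdrew consent before the processing date and S-004's consent has expired. The processing domain receives a record with the pseudonym and the city only; mapping the pseudonym back to S-001 works for the assumed "dpo" role and raises PermissionError for anyone else, which is the domain segregation and restricted attribution access the codes-of-conduct row asks for.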


