SANS Security Awareness: The security of your data is at the heart of everything we do.
It is a few years since the General Data Protection Regulation (GDPR) took effect in the European Union (EU). The GDPR defines the privacy rights of EU citizens and places responsibility on all organizations that manage, market to, or process EU citizens’ personal data to ensure the security and lawful processing of data. At SANS Security Awareness we take our responsibilities under GDPR very seriously and we regularly review our processes to ensure we are complying with the law.
What is GDPR?
The GDPR harmonizes data privacy laws across Europe and it protects and empowers EU citizens through a number of data rights. It has helped to reshape the way organizations across the EU approach data privacy.
Major Provisions:
- Data subject rights
- Data breach notification
- Safe handling and transfer of data
- Data Protection Officers (DPOs)
Put simply, the GDPR mandates a baseline set of standards for companies that handle EU citizens' data to better safeguard the processing and movement of citizens' personal data.
What type of information does the GDPR cover?
GDPR covers personal data which is defined as:
‘Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.
Data covered by the GDPR includes cookies, images, names, email addresses, employee numbers, location, occupation, gender, account records, etc., in effect any information relating to a data subject.
What about data breach notification?
The GDPR sets out how the communication of a data breach involving the data of EU citizens must be managed.
Data Controllers must notify the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours, unless the breach is likely to result in a risk to the rights and freedoms of individuals.
When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, controllers must communicate the breach to the subject without undue delay.
What requirements does GDPR impose in terms of the security of personal data?
The GDPR makes the controller responsible for implementing appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the law. The measures must be reviewed and updated where appropriate, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of data subjects. The controller shall implement secure storage of data, ongoing security, integrity and availability of data, and the ability to restore availability in a timely manner. It also calls for regular testing and evaluation of the effectiveness of the technical and organizational measures that ensure the security of the data.
The GDPR also requires that companies undertake Data Protection Impact Assessments to identify risks to consumer data where there is high risk processing.
What is a Data Protection Officer (DPO)?
The GDPR requires that certain companies appoint data protection officers. These officers advise companies about compliance with the regulation, act as a point of contact with supervisory authorities (SAs), and provide a point of contact for customers.
Data Protection Officers have expert knowledge of data protection law and practice and the ability to fulfill the tasks referred to in Article 39.
DPOs also advise processors and employees who process data, and they monitor compliance with the Regulation. In certain circumstances they also provide advice in relation to data protection impact assessments.
How does GDPR apply to an international operation such as SANS Security Awareness?
The GDPR extends requirements to international companies that collect or process EU citizens' personal data, subjecting them to the same requirements and penalties as EU-based companies.
How does it apply to SANS Security Awareness?
The EU GDPR categorizes data holders into two groups: processors and controllers.
Controllers collect, process, store, and in effect "own" the data and manage the relationship with EU data subjects.
Processors are essentially sub-contractors of controllers who may process, store, and utilize EU citizen data on behalf of a controller.
Controllers are subject to additional required measures, processes, and documentation requirements.
SANS Security Awareness is a controller when it processes individual level data.
In which jurisdiction is SANS Security Awareness data processed and how does SANS Security Awareness ensure compliance with the law?
The GDPR imposes special requirements for any data that is transferred outside of the EU. SANS Security Awareness has dedicated servers within the European Union that are used for processing all learner and training information. Data processed on these servers remains within the European Union.
We also offer a fully GDPR-compliant alternative where indicated through our Data Processing Agreements. These agreements ensure that where a Data Controller indicates that data should be sent to the United States of America to be processed on SANS Security Awareness servers, it is processed to the same high standards. This is in accordance with the European Commission and guidance from the European Data Protection Board, through the use of what are called Standard Contractual Clauses. SANS Security Awareness monitors the application of the measures required in these clauses on a regular basis.
Customers and data subjects can be absolutely sure that their data is appropriately protected at all times by SANS Security Awareness through either one of these mechanisms.