
Data processors under the GDPR

In our monthly GDPR Updates we discuss various key issues of the General Data Protection Regulation (EU) 2016/679 (the GDPR), which applies from 25 May 2018. With the introduction of the GDPR, the existing Directive 95/46/EC and its implementation in the local laws of the various EU Member States will be repealed. The GDPR will bring significant and substantial changes with respect to the processing of personal data. It introduces several new concepts, such as Privacy by Design, Privacy by Default and Data Portability. As the GDPR contains several onerous obligations that require significant preparation time, organisations are advised to start the implementation process in good time.

We notice that personal data protection is becoming more and more topical within organisations, and that the first steps towards compliance with the GDPR are undertaken. Our GDPR Updates illustrate the relevant changes resulting from the GDPR and provide readers with practical recommendations on the implementation of the GDPR within their organisations.

In the August edition of our GDPR Updates we address the position of the data processor. Under the GDPR the data processor is given certain specific responsibilities, meaning that it will no longer be only the data controller who is responsible for compliance with the privacy regulations. From 25 May 2018 the data processor, too, can be held liable for not complying with the GDPR requirements and related legislation.

If the data processor falls within the territorial scope of the GDPR (data processors will be confronted with an expansion of the territorial scope of the European privacy regulations), the data processor could face the following obligations:

  • the obligation to designate a representative in the EU if the data processor is not established in the EU but its processing is related to (i) the offering of goods and/or services to data subjects in the EU; or (ii) the monitoring of data subjects in the EU;
  • complying with the mandatory requirements with regard to the content of the processing agreement as set out in Article 28 GDPR;
  • the obligation to maintain a written record of processing activities. Note that this obligation is not applicable to organisations employing fewer than 250 employees, unless (i) the processing is likely to result in a risk to the rights and freedoms of data subjects, (ii) the processing is not occasional, or (iii) the processing includes special categories of data. Data processors that provide services whereby the processing of personal data is standard practice are not likely to fall within the scope of the exceptions and will therefore be obliged to maintain a written record of processing activities (e.g. SaaS, hosting and other cloud service providers);
  • the obligation to designate a data protection officer if (i) the data processor is a public authority or body; (ii) its core activities consist of processing on a large scale of special categories of personal data or data relating to criminal convictions; or (iii) its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; and
  • the obligation to notify the data controller (without undue delay) after becoming aware of a breach of the processed personal data and assist the data controller in ensuring compliance with its subsequent obligations towards the competent supervisory authorities and (where necessary) the data subjects.

Instead of only being contractually liable on the basis of a processing agreement with a data controller, under the GDPR data processors will also be subject to administrative liability in case of non-compliance. Administrative fines can increase up to EUR 20 million or (if higher) 4% of the total worldwide annual turnover of the organisation concerned. In addition to administrative liability and contractual liability towards the data controller, a data processor can be held liable towards data subjects who have suffered damages as a result of a breach of the GDPR by the data processor.

Organisations are recommended to carefully examine their positions within the various data processing activities and to make a very clear assessment of the associated responsibilities and obligations. A careful inventory should be made of the parties involved in the various personal data processing activities within an organisation and their roles (data controller, co-controller or joint controller, data processor, sub-processor, et cetera). This is particularly relevant as the division of roles directly influences the responsibilities a party has in the personal data processing activity, as well as the corresponding liability.

Please click here to read the entire August GDPR Update.


FBI Warns Cyber Criminals Are Targeting Unsecured FTP Servers In The Healthcare Industry

On March 22, 2017, the FBI issued a Private Industry Notification, warning that criminal actors are actively targeting File Transfer Protocol (FTP) servers operating in “anonymous” mode and associated with medical and dental facilities to “access protected health information (PHI) and personally identifiable information (PII) in order to intimidate, harass, and blackmail business owners.” FTP servers are used to transfer files between various parties. When an FTP server is placed in anonymous mode, it allows a user to authenticate to the server with a common username such as “anonymous” or “ftp” without submitting a password, or by submitting a generic password or e-mail address.

The FBI warns that cyber criminals could use an FTP server in anonymous mode to store malicious tools or launch targeted cyber attacks. Therefore, “any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft, or financial fraud.”

The FBI recommends that medical and dental healthcare entities ask their IT services personnel to check their networks for FTP servers running in anonymous mode. If a business has a legitimate use for operating an FTP server in anonymous mode, administrators should ensure that no sensitive PHI or PII is stored on that server.
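The check the notification recommends, written here as an added example (it is not code from the FBI notification or the original post): check_anonymous_ftp() attempts the anonymous login described above against a server you administer and reports whether it was accepted. start_fake_ftp() is a constructed stand-in for a real server so the example runs offline; the e-mail address used as the password is a placeholder.

```python
import ftplib
import socket
import threading


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """True if host:port grants an anonymous FTP login, False if it refuses
    one, None if nothing at host:port answered as an FTP server."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except OSError:
        return None
    try:
        # RFC 1635 convention: user "anonymous", an e-mail address as password.
        ftp.login(user="anonymous", passwd="audit@example.com")
        allowed = True
    except ftplib.error_perm:  # 5xx reply: server refused anonymous access
        allowed = False
    finally:
        try:
            ftp.quit()
        except (OSError, EOFError, ftplib.Error):
            ftp.close()
    return allowed


def start_fake_ftp(allow_anonymous):
    """Constructed stand-in for a real server: a one-shot responder on
    127.0.0.1 that implements only USER/PASS/QUIT. Returns its port."""
    srv = socket.create_server(("127.0.0.1", 0))

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 constructed FTP responder ready\r\n")
        for line in conn.makefile("rb"):
            cmd = line.decode("ascii", "replace").strip().upper()
            if cmd.startswith("USER"):
                conn.sendall(b"331 Please specify the password.\r\n")
            elif cmd.startswith("PASS"):
                conn.sendall(b"230 Login successful.\r\n" if allow_anonymous
                             else b"530 Login incorrect.\r\n")
            else:  # QUIT (or anything unexpected) ends the session
                conn.sendall(b"221 Goodbye.\r\n")
                break
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run it against a list of your own hosts and treat any True result as a finding to review against the data stored on that server.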

The FBI encourages businesses to report information concerning suspicious or criminal activity to their local FBI office or the FBI’s 24/7 Cyber Watch.

A copy of the notification can be found here.


NIST and USCG Issue New Maritime Industry Cybersecurity Profile

In 2013, President Obama issued Executive Order 13636 and directed the Director of the National Institute of Standards and Technology (NIST) to “lead the development of a framework to reduce cybersecurity risks to critical infrastructure” (Cybersecurity Framework).  The Cybersecurity Framework was published in February 2014.  A number of industries are integrating the Cybersecurity Framework, including by creating industry-focused Framework Profiles (Profiles) as described in the Cybersecurity Framework.

This month, NIST and the United States Coast Guard (USCG) released a “Maritime Bulk Liquids Transfer Cybersecurity Framework Profile” (Bulk Liquids Transfer Profile) to address the vulnerabilities in the transfer process of bulk hazardous liquids in the maritime industry. These transfers are often part of a sophisticated supply chain that uses multiple networked systems, which makes them vulnerable to attack. The new profile serves to assist in cybersecurity risk assessments for those entities involved in maritime bulk liquids transfer operations as overseen by the USCG, and is intended to act as “non-mandatory guidance to organizations conducting” maritime bulk liquids transfer operations within facilities and vessels under the regulatory control of the USCG under the Code of Federal Regulations 33 CFR 154-156.

The stated benefits of creating the new Bulk Liquids Transfer Profile include:

  • Compliance reporting becoming a byproduct of running an organization’s security operation;
  • Adding new security requirements will become more straightforward;
  • Adding or changing operational methodology will be less intrusive to ongoing operations;
  • Minimizing future work by future organizations;
  • Decreasing the chance that organizations will accidentally omit a requirement;
  • Facilitating understanding of the bulk liquid transfers environment to allow for consistent analysis of cybersecurity-risk; and
  • Aligning industry and USCG cybersecurity priorities.

Other benefits include strengthening strategic communications between:

  • Risk executives and operational technology integration of cybersecurity capabilities;
  • Personnel involved in cybersecurity governance processes and operational technology oversight; and
  • Enterprises who are just becoming aware of cybersecurity recommended practices with subject matter expertise and the collective wisdom of industry experts.

The new profile can be found here.


New York Proposes First-in-the-Nation Cybersecurity Regulation for Financial Institutions

On September 13, 2016, the New York Department of Financial Services introduced a new rule that would require banks, insurance companies and other financial institutions regulated by the Department to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety of New York’s financial services industry. The proposed regulation is subject to a 45-day notice and public comment period, following its September 28, 2016 publication in the New York State Register, before final issuance.

Under the proposed rule, regulated financial institutions would be required to:

  • Establish a cybersecurity program;
  • Adopt a written cybersecurity policy;
  • Designate a Chief Information Security Officer responsible for implementing and overseeing the new cybersecurity program and policy; and
  • Have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to third parties.

Establishment of a Cybersecurity Program

According to the proposed rule, regulated financial institutions will need to establish a “cybersecurity program designed to ensure the confidentiality, integrity and availability of information systems that performs five core cybersecurity functions:”

  • Identification of cyber risks.
  • Implementation of policies and procedures to protect against unauthorized access, use or other malicious acts.
  • Detection of cybersecurity events.
  • Responsiveness to identified cybersecurity events to mitigate any negative events.
  • Recovery from cybersecurity events and restoration of normal operations and services.

Additional requirements for each “cybersecurity program” include:

  • Annual penetration testing and vulnerability assessments.
  • Implementation and maintenance of an audit trail system to reconstruct transactions and log access privileges.
  • Limitations and periodic reviews of access privileges.
  • Written application security procedures, guidelines and standards that are reviewed and updated by the CISO at least annually.
  • Annual risk assessment of the confidentiality, integrity, and availability of information systems; adequacy of controls; and how identified risks will be mitigated or accepted.
  • Employment and training of cybersecurity personnel to stay abreast of changing threats and countermeasures.
  • Multi-factor authentication for individuals accessing internal systems who have privileged access or to support functions including remote access.
  • Timely destruction of nonpublic information that is no longer necessary except where required to be retained by law or regulation.
  • Monitoring of authorized users and cybersecurity awareness training for all personnel.
  • Encryption of all nonpublic information held or transmitted.
  • Written incident response plan to respond to, and recover from, any cybersecurity event.

Adoption of a Cybersecurity Policy

The new rule would require regulated financial institutions to adopt a written cybersecurity policy, setting forth “policies and procedures for the protection of their information systems and nonpublic information that addresses, at a minimum, the following:”

  • Information security.
  • Data governance and classification.
  • Access controls and identity management.
  • Business continuity and disaster recovery planning and resources.
  • Capacity and performance planning.
  • Systems operations and availability concerns.
  • Systems and network security.
  • Systems and network monitoring.
  • Systems and application development and quality assurance.
  • Physical security and environmental controls.
  • Customer data privacy.
  • Vendor and third-party service provider management.
  • Risk assessment.
  • Incident response.

Creation of Chief Information Security Officer

The new rule would require regulated financial institutions to designate a qualified individual to serve as a CISO, responsible for “overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy.”  The new rule also would require the CISO to “report to the board, at least bi-annually to:”

  • Assess the confidentiality, integrity and availability of information systems.
  • Detail exceptions to cybersecurity policies and procedures.
  • Identify cyber risks.
  • Assess the effectiveness of the cybersecurity program.
  • Propose steps to remediate any inadequacies identified.
  • Include a summary of all material cybersecurity events that affected the regulated institution during the time period addressed by the report.

Third Party Protections

The new rule also would require regulated financial institutions to have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties, including the following:

  • Identification and risk assessment of third parties with access to such information systems or such nonpublic information.
  • Minimum cybersecurity practices required to be met by such third parties.
  • Due diligence processes used to evaluate the adequacy of cybersecurity practices of such third parties.
  • Periodic assessment, at least annually, of third parties and the continued adequacy of their cybersecurity practices.

A draft of the proposed rule is here.


CASL compliance undertakings continue to mount

Another company that is well-known to consumers has agreed to enter into a compliance undertaking with the CRTC for alleged CASL violations.  Kellogg Canada Inc. has paid a monetary penalty of $60,000 and undertaken to enter into a compliance program to better address elements such as:

  • written CASL compliance policies and procedures;
  • training programs for employees;
  • tracking CASL complaints and resolution; and
  • monitoring and auditing mechanisms to assess compliance.

Notably, the compliance issues arose from messages that were sent not only by Kellogg but also by its third-party service providers, and not long after CASL entered into force in July 2014. This was a time when many companies were early in the process of familiarizing themselves with the many CASL requirements and implementing programs to make sure that databases, third-party agencies (marketing companies and other service providers) and internal procedures were all in line.

The CRTC’s Notice regarding Kellogg’s 2014 compliance issues comes only a month after the CRTC issued its Enforcement Advisory to businesses and individuals on how to keep records of consent (see our recent blog post here), and less than a year before the Private Right of Action becomes available in Canada under CASL legislation, meaning that the CRTC will not be the only one taking businesses to task for CASL compliance.
