Guidelines for SME adaption to GDPR Case study of Evalent

Academic year: 2022

German Fischer

Information Security, master's level (120 credits) 2020

Luleå University of Technology

Department of Computer Science, Electrical and Space Engineering

Abstract

In May 2018 a new data protection law will come into force. This law will be mandatory for all EU countries. The name of this new law is GDPR, the General Data Protection Regulation.

GDPR will replace the current Data Protection Directive 95/46/EC. The purpose of this new law is to enforce stronger integrity and data protection in all EU countries. The law will be mandatory for all companies which collect personal data. If a company fails to adapt to GDPR it could get a fine of up to 20 million euro or 4% of its revenue. The question that arises is what companies have to do in order to adapt to the new law, and which tools could be used for that.

For now there are 2 codes of conduct that manage GDPR compliance for cloud computing. The problem is that these codes of conduct contradict each other and aren't based on practical cases [9]. Besides codes of conduct there are some frameworks. These frameworks are developed by different companies and don't seem to be applicable to all types of companies; some of them are missing some GDPR components.

The main problem is that there is a law which companies have to adapt to, but there is no clear description of how to do that. There is no general framework or guidelines that all could follow. In order to deal with these problems there is a need for general guidelines which every company could take and use in order to adapt to GDPR. Because there are several company types out there and time and resources are limited, this thesis will focus on SMEs.

The purpose of this thesis is to create GDPR implementation guidelines for SMEs, based on a case study in which an existing GDPR framework will be applied and modified. The contributions of this research will be GDPR guidelines for SMEs, an examination of existing frameworks, the design process of these guidelines, the implementation of GDPR in an organisation and, of course, the thesis itself.

The scientific method that will be used in order to create the guidelines is action design research, the purpose of which is implementing and evaluating an artifact in an organisation in order to produce new knowledge.

The first step will be a literature review to find out which GDPR compliance frameworks exist and which gaps those frameworks may have. Then the framework most appropriate for SMEs will be selected. The selected framework will then be used for the GDPR implementation in the company Evalent. During this implementation lessons will be learned, from which suggestions for improving the framework will be derived. Then the original framework will be changed according to those suggestions, and from this the guidelines will be created.

The first outcome of this thesis is the suggestion that Nymity's Privacy Management Accountability Framework is the framework most appropriate for GDPR implementation, because it addresses all GDPR components. The second outcome of this thesis is the GDPR implementation using this framework. The third outcome is GDPR implementation guidelines for SMEs, based on the modification of the selected framework by lessons learned during the implementation.

Table of contents

Abstract 1

Table of contents 3

List of tables 7

List of figures 8

1. Introduction 9

1.1 Problem description 10

1.2 Research questions 11

1.3 Research outcome 11

1.4 Expected contribution 11

1.5 Limitations for the thesis 12

1.6 Benefits of the study 12

1.7 Evalent the case study company 13

2 GDPR background 14

2.1 GDPR central concepts 15

2.2 GDPR dimensions 17

2.2.1 Security models 18

2.2.2 Risk management 19

2.2.3. Security testing 19

2.3 GDPR implementation management 19

2.3.1 PDCA cycle as implementation methodology 19

2.3.2 Outsourcing and inhouse IT 20

2.3.3 SME criteria from management perspective 21

2.4 Frameworks and policies 22

2.4.1 Definition of a framework 22

2.4.2 GDPR framework 22

2.4.2 Policy 23

3. Literature review 23

3.1 Existing frameworks 24

3.1.1 Nymity’s Privacy Management Accountability Framework 24

3.1.2 APSs GDPR FRAMEWORK 26

3.1.4 Copenhagen Compliance GDPR framework 32

3.1.5 Information commission framework 34

3.2 Research gaps 36

4. Research method 38

5. Design 41

5.1 Framework selection process 42

5.1.1 Step one 42

5.1.2 Step two 43

5.1.3 Step three 43

5.2 Implementation of GDPR in Evalent 43

5.2.1 Preparation 44

5.2.1.1 Understanding of Evalent and its processes 44

5.2.1.2 Stakeholder analysis 44

5.2.1.3 Risk and issue management 45

5.2.2.4 Project team 45

5.2.2.5 Status reporting 45

5.2.2 Project execution plan 45

5.2.2.1 Requirement collection 45

5.2.2.2 Implementation of requirements 46

5.2.2.3 Project closure 47

5.2.3 Evaluation of implementation 47

5.4 Guidelines creation 48

5.5 Evaluation of guidelines 49

6. Executions and result 51

6.1 Execution of framework selection 51

6.2 Execution of GDPR Implementation in Evalent 52

6.2.1 Execution of preparation 52

6.2.1.1 Understanding of Evalent and its processes 52

6.2.1.2 Stakeholder analysis 54

6.2.1.3 Risks and issues. 54

6.2.1.4 Project team 55

6.2.1.5 Status reporting 55

6.2.2 Project execution 55

6.2.2.1 Requirement collection 55

6.2.2.2 Implementation of requirements 62

6.2.2.3 Result 81

6.2.2.4 Project closure 82

6.2.3 Evaluation of project execution 82

6.3 Guidelines creation 83

Chapter seven 114

7. Guidelines evaluation 114

7.1 GDPR component check 114

7.2 Generality check 115

Chapter eight 116

8. Discussion and conclusions 116

9. References 118

Appendix 123

Appendix 1 - GDPR policy 123

GDPR policy 123

Purpose 123

Principles 123

Privacy 123

Overview 123

Purpose of data processing 123

legal basis for data collection 124

Customers consent 124

Agreement 124

Balance of interests 124

Correctness of data 124

Information 124

Right to transfer data 124

Transparency 124

Right to be forgotten 124

Storage time 124

Objections/complaints 125

Suppliers 125

Employees 125

eValents customer 125

Customers of customers 125

HR 125

Security 126

Incident Management 126

Email 126

Law enforcement 126

Privacy by design 126

Questions 127

Appendix 2 - Security policy 127

Security policy 127

Password/PIN-kod 127

Computers, phones and other media 128

BYOD 128

Customers, customers shops and cards 128

Data and personal information in physical format 129

Secrecy 129

PIA 129

HR 129

Exit 130

Appendix 3 - Hosting policy 130

Hosting policy 130

Access 130

Software 130

Equipment 130

New colleagues 131

Leavers 131

Networking 131

Incident Management 131

External services 132

Magento 132

Appendix 4 - Routines 132

GDPR routines and checklists 132

Routines 132

Collection 133

Movement of data 133

Erasure of data 133

Correction of information 134

Collected data 134

Data portability 134

Checklist for incident management 134

Privacy by default - checklist 135

List of tables

Table number  Content description  Page number

Table 1 GDPR components that are handled by Framework for Demonstrable GDPR Compliance: A mapping of the Nymity's Privacy Management Accountability Framework to GDPR Compliance Obligations 25

Table 2 Information about how APSs GDPR FRAMEWORK framework is fitting GDPR dimensions

28

Table 3 Information about how IBMs GDPR framework is fitting GDPR dimensions

30

Table 4 Information about how Copenhagen Compliance framework is fitting GDPR dimensions

33

Table 5 Information about how ICO is addressing GDPR dimensions 42

Table 6 Criteria list for framework evaluation and selection 36

Table 7 Matching table of framework and GDPR implementation flow chart 42

Table 8 Business structure evaluation overview 43

Table 9 Audit protocol 44

Table 10 Audit protocol 44

Table 11 Addressed requirement in existing security policy 56

Table 12 Technical requirement that are met 59

Table 13 Matching between framework and implementation 68

Table 14 GDPR component checklist for guidelines validation 52, 114

Table 15 Organisation checklist for guidelines validation 53, 116

Table 16 Check if requirements handle all GDPR components 63

Table 17 GDPR Guidelines for SME 92

List of figures

Figure number  Content  Page number

Figure 1 Summary of personal rights 13

Figure 2 GDPR critical Path Roadmap 25

Figure 3 GDPR critical Path description 27

Figure 4 Overview of IBMs GDPR framework 29

Figure 5 GDPR Road Map and Framework 32

Figure 6 Preparation for the General Data Protection 34

Figure 7 Stages in action design research 37

Figure 8 Steps in guidelines design 40

Chapter one

1. Introduction

In May 2018 a new data protection law will be enforced. This law will be mandatory for all EU countries. The name of this new law is GDPR, the General Data Protection Regulation. GDPR will replace the current Data Protection Directive 95/46/EC [2]. The purpose of this new law is to enforce stronger integrity and data protection in all EU countries [4].

GDPR will force all companies which process personal information to be compliant with the rules described in the law. If companies fail to be compliant, it could lead to a fine of up to 20 million euro or 4% of revenue [62]. These sanctions could lead to the bankruptcy of an organisation, depending of course on the organisation's size and revenue.

The GDPR will impact whole organisations. Companies will have to protect personal data and provide information about what data is collected. This could have both organisational and technical impacts.

From the organisational point of view, management will have to consider GDPR in all processes in which personal data is handled. Companies will have to create policies, routines and rules in order to manage GDPR requirements. That can require changes to existing business processes around data processing [5]. Employees will have to learn about GDPR and know how their daily work will be impacted. Employees who handle personal data will have to follow routines and policies for data security in their daily tasks.

Companies will have to have GDPR in mind all the time personal data is processed. In customer relations, companies will have to have a process for personal data processing whenever some kind of personal data is managed. Companies will have to inform data owners about the rights they have [5], for example when email addresses for newsletters are collected, when data about new customers is collected and when data is passed to an external company.

Besides the organisational impact there could be technical impacts. Companies may have to provide technical mechanisms for monitoring the systems they have, in order to discover, prevent, report and mitigate security incidents [4]. This could mean investments in new technology and changes to the current infrastructure.

This work will focus on the creation of general GDPR compliance guidelines for SMEs. In order to do that, a case study will be made in which a GDPR implementation is performed in a company called Evalent.

1.1 Problem description

The main problem with GDPR is that it is a new law and there are no official guidelines that SMEs, or companies in general, could use in order to adapt to it. The lack of official guidelines doesn't mean that there are no attempts to create such guidelines. There are 2 codes of conduct that address cloud computing. The problem is that they contradict each other, which could lead to confusion. Besides that, those codes of conduct aren't based on practical cases [9]. Besides the codes of conduct, 5 frameworks were found (for more details see the literature review chapter). These frameworks are developed by different companies such as IBM and RSA [51], but it doesn't seem that these frameworks could apply to all types of companies. In some frameworks some GDPR components are missing. Besides that, none of the frameworks are based on a real-life implementation.

In order to meet the new regulation, companies have to gather knowledge about what GDPR is and which requirements it places on the particular company. Existing frameworks could be used, but companies have to evaluate them in order to see whether any of them could be applied to the company's needs.

Of course there are some materials, such as different brochures and descriptions of GDPR, which could be used. But the main problem is that a company can't trust the quality of the brochures, or that they contain all components. Existing material could be good as an introduction to GDPR, but after reviewing it a deeper understanding should be sought in the official legal documents. Companies have to make their own interpretation of those and then implement GDPR based on the understanding gained from this information gathering.

After understanding what GDPR is and which requirements there are, those requirements have to be implemented somehow.

It is suggested to use the Plan Do Check Act (PDCA) cycle for GDPR implementation [64]. The main problem with the cycle is that PDCA is a very general methodology which doesn't address GDPR specifically. It is a good tool for planning and carrying out GDPR compliance work, but it doesn't tell anything about GDPR components such as personal rights, personal data protection etc. PDCA is a good method for implementing something, but companies are still on their own in finding out what should be implemented and which steps should be taken. When those things are clear, PDCA could be used for every step. So the main problem is that there is a law which companies have to adapt to, but there is no clear description of how to do that. There is no general framework or guidelines that all companies could follow.

1.2 Research questions

The purpose of this research is to see how a GDPR implementation could be done in real life and to use this knowledge for modifying existing frameworks to produce general GDPR adoption guidelines which SMEs could use. The guidelines will be based on an existing GDPR compliance framework, which will be modified by lessons learned during the GDPR implementation in Evalent and by closing possible gaps found during the literature review. In order to address the purpose of this study, the research questions below are going to be answered:

1. Which existing GDPR compliance framework is most appropriate to be used by all SMEs in order to implement GDPR?

2. How will GDPR guidelines be designed and evaluated after modifying the appropriate framework?

1.3 Research outcome

This research will produce guidelines that all SMEs could use in order to adapt to GDPR. The guidelines will describe practical steps that companies have to take. In order to achieve that, existing GDPR frameworks will be analysed. Then the framework most appropriate for all SMEs will be selected. Then a case study will be made in order to see how an organisation adapts to GDPR in real life by using this framework. Then this framework will be adapted based on lessons learned from the implementation. From this, adaptation guidelines for SMEs will be designed.

1.4 Expected contributions

The main contribution of this research will be general GDPR adoption guidelines for SMEs. A review of existing frameworks will also be a contribution, as will the design process of the guidelines. The designed guidelines will be built on the GDPR implementation in the organisation Evalent; this GDPR implementation is another contribution of this thesis. Of course the thesis will be a contribution by itself.

1.5 Limitations for the thesis

GDPR will impact both companies and government. This work focuses on non-government business organisations; any impact on government won't be discussed further. The business organisation type selected for this work is SMEs, because SMEs represent about 99% of companies in the EU [52]. The guidelines created in this thesis will be based upon an existing GDPR compliance framework and a case study. The reason for that is that this approach will cover possible gaps which could occur between the real-life situation and theoretical assumptions. Only one of the existing GDPR compliance frameworks will be selected and used, because there is no time for testing several frameworks.

In order to find, examine and select frameworks, a literature review will be done. The frameworks found are listed below:

● Framework for Demonstrable GDPR Compliance: A mapping of the Nymity's Privacy Management Accountability Framework to GDPR Compliance Obligations

● APSs GDPR FRAMEWORK

● IBMs GDPR framework

● Copenhagen Compliance framework

● Information Commissioner's Office framework

The chosen framework will be used in the case study. The case study will be limited to only one company. The reason why only one company will be examined is that there won't be enough time to examine several companies.

1.6 Benefits of the study

The benefit of the created guidelines would be that SMEs get a tool to use for GDPR adaptation. A company could just take this tool and use it. No investigation would be needed in order to find out how to implement the regulation. As mentioned before, the possible non-compliance fines are pretty big. The guidelines will contribute to the company not missing any important parts, which will minimize financial risks.

The GDPR work won't stop after the deadline in May. The law will be there and companies will have to take it into consideration all the time. Guidelines could help companies with their processes for handling GDPR. Such guidelines would also be usable for future companies, because GDPR will affect newly started companies too. Newly started companies won't need to put large efforts into investigating and learning GDPR. They could just use the guidelines and focus on the practical steps that should be taken. The created guidelines will be general for all types of SMEs. If any SME uses those guidelines and goes through all the steps, then it is going to be GDPR compliant. All GDPR components will be there.

1.7 Evalent the case study company

The case study company is Evalent, a small enterprise with 37 employees located in Malmö. The company's revenue is about 3 million euro. The company provides its customers with its own-developed e-commerce platform called nordisk e-commerce.

Customers can use the e-commerce platform out of the box with the features that are provided, or get it specially adjusted. The special adjustment service is performed by designers, and the system development depends on the requested feature. Evalent hosts its infrastructure itself.

Besides its own-developed e-commerce platform, the company offers consultation on Magento development and hosting. The reason why Evalent is chosen is that it can be categorised as an SME and it stores personal data both for itself and for its customers, which means that the company is both a data controller and a data processor. (Data controllers and processors are described in chapter 2.1, central concepts.) As a result, the guidelines will be based on a GDPR implementation covering all possible data processing entities.

Chapter two

2 GDPR background

In December 2015 the EU agreed on a new data protection regulation, GDPR, the General Data Protection Regulation. The agreement was provisional; in July 2016 the agreement became permanent and the final version was published [4]. The purpose of the new data protection regulation is to increase and protect EU citizens' integrity and to strengthen the rights of the individual. An individual will have increased rights to decide which data is collected about them and what a company can do with the data [4]. Companies that gather personal information have to provide the data owner with information about which data is collected and for what purpose. A data controller company has to provide mechanisms for deleting, moving and editing data on request of the data owner. Companies have to notify a person about whom data is collected if the data is sent to an external party. Besides that, collected data has to be protected [2], [3], [4], [5], [10].

Before GDPR there was the Data Protection Directive 95/46/EC, which regulated data protection [2]. One of the main problems with Data Protection Directive 95/46/EC is that it leaves it up to the member countries to decide on the enforcement of data protection. For example Spain has strict regulation and big fines [4]. Germany is another country that is a frontrunner [6]. France on the other hand has very small fines for companies that don't protect data [4]. Romania is another country where data regulation is poor [6]. In my opinion existing laws could be an indication of how much adaptation will be required of companies. In countries with hard enforcement it will be easy to adapt because everything is already in place. In countries with only recommendations, companies may have to do all the work from the beginning [6]. Besides the different application in European countries, the Data Protection Directive 95/46/EC was created back in 1995. The world was different then: only 1% of the world population was using the internet, which has changed by now [4].

The main change from the previous law is that companies that collect data about EU citizens have to protect the data no matter where it is stored [4]. For example, if a company stores data in India it is still the company that is responsible for the protection of the data. The same is valid for data stored in the cloud [4]. Another major change is that companies have to report a discovered data breach within 72 hours to the data protection authority [4]. Companies with substantial data processing have to appoint an independent data protection officer [4].

If an organisation fails to ensure those rights it could be penalized by a fine of up to 20 million euro or 4% of its annual revenue.

In order to proceed with this thesis it is important to understand GDPR and its central concepts, so as to know which requirements there are for companies. This is necessary in order to implement GDPR correctly. If GDPR isn't correctly implemented it could lead to breaking the law, which could lead to the fines described above. Central concepts and GDPR dimensions are discussed below.

2.1 GDPR central concepts

The main concern of GDPR is personal data, the meaning of which has been extended since Data Protection Directive 95/46/EC [4]. Now personal data means all data by which a person can directly or indirectly be identified [4]. Direct identification could be made by data such as name, surname etc. Indirect identification could be made by information such as IP addresses, postal addresses, emails etc. Basically, all data by which a person could be identified is personal data, for example an IP address whose owner can be figured out.

Personal data is collected by different organisations for different purposes. The collection purpose could be marketing, order data etc. GDPR refers to those organisations as data controllers [14]. It is the data controller who is responsible for data being collected in a lawful way. According to GDPR, data controllers have to investigate which data they collect and on which legal ground. Besides that, it is the data controller's responsibility to secure the collected data and to guarantee the rights of the people whose personal data is collected [14]. Figure 1 presents a summary of personal rights. Below the picture there is a more detailed description of every right.

Figure 1 - Personal rights in GDPR. The picture presents the personal rights.

● Right to be informed: when data is collected, information has to be provided regarding which information is collected and when. Information must also be provided when a person asks about which data is collected. The information has to be provided free of charge [10].

● Right to correct wrong information: a person has the right to get personal information corrected if it is wrong. Besides that, the person has the right to provide additional information if it is missing. A person should be notified if corrected information is passed to a third party [10].

● Right to be forgotten and to erase information: a person has the right to request that collected information is deleted. Besides that, a company has to erase collected information if it isn't needed for the purpose it was collected for [12].

● Right to limitation of processing information: sometimes a person has the right to require a limitation on the processing of information. For example a person could require that information which is collected for one purpose today is used only for that purpose and not for some other purpose later on [12].

● Transfer of data: a person has the right to require that information is transferred to some other company [12].

● Right to object: a person sometimes has the right to object to how information is handled. For example a person could object if a state authority is processing information about the person which is allowed by law and which, for example, is published [12].

● Right to object to automated decisions: a person has the right not to allow decisions about the person to be made by automated data analysis [12].

● Lawful collection: there have to be lawful grounds for collecting data [10].

Sometimes collected data is sent to another organisation for some reason. GDPR refers to an organisation that receives data as a data processor. A data processor is an organisation which processes data on the data controller's behalf. A data processor could be a cloud service provider whose services the data controller uses for data processing [14]. In order to be GDPR compliant, the data controller should identify which data is passed to a third party and has to ensure that there is an agreement with the data processor by which the data processor is obligated to handle the data according to GDPR [14].

In order to handle data according to GDPR, both data controllers and processors should minimize the amount of collected personal data. Only needed data should be collected, and only for the purpose that is decided before the data is collected. Unneeded data should be deleted.

Companies are allowed to collect personal data in order to fulfill an agreement, if there is a law requiring the information to be collected, or if the person about whom data is collected allows it [14]. As described earlier, one of the purposes of GDPR is to increase integrity for EU citizens. GDPR provides expanded rights. The person now has control over their personal data [12]. When data is collected the individual has the right to get information about which data is collected and the purpose of the collection. In order to get the data the company has to ask if it's ok [12].

There are sanctions described in GDPR for companies that don't meet the requirements. The sanctions are serious and, depending on the violation, could be up to 20 million euro or 4% of revenue [5]. The amount of the fine depends on how serious the violation is. Whether the revenue percentage or the fixed amount applies depends on which one is higher [4].

2.2 GDPR dimensions

There are 2 dimensions of GDPR. One of them is the personal rights dimension. The main components of this dimension are listed below:

● Identify which data is collected.

● Identify on which legal ground data is collected.

● Identify if and which data is passed to a third party.

● Ensure that there is an agreement with a data processor.

● Minimize collected data if needed.

● Implement mechanisms for deleting unneeded data.

● Implement a mechanism for collecting consent to data collection.

● Implement mechanisms for providing personal rights, which are the right to be forgotten, to correct wrong information and to transfer data somewhere else.

The second dimension is the security dimension, which describes rules about how to secure data. Those rules are handled in articles 32, 33 and 34 of GDPR [40]. According to those rules the company which stores personal data has to provide the following:

● Data has to be secured according to the confidentiality, integrity and availability principles. There should be mechanisms that secure data recovery after incidents [40].

● There should be testing mechanisms in order to test security [42].

● Besides that, the data controller should ensure that employees don't access data in an unpermitted way and that a risk evaluation is done before data is classified into different security levels [41].

● Besides that, security breaches where personal data has been leaked should be reported to the authorities [42].

● In cases where the leaked data is sensitive or could cause damage to a person, information about the breach should be provided to the registered person too [43].

● A risk analysis should be performed in order to see which security risks there are for security breaches [42].

Companies that collect data have to adopt internal procedures so that the principles of data protection are met [4]. Companies have to make privacy and data security a standard when they plan for security. The term for this is privacy by default [4]. This means that data protection and privacy have to be considered in all processes where access to private data is involved.

For ensuring security compliance an organisation could use any security certification that meets the requirements and is accredited by a governing body. Certification is voluntary [41]. Because the organisation used in this study is Swedish, I searched for certification in Sweden. According to the Data Inspection Board, which is the governing body in Sweden, there is no such certification in Sweden yet [44].

2.2.1 Security models

As described earlier there are 2 dimensions in GDPR which have to be covered in order to become GDPR compliant. One of them is the security dimension, which describes how data has to be secured. In order to become GDPR compliant a company has to ensure that data is secure by including controls which provide confidentiality, integrity and availability. The security model called the CIA triad handles just that. The CIA triad contains 3 components, which are confidentiality, integrity and availability [38].

The purpose of availability is to provide information. The information should be available when needed. The availability component of the CIA triad handles just that [38]. It is up to the system administrator to implement techniques that provide availability, such as failover etc.

The data that is stored in the system should not be changed by an unauthorized person, at rest or during operations. It means that it should be impossible for an unauthorized person to affect the data in any way. The system should be provided with integrity mechanisms that ensure that data is consistent and accurate during its whole lifetime [38]. This is handled by the integrity component of the CIA model.

Access to data should be granted only to authorized agents. The confidentiality component of the CIA triad describes that part [38]. In order for a system to be secure, the data should be unchanged by unauthorized agents during its whole lifetime. Access to data should be provided when needed, and only to agents who should have access to the data.

Besides the CIA triad there is another security model called the AAA model. This model has 3 components, which are Authentication, Authorization and Accounting [39]. The model defines a system as secure when there is a check that the user is the person he claims to be; this could be achieved by login credentials. There is a check that the user is allowed to do the things he wants to do; this could be achieved by different privileges given to different users. And there is accounting for actions in the system, which could be achieved by logging events [39].

The CIA and AAA models could be combined in order to achieve security. The reason for doing that is to cover security aspects that are not fully covered by one of the models; for example, accountability is covered by the AAA model but not by the CIA model. Besides confidentiality, integrity and availability, GDPR compliance also requires risk analysis and security testing [40], which are not really handled by the CIA or AAA models. In order to cover those parts some risk management methodology should be used. The chapters below cover methodologies that could handle those parts and be used for GDPR implementation.

2.2.2 Risk management

Risk management can be defined as the policies, routines and technologies used to reduce the threats, vulnerabilities and consequences that could occur if data is not secured [45]. To manage risks there should be policies and security mechanisms that address the different risk parameters. Risk is determined by the equation threat x vulnerability x consequence; that is, risk is the product of those three variables [45]. To manage risks in the context of GDPR, the threats and vulnerabilities of the systems that store personal data should first be defined. After that the consequences of a threat or vulnerability being realised should be decided. All these parameters together result in a value which is the risk [45]. When the risks are calculated, a policy should be created which describes how the different risks are to be handled. For example, to control the risk of disclosure of sensitive information an authentication mechanism could be applied.
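As an added illustration of the risk relation above (example code, not part of the thesis), the following Python script builds a small risk register for systems that store personal data, scores each entry as threat x vulnerability x consequence, and maps the score to a handling decision and a candidate control. The 1-5 scoring scale, the thresholds, the control mapping and the sample entries are assumptions made for the example.

```python
"""Risk register for systems that store personal data (added example).

Implements risk = threat x vulnerability x consequence [45] over a list of
constructed entries and derives a handling decision per entry, as a policy
for risk handling would prescribe.  The 1-5 scale per factor, the thresholds
and the control mapping are assumptions made for this example.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # each factor is scored 1 (lowest) to 5 (highest); assumed scale


@dataclass(frozen=True)
class RiskEntry:
    system: str          # system or process that stores personal data
    scenario: str        # what could go wrong
    cia_property: str    # property at stake: confidentiality, integrity or availability
    threat: int          # likelihood that the threat is realised
    vulnerability: int   # how exposed the system is to that threat
    consequence: int     # impact on data subjects and the company

    def score(self) -> int:
        """risk = threat x vulnerability x consequence [45]."""
        for factor in (self.threat, self.vulnerability, self.consequence):
            if factor not in SCALE:
                raise ValueError(f"factor {factor} outside scale 1-5")
        return self.threat * self.vulnerability * self.consequence


# Assumed policy thresholds on the 1-125 product: accept, mitigate or treat first.
ACCEPT_BELOW = 12
MITIGATE_BELOW = 40

# Assumed mapping from the property at stake to a candidate control, mirroring
# the text's example that disclosure risk is controlled by authentication.
CONTROLS = {
    "confidentiality": "authentication and access policy",
    "integrity": "integrity checks and change logging",
    "availability": "backups and failover",
}


def decide(score: int) -> str:
    """Map a risk score to the handling decision a risk policy would prescribe."""
    if score < ACCEPT_BELOW:
        return "accept"
    if score < MITIGATE_BELOW:
        return "mitigate"
    return "treat first"


def assess(register):
    """Score every entry and return them highest risk first, with decision and control."""
    rows = []
    for entry in register:
        score = entry.score()
        rows.append({
            "system": entry.system,
            "scenario": entry.scenario,
            "score": score,
            "decision": decide(score),
            "control": CONTROLS[entry.cia_property],
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register for a small company; values are illustrative only.
SAMPLE_REGISTER = [
    RiskEntry("CRM", "customer records disclosed through weak passwords",
              "confidentiality", threat=4, vulnerability=4, consequence=5),
    RiskEntry("HR file share", "employee files unavailable after disk failure",
              "availability", threat=2, vulnerability=3, consequence=3),
    RiskEntry("backup tapes", "unauthorized modification of archived data",
              "integrity", threat=1, vulnerability=2, consequence=4),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['score']:>3} {row['decision']:<12} {row['system']}: "
              f"{row['scenario']} -> {row['control']}")
```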

2.2.3. Security testing

In order to test security, tests have to be performed to determine whether the system is secure or not. This can be done in different ways. Web systems could be tested for the top 10 vulnerabilities described by OWASP, the Open Web Application Security Project [46]. Such tests can be performed with the tool OWASP ZAP, which includes the vulnerabilities described by OWASP in its testing [46].

Such a test will only discover vulnerabilities in web software. That is not enough, because other vulnerabilities should be tested for too; they could occur, for example, in the network infrastructure.

There could also be a social engineering attack. To test all parts, a penetration test could be performed; the purpose of such tests is to try to find all possible vulnerabilities in an organisation [47]. Of course a penetration test is more expensive than an automated test. I suggest that there should be a combination of those tests. How and when to perform these tests should be regulated in the policy for risk assessment.

2.3 GDPR implementation management

In order to implement GDPR in a structured way it is necessary to understand an implementation methodology and how IT is managed. Besides that, it is necessary to understand what an SME is, because this thesis is focused on GDPR implementation in SMEs. The chapters below describe all of these things.

2.3.1 PDCA cycle as implementation methodology

The suggestion for dealing with GDPR compliance implementation is to use the Plan Do Check Act (PDCA) cycle [64]. GDPR itself says nothing about how to implement it, so some implementation methodology has to be used. In my opinion PDCA is a good method for GDPR. The reason is that it can be used when new processes and changes are to be implemented in an organisation [65]. To become GDPR compliant, organisations will have to reconsider the processes in which management of personal data is included [65]; new processes for handling and securing personal data could be needed. PDCA explains how to plan for implementation, do what was planned, check that the right thing was performed and correct possible mistakes. This method covers all methodological parts that could be addressed in GDPR and is easy to understand and use. So the main reasons for using PDCA for GDPR are that it is holistic, lightweight and easy to learn and use. The model contains just four steps which cover everything from planning the implementation to implementing what was planned, which makes it holistic. Because there are only four steps it is easier to grasp and understand than more complicated models with more stages and steps, and because of this simplicity it is easy to learn and then use. In my opinion this could be an advantage from the SME point of view, because few resources will be needed for learning this model and then applying it. The model is iterative, with the four steps presented below:

● Step one is Plan. In this step you should plan your activity.

● Step two is Do. In this step you should implement what was planned.

● Step three is Check. Here you should evaluate what has been done.

● Step four is Act. In this step you should fix the problems discovered during the previous steps [65].

In the GDPR context this methodology could be used to carry out the implementation of the different GDPR components. For example, to make an inventory of how personal data is handled in the organisation, the work could start with planning how to investigate which data is handled by the organisation, in which processes data collection is involved, etc. The next step would be to find out which data is collected and how it is handled in the organisation. Then there should be a check whether there are types of personal data, or processes where data is handled, that were not covered in the previous steps; some processes or data could have been missed. In the next step those misses should be fixed. To do that there has to be a plan for how to do it, then it should be done, evaluated and possible misses fixed, and so on, until there is no personal data or process missing from the inventory document. When that is done it is time to do the same with the next component, and to carry on until all components are handled. After GDPR is implemented, the PDCA cycle could be used in order to maintain GDPR compliance.
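To show the PDCA iteration over the personal data inventory described above in working code, here is an added Python example (not from the thesis): Plan is the list of processes to investigate, Do is a supplied investigation step, Check finds processes or fields that were missed, and Act feeds the findings back into the next plan until nothing is missing. The process names, the required fields and the two simulated investigation rounds are constructed sample data.

```python
"""PDCA loop over a personal-data inventory (added example, constructed data).

Plan  : the processes the organisation intends to investigate.
Do    : an investigation step supplied by the caller, returning inventory entries.
Check : compare plan and inventory; report missed processes and incomplete entries.
Act   : extend the plan with every finding and start the next round.
"""
from dataclasses import dataclass

# Fields every entry must have before it counts as inventoried (assumed minimum).
REQUIRED_FIELDS = ("data_categories", "legal_ground", "retention")


@dataclass(frozen=True)
class InventoryEntry:
    process: str                 # business process in which personal data is handled
    data_categories: tuple = ()  # e.g. ("email",)
    legal_ground: str = ""       # legal ground on which the data is collected
    retention: str = ""          # how long the data is kept


def check(planned, inventory):
    """Check step: return (process, finding) pairs, empty when nothing was missed."""
    recorded = {entry.process: entry for entry in inventory}
    findings = []
    for process in planned:
        if process not in recorded:
            findings.append((process, "not inventoried"))
            continue
        for name in REQUIRED_FIELDS:
            if not getattr(recorded[process], name):
                findings.append((process, f"missing {name}"))
    for process in recorded:
        if process not in planned:
            findings.append((process, "found but not in plan"))
    return findings


def pdca_loop(planned, investigate, max_rounds=5):
    """Run Do-Check-Act rounds until the Check step has no findings.

    Returns (rounds_needed, final_inventory).  `investigate(planned, inventory)`
    is the Do step and must return the current list of InventoryEntry objects.
    """
    inventory = []
    planned = list(planned)
    for rnd in range(1, max_rounds + 1):
        inventory = investigate(planned, inventory)                 # Do
        findings = check(planned, inventory)                        # Check
        if not findings:
            return rnd, inventory
        planned = sorted(set(planned) | {p for p, _ in findings})   # Act: next Plan
    raise RuntimeError(f"inventory still incomplete after {max_rounds} rounds")


# Constructed sample: what a simulated investigation turns up in each round.
SAMPLE_PLAN = ["newsletter", "recruitment", "customer_support"]
SAMPLE_FINDS = {
    1: [
        InventoryEntry("newsletter", ("email",), "consent", "until unsubscribed"),
        InventoryEntry("recruitment", ("cv", "contact details"), "", "6 months"),
        InventoryEntry("payroll", ("bank account", "salary"), "contract", "7 years"),
    ],
    2: [
        InventoryEntry("newsletter", ("email",), "consent", "until unsubscribed"),
        InventoryEntry("recruitment", ("cv", "contact details"), "legitimate interest", "6 months"),
        InventoryEntry("payroll", ("bank account", "salary"), "contract", "7 years"),
        InventoryEntry("customer_support", ("name", "email", "ticket history"), "contract", "2 years"),
    ],
}


def make_investigator(finds_by_round):
    """Return a Do step that replays the constructed rounds above."""
    state = {"round": 0}

    def investigate(planned, inventory):
        state["round"] += 1
        return list(finds_by_round[state["round"]])

    return investigate


if __name__ == "__main__":
    print("round 1 findings:", check(SAMPLE_PLAN, SAMPLE_FINDS[1]))
    rounds, final = pdca_loop(SAMPLE_PLAN, make_investigator(SAMPLE_FINDS))
    print(f"complete after {rounds} rounds with {len(final)} processes")
```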

2.3.2 Outsourcing and inhouse IT

In order to secure data and provide personal rights, companies have to know where data is stored. Data storage depends on how the company's IT environment is handled.

Companies have to ensure that stored data is secured no matter where it is stored.

Today there are three possible ways to handle IT environments in companies. IT could be outsourced, meaning that an external party handles the company's IT; the company could manage IT in house; or the company could outsource part of its IT and manage the rest itself [56]. Of course, data will be stored in different places depending on which type of IT management there is.


According to GDPR there has to be an agreement if data is outsourced. The GDPR adoption work could differ depending on which type of IT management a company chooses. If a company chooses to outsource all IT, the company does not need to handle the security implementation itself; IT should be handled by the outsourcing company, and the only thing the company needs is a GDPR compliance agreement with the outsourcing company. These companies could focus on the legal dimension of GDPR. The second type of company has IT in house and needs to manage the security implementation itself, so those companies have to focus on implementing both dimensions by themselves. The third type of company has to distinguish which parts of IT security are managed by the outsourcing company and which have to be managed by themselves, and where data is stored: data stored in the company's own environment the company has to secure itself, and data stored by the outsourcing company should be secured by the outsourcing company. The work on the security dimension of GDPR compliance therefore depends on who manages IT. In-house management requires more effort on security implementation; for outsourced management a contract could be enough.

2.3.3 SME criterias from management perspective

In order to create guidelines for SMEs it is necessary to know what an SME is. Three types of companies are included in SMEs: micro, small and medium enterprises. Whether a company counts as an SME depends on headcount and turnover. A micro enterprise may have up to 10 employees and a turnover of 2 million euro; a small enterprise up to 50 employees and 10 million euro in turnover; a medium enterprise up to 250 employees and a turnover of up to 43 million euro [58].

Besides SMEs there are large companies, and there are differences between the two. Besides turnover and headcount, the structure of the companies is different: large companies are more formalised, systematic and organised than SMEs, and of course large companies have more resources [57]. There are also business characteristics for the different types of companies. An SME's organisation structure is flat and small, its business units are limited and not separated, and the requirement for IT personnel is small; it does not need any full-time IT personnel [60]. For example, a company with 12 employees may not have an IT department, but there could be somebody with IT knowledge who manages IT part time.

It is more likely that an SME will not have different departments but only different people with different roles. In contrast, large companies usually have a large matrix organisation, multiple business units and domains, and are organised in different departments [60]. A large company will likely have an IT department [59].

Of course there could be grey zones where some SMEs have a structure like that of large companies. GDPR affects all processes in which personal data is handled. This means that GDPR compliance is going to require more management from large companies than from small ones, because small companies will probably have less complicated processes with far fewer people involved. It also means that GDPR guidelines for SMEs could be much more lightweight and may not need to explain how to manage implementation across different departments; it could be enough with guidelines that just explain the different components of GDPR and how to implement them. For large companies such guidelines may not be enough, because they are not comprehensive enough and contain no parts covering how to handle a complex organisational structure.

2.4 Frameworks and policies

Besides GDPR itself, GDPR compliance frameworks are examined in this thesis. Besides frameworks, organisations could use a policy to define their implementation. Below is a description of what frameworks, information security frameworks and policies are in general.

2.4.1 Definition of a framework

According to Cambridge, a framework is defined as follows: “a supporting structure around which something can be built” [17]. Collins dictionary defines a framework as “A framework is a particular set of rules, ideas, or beliefs which you use in order to deal with problems or to decide what to do” [18] when it is mentioned in the context of small and medium enterprises, or as “A framework is a structure that forms a support or frame for something.” [18] when it is mentioned in the context of building something. The definition “A framework is a structure that forms a support or frame for something” will be used in this thesis because that definition is used in the SME context.

From the definitions above we could say that a framework is a description that contains rules and principles for how to build something. The framework should be general for the domain it is created for; such a framework could be reused several times and applied to particular users' needs. For example, if a framework is designed for building secure systems, a developer should be able to follow the rules and principles described in the framework, apply them to the system that is going to be built and deliver a secure system. A framework should be general for a domain: it should not matter which kind of software is going to be built in that domain.

2.4.2 GDPR framework

According to the framework description above, a GDPR compliance framework could be defined as a description of rules and principles for how to implement GDPR in an organisation. In the context of this research a GDPR framework is a framework which describes how to apply GDPR rules to an organisation in order to fulfil GDPR. According to the definition, such a framework should contain rules and principles which could be used to secure personal data and fulfil the rights of the data owner. It should cover all GDPR dimensions and include a description of how to implement GDPR in an organisation in order to become GDPR compliant.

2.4.3 Policy

Besides a framework, an organisation could use a policy in order to implement GDPR. That could of course be enough, because the purpose is to implement GDPR and have all components in place; how companies reach GDPR compliance does not matter from a legal point of view. The main question that arises is what a policy is and how it differs from a framework. A policy is a plan and rules used in an organisation in order to make decisions [31]. The purpose of a policy is to create guidelines for reaching a goal set by the organisation's management [32]. For example, if an organisation wants to have good security, a security policy could be created which describes rules and guidelines for how to work with security implementation and how to approach different security questions. The question that arises now is what the difference between a framework and a policy is. In my understanding the main difference is that a framework is more comprehensive than a policy. Besides that, in the context of organisations, a policy is used to address the issues of a certain organisation, whereas a framework is used to address the issues of several organisations and could be reused in different organisations with little or no adaptation.


Chapter three

3. Literature review

In order to proceed with my research questions I have to investigate which GDPR compliance frameworks and guidelines there are, which GDPR components they address, how those frameworks describe implementation from the PDCA perspective and how those frameworks could be used by SMEs. To do that, a literature review was conducted. To search for literature I used the following databases and search engines: Google Scholar, Academic Search Premier, ACM Digital Library, arXiv.org, ASTM Compass, IEEE Xplore, INSPEC Archive, ScienceDirect Journals, Scopus, SPIE Digital Library, SpringerLink, Web of Science and Google. The keywords used were “GDPR”, “GDPR compliance”, “GDPR implementation”, “GDPR guidelines”, “GDPR framework”, “GDPR compliance guidelines” and “GDPR compliance framework”.

The time slot for article publication was 2016-2018. To select relevant articles I read the title, the abstract and, in the case of Google search, the description. This search provided me with articles containing information about GDPR frameworks/guidelines. I then analysed each framework to see which GDPR components it addresses, whether it manages customer rights and data security, whether data is managed in house or outsourced, and how the framework handles the GDPR implementation process. For analysing the implementation process I examined implementation according to the PDCA methodology and investigated which PDCA components are handled. The reason I examined implementation from the PDCA perspective is that PDCA is suggested to be a good methodology for GDPR implementation [64] because of its simplicity and ease of use. If there is a framework that addresses the PDCA components, it could be a good candidate to be selected for the case study. Besides that, I investigated if and how the frameworks could be used by SMEs.

The frameworks found are presented below. For each framework there is an overview description, followed by a table showing in detail which GDPR dimensions and components are handled, which PDCA components are handled, whether there is a description of how the framework could be used for GDPR implementation, and how the framework could be used particularly for implementation in SMEs.

3.1 Existing frameworks

3.1.1 Nymity’s Privacy Management Accountability Framework

The first framework found is “Framework for Demonstrable GDPR Compliance: A mapping of the Nymity’s Privacy Management Accountability Framework to GDPR Compliance Obligations”. It is a GDPR compliance framework created by Nymity, a Canadian-based company which offers privacy compliance, risk management and research to its customers [66].

The purpose of this framework is to cover all GDPR components that should be documented for audit, regardless of organisation type [53]. The framework is based on the assumption that accountability is required in order to show that the company is compliant [53]; basically, a company has to be able to demonstrate that the different requirements are met. The framework covers 39 GDPR articles that require evidence, and 55 primary measures that could need to be taken in order to demonstrate compliance [53]. It consists of two parts. The first part maps the different GDPR articles to the technical and organisational measures required as evidence that an article is implemented [53]; this part serves as an overview. The second part contains the technical and organisational measures that are needed [53]. The framework addresses both the security and the personal rights dimension. Table 1 gives an overview of which GDPR components are handled by the framework and which PDCA steps are addressed.

Table 1 - GDPR components that are handled by Nymity’s Privacy Management Accountability Framework

| Dimension | Handled | Plan | Do | Check | Act |
|---|---|---|---|---|---|
| Legal dimension | | | | | |
| Identify which data are collected | yes | no | yes | yes | no |
| Identify on which legal ground data are collected | yes | no | yes | yes | no |
| Identify if and which data are passed to a third party | yes | no | yes | yes | no |
| Ensure that there is an agreement with the data processor | yes | no | yes | yes | no |
| Minimize collected data if needed | yes | no | yes | yes | no |
| Implement mechanisms for deleting unneeded data | yes | no | yes | yes | no |
| Implement mechanism for collecting consent to data collection | yes | no | yes | yes | no |
| Appoint data protection officer if needed | yes | no | yes | yes | no |
| Implement mechanisms for providing personal rights: the right to be forgotten, to correct wrong information and to transfer data elsewhere | yes | no | yes | yes | no |
| Data breach reporting | yes | no | yes | yes | no |
| Security dimension | | | | | |
| Data security according to confidentiality, integrity and availability principles | yes | no | yes | yes | no |
| Security testing mechanism | yes | no | yes | yes | no |
| Data access policy for employees | yes | no | yes | yes | no |
| Risk analysis | yes | no | yes | yes | no |
| Organisation type | | | | | |
| SME | not clear | | | | |
| Large | not clear | | | | |
| Hosting | | | | | |
| Handling outsourcing | yes | no | yes | yes | no |
| Handling in-house hosting | yes | no | yes | yes | no |

As shown above, the framework addresses all legal and security components. It also handles both in-house and outsourced data management.

Besides the GDPR components, the framework provides some information about the implementation of those components. It describes what to do with each GDPR component in order to be compliant, in the section “How the Mandatory Technical and Organisational Measure may help Achieve Compliance” [53]; this corresponds to the Do component of the PDCA cycle. Besides that, the framework describes a possible audit mechanism: the section “How the Mandatory Technical and Organisational Measure may help Achieve Compliance with GDPR Obligations” describes how the measures taken could be used to demonstrate compliance. Here is an example of such an evidence description: “Example evidence to demonstrate compliance: 1. Organisational policy on handling special categories of personal data; 2. Sample data classification guides; 3. Consent forms/evidence of explicit consent;” [53]. This section could be used for the Check purpose in a PDCA cycle: the implementation is checked against the evidence needed to demonstrate compliance, and if the implementation provides such evidence it is compliant. The PDCA components handled by this framework are therefore Do and Check; it does not handle the Plan or Act component. The implementation information provided could be enough despite the lack of Plan and Act steps, because it describes what has to be implemented and how to check that it is correctly implemented; the method of implementation is up to each organisation to decide.

The framework does not give any specific information on how it could be used by SMEs. It contains just a little information about the organisation types it is designed for; for example it addresses issues such as implementation of data privacy in research, privacy in religious organisations and HR [53]. This indicates that the framework could be used for different types of organisation; its purpose is to fit all types of organisations and not specifically SMEs [53]. An SME could take this framework and implement GDPR by following it. The main problem with the framework is that it is complex: for small companies there could be many aspects of GDPR that the company does not need to think about, and using this framework could be overwhelming.


The main advantage of this framework is that it addresses most GDPR parts and encourages documentation in order to prove the measures taken. If compliance is checked, the company could easily show proof of it. Besides that, the company could check during implementation whether a finished step provides the needed evidence; if it does, that step is finished.

3.1.2 APSs GDPR FRAMEWORK

The second framework found is “APSs GDPR FRAMEWORK”. It was created by a company called APS, which stands for Assurance Programme Solutions. APS is a consultancy in the wealth and asset management industry which provides its customers with transformation specialists [67].

The purpose of the framework is to use it in GDPR implementation for financial service companies; APS helps those companies and the framework is used as support for that work [54]. The framework consists of two parts. The first part is a roadmap which describes different milestones and contains 12 steps. An overview of those steps is presented in figure 2 below.

Figure 2 - GDPR critical Path Roadmap. The picture describes the GDPR compliance framework [54]

The second part of the framework is a table which describes the GDPR components and divides them into 12 checkpoints, each describing what should be done for that checkpoint. This table is presented in the figure below.


Figure 3 - GDPR critical Path description. The picture describes the steps of the GDPR compliance framework [54]

The table in the picture above suggests that companies should start GDPR implementation by creating awareness of GDPR among decision makers and getting a decision to implement GDPR. Then the company should document which personal data it holds. After that, the company should check the privacy rules it has and make them GDPR compliant. Then the company should create routines for ensuring individual rights and for responding to individual requests. Then there should be a justification of the legal grounds on which the company collects data. After that, considerations should be made about children and whether a system to verify age is needed. Then procedures for data breaches should be implemented. Then data protection by design and data protection assessment should be developed. Then measures should be taken if the company sends data to companies outside the EU [68]. Table 2 below shows which GDPR components are addressed by the framework.

Table 2 - Detailed information on how APSs GDPR FRAMEWORK fits GDPR components and handles PDCA components

| Dimension | Handled | Plan | Do | Check | Act |
|---|---|---|---|---|---|
| Legal dimension | | | | | |
| Identify which data are collected | yes | no | yes | yes | no |
| Identify on which legal ground data are collected | yes | no | yes | yes | no |
| Identify if and which data are passed to a third party | yes | no | yes | yes | no |
| Ensure that there is an agreement with the data processor | yes | no | yes | yes | no |
| Minimize collected data if needed | yes | no | yes | yes | no |
| Implement mechanisms for deleting unneeded data | yes | no | yes | yes | no |
| Implement mechanism for collecting consent to data collection | yes | no | yes | yes | no |
| Appoint data protection officer if needed | yes | no | yes | yes | no |
| Implement mechanisms for providing personal rights: the right to be forgotten, to correct wrong information and to transfer data elsewhere | yes | no | yes | yes | no |
| Data breach reporting | yes | no | yes | yes | no |
| Security dimension | | | | | |
| Data security according to confidentiality, integrity and availability principles | yes | no | yes | yes | no |
| Security testing mechanism | no | no | no | no | no |
| Data access policy for employees | yes | no | yes | yes | no |
| Risk analysis | no | no | no | no | no |
| Organisation type | | | | | |
| SME | no | | | | |
| Large | no | | | | |
| Hosting | | | | | |
| Handling outsourcing | no | no | no | no | no |
| Handling in-house hosting | no | no | no | no | no |

This framework addresses all parts of the GDPR legal dimension. In the security dimension it does not address risk analysis and security testing; there is no clear description of those components. They could be included in the data breaches part of the framework, described in part 9, which says to make sure that mechanisms are implemented in order to detect, report and investigate data breaches [54]. Security testing and risk management could be part of those mechanisms, but the organisation has to be aware of this itself, because nothing is written about it in the framework. The framework also says nothing about how to work depending on whether an organisation outsources its IT or not.

For implementing GDPR, the framework discusses what needs to be done and how it could be checked; the roadmap and the table are used for those purposes. In my opinion the roadmap could be used to get a milestone overview of the implementation. The table could be used as a checklist to gain more detailed information about what has to be done: an organisation could basically follow all the steps in the table and implement them, then use the table to set the status of the work progress for each step and, when the work is done, to check the status by going through the description of each step and confirming that everything is done. These could be mapped to the Do and Check parts of the PDCA cycle.

The framework does not mention whether it is for SMEs or large organisations. It seems to me to be a lightweight framework though, which could fit better for organisations which outsource their IT and security and do not have such a large organisation. Such an organisation only needs to worry about the legal parts being handled. Security is outsourced along with IT, so the outsourcing company should handle security. The only security part such an organisation needs to worry about is that only authorized personnel can access data, which could be handled by a policy and by the authentication mechanisms provided by the outsourcing company.

3.1.3 IBM's GDPR framework

The third GDPR framework found is “IBM's GDPR framework” [55]. The framework was created by IBM Security, a part of the IBM holding which provides cyber security services to its customers [70]. The framework has 5 phases and 2 dimensions. The phases are assess, design, transform, operate and conform. The dimensions handled by the framework are privacy requirements and security requirements, and the framework phases handle both [69]. Which GDPR dimensions and components are handled by the framework is presented in table 3 below.

Table 3 - Detailed information on how IBM's GDPR framework fits GDPR components and handles PDCA components

| Dimension | Handled | Plan | Do | Check | Act |
|---|---|---|---|---|---|
| Legal dimension | | | | | |
| Identify which data are collected | yes | yes | yes | yes | no |
| Identify on which legal ground data are collected | yes | yes | yes | yes | no |
| Identify if and which data are passed to a third party | yes | yes | yes | yes | no |
| Ensure that there is an agreement with the data processor | yes | yes | yes | yes | no |
| Minimize collected data if needed | yes | yes | yes | yes | no |
| Implement mechanisms for deleting unneeded data | yes | yes | yes | yes | no |
| Implement mechanism for collecting consent to data collection | yes | yes | yes | yes | no |
| Appoint data protection officer if needed | yes | yes | yes | yes | no |
| Implement mechanisms for providing personal rights: the right to be forgotten, to correct wrong information and to transfer data elsewhere | yes | yes | yes | yes | no |
| Security dimension | | | | | |
| Data security according to confidentiality, integrity and availability principles | yes | yes | yes | yes | no |
| Security testing mechanism | yes | yes | yes | yes | no |
| Data access policy for employees | yes | yes | yes | yes | no |
| Risk analysis | yes | yes | yes | yes | no |
| Organisation type | | | | | |
| SME | no | | | | |
| Large | no | | | | |
| Hosting | | | | | |
| Handling outsourcing | no | no | no | no | no |
| Handling in-house hosting | no | no | no | no | no |

According to the framework, GDPR implementation starts with conducting GDPR assessments and then documenting which personal information is collected and stored, and which privacy risks there are. After the assessment, an implementation plan should be created. After that, the plan should be implemented and things such as policies, routines and security mechanisms put in place. All implemented measures should be demonstrable.

The security and privacy dimensions are included in all activities [55]. Besides all GDPR components, the framework addresses all parts of the PDCA cycle except the last, Act. The framework provides information about planning the implementation of the GDPR components, then implementing the components, and after that confirming the implementation. It says nothing about how to deal with problems discovered when confirming that everything is implemented [55]. Nothing is mentioned about whether IT is outsourced or not, or which organisation types the framework could be used for. Figure 4 below gives a detailed overview of the framework phases, dimensions and activities.
