A Study on the Information Security Management Index through Analysis of EU-GDPR (European Union-General Data Protection Regulation)

The European Commission is committed to ensuring the free movement of personal data between EU Member States while strengthening the protection of individuals' privacy through Regulation (EU) 2016/679, the General Data Protection Regulation ('GDPR'), which entered into force on May 24, 2016, has applied since May 25, 2018, and is directly applicable and legally binding in all EU Member States. Companies that serve the EU market or are preparing to do business there need a good understanding of the GDPR compliance requirements and must meet them. This study compares the core legal requirements of the GDPR with domestic (Korean) law, compares and analyzes the control items of the ISMS (Information Security Management System) and PIMS (Personal Information Management System) certifications against the requirements of the GDPR, and suggests ways to prepare a response system.


Introduction
In recent years the EU has sought to promote the use of personal data by businesses while at the same time protecting data subjects, reflecting the changes in the personal data processing environment brought about by universal use of the Internet, and to balance these two aims. The EU's 1995 Data Protection Directive (95/46/EC) was replaced by the General Data Protection Regulation (GDPR), adopted on April 27, 2016. As the GDPR is applied, the data protection laws of the 28 Member States, which until then followed the 1995 Directive, are implemented more consistently and uniformly. [1] In its 2015 Digital Single Market Strategy the European Commission placed the data economy, together with cloud computing and the Internet of Things, at the center of EU competitiveness. Since May 25, 2018 the GDPR has been a comprehensive legal regime with direct legal binding force that every EU Member State must apply, and its influence is strong. Companies serving the EU or preparing to do business there therefore need to analyze the compliance requirements of the EU GDPR and establish a response system: securing a compliance system ensures business stability by preventing business risks such as the imposition of very large penalties for regulatory violations. [2] To establish a practical and concrete response system based on the detailed GDPR compliance requirements, companies doing business in the EU should analyze the status of their personal data related operations, review whether they meet the GDPR regulatory requirements, establish plans and detailed improvement measures for the requirements they do not meet, and check and revise their existing risk response strategies.

GDPR (General Data Protection Regulation) System analysis
The GDPR (General Data Protection Regulation) is the European Union's reform of the data protection regime that had been in place since EU Directive 95/46/EC of 1995, prompted by the development of Internet technologies and radical changes in the processing environment. The European Commission adopted the GDPR on April 27, 2016 as a uniform law, applied and enforced in the same way across the EU Member States, for the protection of natural persons with regard to the processing of personal data and for the free movement of such data. It entered into force on May 24, 2016 and has applied since May 25, 2018. [19] Compared with the Data Protection Directive 95/46/EC of 1995, which consists of 72 recitals and 34 articles, the GDPR is considerably larger: it consists of 173 recitals and 99 articles in 11 chapters. Unlike the earlier Directive, the GDPR has the status of a 'regulation', so it is directly applicable throughout the EU and legally binding, and regulation becomes more uniform and stronger across the EU. It has thus become possible to apply and enforce a unified law among the Member States. The contents of each part, such as the general provisions, the rights of the data subject, controller and processor, and transfers of personal data, are shown in [Fig. 2]. Major changes introduced by the GDPR include its extended territorial scope: it applies not only to processing by establishments within the EU but also to controllers and processors outside the EU that offer goods or services to data subjects in the EU or monitor their behaviour within the EU.
It also imposes administrative fines calculated on the basis of the turnover of the whole 'undertaking' (business group): for a serious infringement of the GDPR, up to 20 million euros or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher; for a general infringement, up to 10 million euros or 2% of that turnover, whichever is higher. A number of obligations apply directly to processors: the regulation contains many provisions that regulate the processor directly, including documentation requirements and appropriate security standards.
The processor is therefore directly subject to sanctions and may be held liable to compensate the data subject. The regulation also establishes the principles for processing personal data and the controller's responsibility (accountability) for demonstrating compliance, for example through certification. Personal data must be collected and processed in accordance with all six principles: (1) lawfulness, fairness and transparency, (2) purpose limitation, (3) data minimisation, (4) accuracy, (5) storage limitation, and (6) integrity and confidentiality. Compared with the Directive, the principles have been strengthened, in particular the requirements of lawfulness, fairness and transparency. Transfers of personal data to a third country are permitted only on the basis of an adequacy decision or of appropriate safeguards, and only where enforceable data subject rights and effective legal remedies are available. Appropriate safeguards include binding corporate rules, standard contractual clauses and approved codes of conduct; consent and the performance of a contract are available as derogations. Companies therefore need a mechanism for transferring personal data outside the EU. For personal data breaches, the controller must report the breach to the supervisory authority within 72 hours of becoming aware of it, and when the breach is likely to result in a high risk to data subjects it must notify the data subjects without undue delay.
In addition to the transparency obligations placed on the controller, the rights of data subjects have been expanded, including the right of access, the right to rectification, the right to erasure, and the right not to be subject to a decision based solely on automated processing. Appointment of a DPO (Data Protection Officer) is mandatory for public authorities and bodies, and where the core activities of the controller or processor consist of large-scale regular and systematic monitoring of data subjects or of large-scale processing of sensitive data or of data relating to criminal convictions and offences. Accountability and governance of personal data processing are also strengthened: controllers must keep detailed records of processing activities, carry out data protection impact assessments for high-risk processing, notify personal data breaches, maintain comprehensive documentation, and implement data protection by design and by default.
To strengthen the rights of individuals in the EU with regard to the processing of their personal data, to guarantee the free movement of data between Member States, and to protect the privacy of data subjects, the GDPR defines its scope as follows. Its material scope covers the processing of personal data, that is, any information relating to an identified or identifiable natural person (the data subject), whether processed by automated means or as part of a filing system (a structured set of personal data accessible according to specific criteria). Its personal scope applies regardless of the nationality or residence of the data subject. Its territorial scope covers processing in the context of an establishment in the EU, and processing by controllers or processors outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. The geographic, physical and human scope of business activities that manage the personal data of customers or employees is therefore the same as the scope of the GDPR. [20] The conditions for consent require that consent to the processing of personal data be freely given, specific, informed and unambiguous. Article 8, on the conditions applicable to a child's consent in relation to information society services offered directly to a child, provides that such consent is lawful only where the child is at least 16 years old; below that age, consent must be given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age, provided it is not below 13 years [2]. Operators providing information society services in multiple Member States must therefore take into account the various age thresholds set by the laws of the Member States.
[Figure 2-4] shows the current provisional picture of the age of digital consent across the EU; Member States may lower the age limit to 15, 14 or 13 years (Better Internet for Kids, "Mapping of the age of consent in the GDPR (2018)", Feb 2, 2018). Future developments should be monitored so that consent-related obligations towards children can be observed. According to GDPR Article 83, a general infringement of the regulation is subject to an administrative fine of up to 10 million euros or up to 2% of total worldwide annual turnover of the preceding financial year, whichever is higher, and a serious infringement to a fine of up to 20 million euros or up to 4% of that turnover, whichever is higher. The provisions and grounds that constitute general or serious infringements are shown in [Table 3]. Examples include:
- being unable to demonstrate that the data subject has consented to the processing, or that the consent was valid, that is, (1) freely given, (2) specific, (3) informed and (4) unambiguous;
- failing to provide the required information when collecting personal data from the data subject: (1) the name and contact details of the organization, (2) the contact details of the DPO, (3) the purposes and legal basis of the processing, (4) the legitimate interests pursued, (5) the recipients, (6) the basis for transfers abroad, (7) the storage period, (8) the rights of access, rectification, erasure and restriction of processing, (9) the right to withdraw consent, (10) the right to object, (11) whether the provision of personal data is a statutory or contractual requirement;
- transferring personal data to a third country on the basis of a judgment of a court or tribunal where no international agreement, such as a mutual legal assistance treaty, is in place (serious infringement).

Information security management index
The ISMS certification criteria are shown in [Table 3]. The information security management process consists of 12 items in 5 areas, and the information protection measures consist of 92 items in 13 areas, for 104 indicators in total. The information security management process defines the Plan, Do, Check and Act cycle for continuous information security management in the areas of policy and scope, organization, risk management, implementation of countermeasures, and post-management.
In addition, the 2015 amendment of the Personal Information Protection Act (Article 32-2) provides that the Minister of the Interior (now the Ministry of the Interior and Safety) may certify that the series of measures a personal data controller takes for the processing and protection of personal data conforms to the Act. In particular, from January 2016 the Ministry of the Interior and the Korea Communications Commission integrated the Personal Information Protection Level (PIPL) certification under Article 32-2 of the Personal Information Protection Act into the Personal Information Management System (PIMS) certification under Article 47-3 of the Act on Promotion of Information and Communications Network Utilization and Information Protection (Information Communication Network Act). PIMS is the standard, defined pursuant to Article 32-2 of the Personal Information Protection Act (Personal Information Protection Certification) and Article 47-3 of the Information Communication Network Act (Certification of Personal Information Management System), for establishing and operating a comprehensive management system that includes the administrative, technical, physical and financial measures needed to carry out personal information protection activities systematically and continuously [Table 4]. The personal information protection measures consist of 50 criteria in three areas. The privacy management process is expected to be run repeatedly along the Plan, Do, Check, Act cycle for as long as the PIMS is operated. The certification criteria on lifecycle and rights cover the management of the personal information lifecycle and the guarantee of data subjects' rights; most of them relate directly to legal requirements, so organizations must clearly understand and comply with the applicable laws and regulations.
The personal information protection measures area requires systematically establishing measures that reflect the standards for safety measures and the results of the risk analysis carried out in the privacy management process, covering the technical, administrative and physical safeguard requirements for personal information (PIMS Certification Scheme, pp. 7-10, Korea Internet & Security Agency, April 2017). GDPR Article 83 defines the provisions whose infringement counts as general or serious, and in each European country preparation for GDPR compliance is guided by the implementation of the Data Protection Impact Assessment (DPIA). The European Union Agency for Network and Information Security (ENISA), an EU agency, presents DPIA indicators in its GDPR guidelines; the GDPR compliance information management index summarized in [Table 5] refers to the definitions of GDPR Article 83 and to these DPIA indicators. The ISMS indicators based on Article 47 of the Information Communication Network Act (Certification of Information Security Management System) and the GDPR indicators were compared and analyzed as shown in [Fig. 5].

Fig. 5: Comparative analysis of GDPR and ISMS indicators
The codes starting with A in the GDPR index are indicators for the imposition of fines in the event of a GDPR infringement; they are defined from the provisions related to personal data protection identified in the comparison of the GDPR with domestic laws (the Personal Information Protection Act and the Information Communication Network Act). For these, the compliance ratio of the ISMS information protection management process and information protection measures was low, because most of the indicators defined in relation to personal information are not included in the ISMS. The codes from B to U are the indicators for the DPIA, and most of them can be mapped to ISMS indicators. However, the T code, which covers deletion of personal information and processing, has no matching ISMS indicator. [7] The PIMS index based on Article 32-2 of the Personal Information Protection Act (Personal Information Protection Certification) and Article 47-3 of the Information Communication Network Act (Certification of Personal Information Management System) was compared with the GDPR in the same way [Fig. 6]. Here the asset management area, which is not included in the PIMS index, has no match for the GDPR E, F and I codes. [7] Finally, the ISMS, PIMS and GDPR compliance indicators were mapped against each other according to the similarity or degree of correspondence between the indicators [Fig. 7].

Fig. 7: Comparative analysis of GDPR and ISMS+PIMS indicators
The analysis of the ISMS, PIMS and GDPR compliance indicators showed that the A codes did not differ from the PIMS case: all the codes related to the GDPR personal data protection evaluation were matched. Mapping the ISMS and PIMS information security management indexes to the GDPR compliance index gave a compliance rate of 91.0%. [7]

Conclusion
The EU GDPR calls for a stronger level of personal data protection than the previous data protection rules: it establishes the principles of personal data processing, expands the rights of data subjects, and strengthens the responsibilities and obligations of companies. This study finds that companies need to understand the current status and legal requirements of the GDPR's application, identify each stage of their personal data processing, map the flow of personal data through their services and document it in a current flow chart, implement and manage protective measures based on risk analysis and evaluation, and establish a management system based on the information security management indexes proposed by ISMS and PIMS, including system establishment, continuous data protection impact assessment, and risk management. Finally, the implementation of the information security management system should be documented and the documents managed. The GDPR compliance requirements (173 recitals, 11 chapters, 99 articles, and the DPIA) were compared with the ISMS (Korea Information Security Management System) certification (12 management process items, 92 control items) and the PIMS (Personal Information Management System) certification (16 management process items, 20 lifecycle items, 50 protection measure items), and the result, a compliance rate of about 91%, confirms that compliance with the GDPR can largely be achieved by observing the domestic information protection management indexes.
In conclusion, the practical approach is to analyze the regulatory compliance required by the GDPR, derive from it the management system improvements the company must make, and thereby propose measures for an effective GDPR response by Korean companies conducting EU services or projects. However, the responsibilities the GDPR places on controllers and processors, such as the stricter consent requirements, the right to data portability, the right to be forgotten, and the rights concerning profiling, will require the revision of related domestic laws and the establishment of a new system. Some confusion among domestic companies is expected to be inevitable at the beginning of implementation, so continued study is needed to clarify the definitions and examples of the GDPR.