The clock is quickly ticking down to May 25, 2018, when the European Union begins enforcing the General Data Protection Regulation (GDPR), the most far-reaching data protection law ever enacted. Why should you care if you are a U.S. company, right?
Here’s why it matters: GDPR applies to any business that processes the personal data of people in the EU, regardless of the country in which that business is based. Citizenship is not the test; the law protects individuals who are in the EU when their data is collected or their behavior is monitored.
It may be intimidating, but here’s the info you need to know to get ready:
What is the purpose?
Adopted in April 2016 and replacing the 1995 Data Protection Directive, this monumental privacy law gives individuals in the European Union (EU) more control over their personal data and applies one set of data protection rules across every EU member state.
Who does it affect?
It affects every company established in the EU, plus any company outside the EU that offers goods or services to people in the EU or monitors their behavior (for example, by tracking visitors to a website). In short, if you process or hold the personal data of people in the EU, the GDPR applies to you, regardless of where your company is located.
What types of data does it regulate?
Many types of data fall under the umbrella of GDPR, including:
- Personal data – any information relating to an identified or identifiable natural person, such as a name, an email address, or an account number
- Racial or ethnic origin
- Religious/philosophical beliefs
- Political opinions
- Sexual orientation
- Trade union membership (this item and the four above it are “special categories” of personal data that may be processed only under narrow conditions)
- Online identifiers (e.g., IP addresses, cookie IDs, device IDs, GPS location data), which count as personal data whenever they can be linked to a person
Who are the key players?
If you read the official GDPR legislation (a real page-turner), you’ll notice many different roles involving “data”. Below is a list of the key players involved in the protection of data:
- Data Controller – The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; in plain terms, the party that decides why and how personal data is used
- Data Processor – The natural or legal person, public authority, agency, or other body that processes personal data on behalf of a Data Controller, for example a cloud host, a payroll provider, or a SaaS analytics vendor
- Data Protection Authority – The independent national supervisory authority tasked with protecting data and privacy as well as monitoring and enforcing the regulation
- Data Protection Officer – An expert on data protection law and practice who works independently within an organization to monitor its compliance with GDPR and with its own data protection policies; mandatory for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data
- Data Subject – An identified or identifiable natural person whose personal data is processed by a Data Controller or Data Processor
What are the penalties for non-compliance?
The fines for non-compliance are massive and are delivered in a tiered approach depending on the violation.
- Tier 1 – These are lesser offenses for which companies can be fined up to €10 million or 2% of the company’s total worldwide annual turnover from the previous financial year, whichever is higher. Generally, fines in this tier are imposed for breaches of the obligations placed on Data Controllers and Data Processors, such as failing to keep records of processing, to implement appropriate security measures, to notify breaches, or to appoint a Data Protection Officer when one is required.
- Tier 2 – These are more serious offenses for which companies can be fined up to €20 million or 4% of the company’s total worldwide annual turnover from the previous financial year, whichever is higher. Generally, fines in this tier are imposed for breaches of the basic principles of processing (including the conditions for consent), of Data Subjects’ rights, of the rules on transferring personal data outside the EU, or of an order issued by a supervisory authority.
Alternatively, or in addition to a fine, the GDPR gives supervisory authorities a range of other corrective powers, including:
- Issue warnings
- Issue reprimands
- Order compliance with Data Subjects’ requests
- Order the Data Controller to communicate a personal data breach directly to the affected Data Subjects
- Order processing to be brought into compliance, or impose a temporary or definitive ban on processing
What Data Subject rights and related obligations does GDPR create?
Several of the items people associate with GDPR are rights that Data Subjects can exercise; others are obligations placed on Data Controllers and Data Processors that exist to protect those rights.
- Breach notification – When a personal data breach is likely to result in a risk to the rights and freedoms of individuals, the Data Controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. When the breach is likely to result in a high risk to individuals, the affected Data Subjects must be told as well. Data Processors must notify the Data Controller without undue delay after discovering a breach
- Data Portability – The right for a Data Subject to receive their personal data in a “structured, commonly used and machine-readable format” and to transmit that data to another controller
- Privacy by Design – The obligation to build data protection into systems and processes from the outset, and to default to the most privacy-protective settings, rather than bolting protection on afterward
- Right to Access – The right for Data Subjects to obtain confirmation from the Data Controller as to whether their personal data is being processed and, if so, a copy of that data together with the purposes of processing, the categories of data involved, the recipients, and how long it will be kept
- Right to Erasure – Also known as the “right to be forgotten”; allows the Data Subject to have the Data Controller erase their personal data and cease further dissemination of it. A controller that has made the data public must also take reasonable steps to inform other controllers processing it that erasure has been requested
How can I benefit from GDPR?
Although it is a trailblazing regulation with massive fines that loom over businesses around the globe, achieving compliance will not only help you avoid those fines, but also improve your business. Here’s how:
- Achieving compliance allows you to gain a better understanding of the existing data in your environment, specifically understanding the systems across which it’s stored.
- Notifying the supervisory authority within 72 hours of becoming aware of a breach is a hard deadline in GDPR, so if you don’t have an incident response plan in place currently, achieving compliance is the occasion to create one. Meeting that clock means you need logging and detection that actually tell you a breach happened, a practiced process for establishing which data and which people were affected, and a clear decision path for who notifies whom. A formalized, practiced incident response plan will also help you minimize the damage in the event of a data breach.
- Not every company will be GDPR-compliant by May 25. However, if you are, you have an advantage in the marketplace against competitors that might not be compliant.
How do I achieve compliance?
There’s no magic bullet to achieve compliance. It’s a combination of many security and governance practices, including staff security training, incident detection and response, an inventory of the personal data you hold and where it lives, access controls that limit who can reach that data, and data retention and deletion policies that can actually honor an erasure request (backups included).
There are hundreds if not thousands of resources online you can sift through to find out how you can prepare yourself for May 25. However, we’ve studied it and understand this is the most comprehensive legislation regarding cyber security. We can not only help you understand it, but also help you get ready for it. Through endpoint protection, incident and breach response, security training, Security Information and Event Management (SIEM), Security Operations Center (SOC) monitoring, and compliance assessments, we can help eliminate your worry regarding this sweeping legislation.
What if I’m not compliant by May 25?
Spiceworks conducted a survey of nearly 800 IT professionals in the U.S., U.K., and EU to determine how prepared they are for GDPR. Based on their findings, only 9% of IT professionals in the U.S. felt informed about GDPR and its impact on businesses. There have been several similar studies done within the past year to evaluate how ready businesses are for GDPR, and based on the collective results, it’s safe to say many businesses around the world will not be ready in time.
However, with so many businesses affected, we believe that enforcement of GDPR initially will be selective at best. If you know you are bound by GDPR, it’s important to work toward compliance; however, it’s unlikely EU data protection authorities will bust down your door on May 25 to check.
Read the second part of this blog focusing on the spirit of the law and the Four Cornerstones of the GDPR.