GDPR is a regulation that covers transactions that occur within EU member states and requires businesses to protect the personal data and privacy of EU citizens. Non-compliance isn’t an option, as it could cost companies dearly, so below is what every company that does business in Europe needs to know about GDPR.
Companies that collect data on citizens in European Union (EU) countries have until May 25th to comply with strict new rules around protecting customer data. The GDPR will likely set a new standard for consumer data and consumer rights; the challenge will be for companies to put the systems and processes in place to make sure they comply.
Security teams will need to assess the new expectations, particularly in terms of what is considered personal identification information. An individual’s IP address and cookie data will require the same level of protection as name, address and Social Security number.
There are some greyer areas where the lack of a set definition creates room for interpretation. Companies must provide a “reasonable” level of protection for personal data, but it’s not made explicit what exactly “reasonable” is. This might make you think there’s scope for flexibility on the company’s part; however, it actually gives the GDPR governing body a lot of leeway when it comes to assessing data breaches and non-compliance and deciding fines.
With only a few months left to make sure your company is complying with the new regulations, we thought it useful to provide key information and advice for meeting the requirements.
What is the GDPR?
In April 2016, the European Parliament replaced an outdated 1995 data protection directive with the GDPR. It sets out to ensure that businesses protect EU citizens’ personal data and privacy for all transactions that occur within EU member states. The exportation of personal data outside the EU is also regulated by the GDPR.
Companies have just this one standard to meet within the EU, as the provisions are consistent across all 28 EU member states. The standard, however, is rather high: most companies will need to make a large investment to meet it and to administer it.
Why does the GDPR exist?
Before the GDPR, the EU brought in its Data Protection Directive in 1995. At that point, the internet was not the online business hub that it is today, which makes the directive severely outdated. With the amount of business that is carried out online now, there is public concern over privacy, and this is what the GDPR seeks to protect in Europe. Generally, Europe has had much more stringent rules around how companies use the personal data of its citizens, and with the dramatic increase in online business since the last directive, the GDPR replaces these outdated regulations. The GDPR addresses things that previously did not need to be considered, such as how data is stored, collected and transferred.
Recently a number of high-profile data breaches have hit the headlines, which makes privacy a very real public concern. RSA surveyed 7,500 consumers in France, Germany, Italy, the UK and the U.S., and found that 80% of consumers said that lost banking and financial data is a top concern. 76% of respondents also cited lost security information (e.g., passwords) and identity information (e.g., passports or driving licences) as a concern.
The report’s authors concluded that, “As consumers become better informed, they expect more transparency and responsiveness from the stewards of their data.” 62 percent of the respondents said that if there was a data breach and their information was lost, they wouldn’t blame the hacker, but the company. This is a rather alarming statistic for any company that deals with consumer data.
There seems to be a distinct lack of trust between consumers and companies when it comes to personal information, with 41% of respondents admitting to providing false information when signing up for services online in order to take their own countermeasures against security fears, unwanted marketing and the risk of having their information resold to third parties.
There’s not much forgiveness for companies that suffer breaches either, with 72% of American respondents saying they would boycott any company that seemingly doesn’t take appropriate measures to protect their data. However, a company that openly proves its dedication to data protection would see 50% of respondents choosing to shop with it.
The report concludes that “As businesses continue their digital transformations, making greater use of digital assets, services, and big data, they must also be accountable for monitoring and protecting that data on a daily basis.” This is where the GDPR comes in.
What types of privacy data does the GDPR protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Will my company be affected by the GDPR?
If your company stores or processes personal information about EU citizens within EU states, then it must comply with the GDPR.
The specific criteria for companies required to comply are:
- A presence in an EU country.
- No presence in the EU, but it processes personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees, but its data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies. A PwC survey showed that 92 percent of U.S. companies consider GDPR a top data protection priority.
When does my company need to be in compliance?
Companies have until May 25th 2018 to show compliance.
Who within my company will be responsible for compliance?
There are several roles that the GDPR defines as responsible for ensuring compliance. These are: data controller, data processor and the data protection officer (DPO).
The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.
Data processors maintain and process personal data records; these can be an internal group or any outsourcing firm that performs all or part of those activities. The processors are liable for any breaches or non-compliance. Even if a company uses a processing partner like a cloud provider, in the event of a breach it is possible that both your company and the processing partner will be liable for any penalties incurred.
A designated DPO is required to oversee data security strategy and GDPR compliance. If a company processes or stores large amounts of EU citizen data, processes special categories of personal data, regularly monitors data subjects, or is a public authority, then it is required to have a DPO. Some public entities, such as law enforcement, may be exempt from the DPO requirement.
How does the GDPR affect third-party and customer contracts?
Your company is only compliant if any third party processor is compliant. The GDPR places equal liability on data controllers (the organization that owns the data) and data processors (outside organizations that help manage that data). Everyone in the chain must also be able to comply with rules on reporting any breaches. Customers must also be informed of their rights under GDPR.
In simple terms, all contracts with processors need to clearly lay out responsibilities, and be revised to define processes for data management, data protection and the reporting of breaches. This will be one of the largest exercises that needs to be carried out to ensure GDPR compliance.
You need to understand where data is being stored or processed and where it’s being exported outside the company. Once these data flows and their impact on the business are understood, you can start to identify the vendors you need to focus on most, both from a security perspective and in how you manage those relationships going forward. This needs to be written into the contract itself so that outside firms know what they can and cannot do with the data in order to protect it. The GDPR could well change the mindset of business and security teams toward data, from treating it as an asset to treating it as a set of liabilities, which is a thoroughly different frame of mind for legal and compliance.
To prepare operationally for GDPR compliance, you must go through a process of defining obligations and responsibilities. For example, in the event of a hack, would your vendors know who to call and how to respond, all the while ensuring they are meeting the required regulations?
The GDPR has a 72-hour reporting window, so it’s imperative that vendors know how to properly report any breach. A regulator requires the policies, procedures, and response structure to be in place to resolve a breach quickly.
All revised and renegotiated contracts need to be in place by the May deadline, or else the company is open to the following possible risks:
- Operational: If you haven’t agreed on what your processes will be with a vendor, it’s not clear how you will be operating under GDPR.
- Vendor management: Under GDPR, you need to know how your vendors operate, including their security framework and how they manage data. Without that knowledge, you don’t know the risk they present.
- Regulatory fines: If a breach occurs, not having contracts in place might well work against the company. You need to know, and be able to show that you know, what your vendors are doing and how you are treating the data. This is a reflection of how organised the company is and how well you understand your data flows.
Head to Part 2 of this blog here: https://geekabit.co.uk/2018/03/04/part-2-general-data-protection-regulation-gdpr-the-requirements-deadlines-and-facts/