On April 14, 2016, the European Parliament approved the General Data Protection Regulation (GDPR), which is intended to protect individuals in the European Union (EU) from privacy violations and data breaches in an increasingly data-driven world. The regulation replaces the Data Protection Directive 95/46/EC of 1995 and, unlike a directive, applies directly in every member state without national implementing law. What do you need to know before the regulation takes effect on May 25, 2018?
Know the key terms
Personal data: Any information relating to an identified or identifiable natural person (the “data subject”), whether the identification is direct or indirect. A name, an identification number, location data, and online identifiers such as an IP address or cookie ID all qualify.
Data controller: Entity that determines the purposes, conditions and means of the processing of personal data
Data processor: Entity that processes data on behalf of the data controller
Does it apply to my business?
GDPR applies to any organization processing the personal data of individuals in the EU, regardless of where the organization is located and regardless of whether the processing takes place in the EU. The obligations fall on both data controllers and data processors, so cloud and hosting providers that handle personal data on a customer’s behalf are not exempt from GDPR enforcement.
Are there financial impacts?
Organizations in breach of GDPR can be fined up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. A lower tier of up to €10 million or 2% of worldwide turnover applies to less serious infringements, such as failing to keep processing records or to notify a breach. Supervisory authorities can also order processing to stop, which for many businesses is the larger operational risk.
What are the operational impacts to businesses?
Designation of the Data Protection Officer (DPO): Appointing a DPO is mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (health, biometrics, criminal records and similar); it is good practice for everyone else. The DPO must be qualified and knowledgeable in privacy law and practice, must report to the highest level of management, and must have the independence, responsibility and authority to monitor compliance with applicable laws.
Performing Data Protection Impact Assessments (DPIA): A DPIA is required before any processing that is likely to result in a high risk to individuals, for example systematic profiling, large-scale processing of special categories of data, or systematic monitoring of public areas. You must understand and have a process for addressing the risks to the privacy rights of individuals when processing their personal data, not just the risk to the organization, and consult the supervisory authority if a high residual risk cannot be mitigated.
Security of Processing: An organization needs a risk-based security program (DPIA results included) built on established best practices that enforces the confidentiality, integrity and availability of personal data. The regulation names pseudonymisation and encryption, the ability to restore availability after an incident, and regular testing of the effectiveness of controls as measures to consider, and expects the controls to be proportionate to the risk and sensitivity of the data.
Vendor Management: When you outsource the processing of personal data, you need a written contract with the processor that covers GDPR requirements (processing only on your documented instructions, confidentiality, security measures, assistance with data-subject requests and breach notification, and deletion or return of the data at the end of the engagement), and you must manage the vendors in your supply chain on an ongoing basis to ensure compliance. Processors may not engage sub-processors without the controller’s authorization. You cannot simply outsource the liability for maintaining the confidentiality and integrity of the personal data.
Data Subjects’ Rights – Consent: Where you rely on consent as the legal basis for processing, it must be freely given, specific and informed, and the request must be clear and distinguishable from other matters (not a blurb hidden in a 30-page document), presented in an intelligible and easily accessible form using clear and plain language. Pre-ticked boxes and silence do not count as consent, and it must be as easy to withdraw consent as it is to give it.
Data Subjects’ Rights – Breach Notification: Organizations must have the people, processes and technologies to discover and respond to breaches of the confidentiality, integrity and/or availability of the personal data in their possession. A breach that poses a risk to individuals must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; if the risk to individuals is high, the affected data subjects must be informed as well. Processors must notify their controllers without undue delay. In practice this means detection, triage and escalation have to work on a clock, and the incident response plan should already say who decides whether an incident is notifiable.
Data Subjects’ Rights – Right to Access / Data Portability / Right to be Forgotten: On request, and normally within one month, you must be able to:
- Tell individuals whether you hold data about them, what data it is, where it came from, how you are using it and with whom it is shared.
- Provide their data to them in a structured, commonly used and machine-readable format that they can port to another provider.
- Cease use of and erase their personal data, including copies held by your processors, unless a legal ground to retain it applies (for example a legal obligation or the establishment or defence of legal claims).
Meeting these obligations presupposes that you know where personal data lives in every system, backup and vendor, which is why a data inventory is usually the first practical step.
Privacy by Design and by Default: This is an obligation on controllers rather than a data subject right. You must demonstrate that privacy and security are considered in everything you do from the moment you begin collecting personal data, and that by default you collect, retain and expose only the data needed for each purpose. Privacy and security cannot be a “bolt-on” or an afterthought.
As with all security, compliance and privacy initiatives, it is better to build and maintain a risk- and standards-based (ISO and NIST) security and privacy program than to chase individual laws one at a time. Much of GDPR compliance is a byproduct of a good security program; the remaining parts, such as establishing a lawful basis for processing and honoring data subject requests, still require a privacy program that the security organization supports.
For more information on how Sirius Security Solutions can help with GDPR and all your privacy, compliance and enterprise security needs, visit our Security & Risk Management webpage or contact us today.