GDPR: four little letters that spell big headaches for American companies that do business with, or partner with, companies overseas. It should be a serious concern for these organizations, and it does not look like it is going away anytime soon. If you need proof, ask Google, which was fined roughly $57 million (€50 million) by the French regulator in 2019 for breaching GDPR's transparency and consent rules. This article highlights some of the key points and is not a substitute for your own due diligence.
To understand how we got here, it helps to review the history of GDPR. GDPR, the General Data Protection Regulation (EU) 2016/679, was adopted in April 2016 and became enforceable on May 25, 2018. The regulation requires any organization that processes the "personal data" of individuals in the EU (not only EU citizens) to protect that data with appropriate technical and organizational measures, to be able to detect and respond to breaches, to regularly test the effectiveness of those measures, and to document evidence of compliance. GDPR replaces the 1995 Data Protection Directive (95/46/EC) and the patchwork of national laws that implemented it. The main differences from the previous regime are the severity of the potential fines and new or strengthened requirements such as breach notification, the right of access, the right to erasure ("right to be forgotten"), and so forth.
The intent of GDPR is to strengthen security and improve privacy protection for both "personal data" and "special categories" of personal data (commonly called "sensitive data") of individuals in the EU.
Under GDPR, "personal data" is defined as "any information relating to an identified or identifiable natural person ('data subject')." Identifiability is read broadly: a name, an identification number, location data, or an online identifier such as an IP address, cookie string, or mobile device ID can all make a person identifiable, and so can combinations of physical, economic, cultural, or social characteristics. This is a much wider definition than most U.S. law uses; where U.S. federal and state statutes define "personal information" at all, they do so narrowly and inconsistently.
"Sensitive data," the special categories of Article 9, is a narrower subset of personal data that carries stricter rules: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data used for identification, health data, and data about a person's sex life or sexual orientation. Processing these categories is prohibited by default unless a specific exception (such as explicit consent) applies. Note that context matters: a social media post or a job application that reveals one of these attributes becomes sensitive data even if the field was never labeled as such.
Who GDPR Applies To
GDPR, unlike its predecessor, the 1995 EU Data Protection Directive, places legal obligations directly on both data controllers and data processors, and it reaches outside the EU. Under Article 3, an organization with no employees or offices in the EU is still subject to GDPR if it offers goods or services to people in the EU or monitors their behavior (for example, by tracking EU visitors to a website). Many US-based businesses fall into one of those two categories without realizing it.
Penalties are tiered. Violations of most operational obligations (security measures, breach notification, records of processing) carry fines of up to €10 million or 2 percent of worldwide annual turnover for the preceding year, whichever is higher. The worst cases, such as violating the core principles, the lawful-basis rules, or data subjects' rights, max out at €20 million (more than $20 million) or 4 percent of worldwide annual turnover, whichever is higher.
If you have read this far, you probably realize that GDPR is here to stay. If you do not already have the required security tools and controls in place, your organization will need to implement new security controls, policies, and procedures in order to demonstrate compliance. For security- and privacy-conscious organizations, the regulation should not bring much technical overhead; most of the work is documenting what you already do and proving it. For organizations that never achieved compliance with the data protection laws GDPR replaces, the impact will be much greater.
Requirement 1: Obtain Valid Consent Where Consent Is Your Lawful Basis
GDPR does not require consent for every processing operation; consent is one of six lawful bases in Article 6, alongside contract, legal obligation, vital interests, public task, and legitimate interests. When you do rely on consent, however, it must be freely given, specific, informed, and unambiguous, and it must be an affirmative act. Silence, inactivity, or pre-ticked boxes no longer count. The request for consent must be laid out in plain, straightforward language, separate from other terms, and must clearly explain who is collecting the data, what it will be used for, and how long it will be kept. Consent is bound to a purpose: if you want to use the data for a new purpose, or the terms you presented change materially, you need a new consent. The burden of proof is on you, so you must keep records showing who consented, to what, when, and how. Finally, your customers may withdraw consent at any time, withdrawing must be as easy as giving it, and you must stop the consent-based processing promptly once they do.
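The rules above (affirmative opt-in, purpose-bound consent, re-consent when the terms change, easy withdrawal, and provable records) map naturally onto an append-only consent ledger. The following is an added illustration, not code from the original article or any named product; the class and field names, the purpose strings, and the sample events are invented for the example. It assumes consent is captured per subject and per purpose, and that each consent is tied to the version of the notice the person actually saw.

```python
"""Append-only consent ledger modelling GDPR consent rules.

Added example; all names and sample data are invented. Records are never
edited or deleted, so the ledger itself is the audit trail that lets you
prove consent was given (and for which purpose and notice version).
"""

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # your internal identifier for the data subject
    purpose: str           # one specific purpose, e.g. "marketing-email"
    terms_version: str     # version/hash of the plain-language notice shown
    granted: bool          # True = affirmative opt-in, False = withdrawal
    timestamp: datetime    # when the event was recorded (UTC)
    evidence: str          # how it was captured, e.g. "checkbox:signup-form"


class ConsentLedger:
    """Purpose-specific, versioned, withdrawable consent with an audit trail."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, terms_version: str,
               granted: bool, evidence: str,
               at: Optional[datetime] = None) -> ConsentEvent:
        # Append only: a withdrawal is a new event, never a deletion, so the
        # history of what the person agreed to (and when) is preserved.
        event = ConsentEvent(subject_id, purpose, terms_version, granted,
                             at or datetime.now(timezone.utc), evidence)
        self._events.append(event)
        return event

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        # Most recent event for this subject and this purpose only; consent
        # for one purpose says nothing about another.
        for event in reversed(self._events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event
        return None

    def may_process(self, subject_id: str, purpose: str,
                    current_terms_version: str) -> Tuple[bool, str]:
        """Decide whether consent-based processing is permitted right now.

        Returns (allowed, reason). Every 'no' is explicit so the caller can
        decide between blocking, re-prompting, or falling back to a different
        lawful basis (which must itself be documented).
        """
        event = self.latest(subject_id, purpose)
        if event is None:
            return False, "no consent on record (silence is not consent)"
        if not event.granted:
            return False, f"consent withdrawn at {event.timestamp.isoformat()}"
        if event.terms_version != current_terms_version:
            return False, (f"terms changed ({event.terms_version} -> "
                           f"{current_terms_version}); re-consent required")
        return True, (f"consent granted at {event.timestamp.isoformat()} "
                      f"via {event.evidence}")

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded about one subject, e.g. for an access request."""
        return [e for e in self._events if e.subject_id == subject_id]


def demo() -> List[bool]:
    """Walk through the lifecycle with constructed sample events."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    outcomes = []
    # 1. Nothing recorded yet: processing is not allowed.
    outcomes.append(ledger.may_process("u-1001", "marketing-email", "v1")[0])
    # 2. Affirmative opt-in captured on the signup form.
    ledger.record("u-1001", "marketing-email", "v1", True,
                  "checkbox:signup-form", at=t0)
    outcomes.append(ledger.may_process("u-1001", "marketing-email", "v1")[0])
    # 3. Same person, different purpose: no consent for analytics.
    outcomes.append(ledger.may_process("u-1001", "analytics", "v1")[0])
    # 4. The notice was rewritten (v2): the v1 consent no longer covers it.
    outcomes.append(ledger.may_process("u-1001", "marketing-email", "v2")[0])
    # 5. Withdrawal via unsubscribe link; processing must stop.
    ledger.record("u-1001", "marketing-email", "v1", False,
                  "link:unsubscribe", at=t0.replace(month=3))
    outcomes.append(ledger.may_process("u-1001", "marketing-email", "v1")[0])
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. "Latest" is determined by append order, not by the supplied timestamp, so a backdated record cannot quietly override a withdrawal. And the ledger only answers the consent question; if `may_process` returns False and you continue processing under another lawful basis such as contract or legitimate interests, that basis has to be recorded and justified separately, because "we had no consent but did it anyway" is exactly what a regulator will ask about.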
Requirement 2: Designate a Data Protection Officer (DPO)
Under Article 37, if your organization meets any one of these three criteria, you must designate a DPO (who may be an employee or an external contractor, but must be independent and report to the highest level of management):
- When the organization is a public authority or body
- When the organization’s core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale
- When the organization’s core activities consist of large-scale processing of special categories of data (sensitive data such as personal information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offenses
The criteria are about what you do, not how big you are, so even a small organization that meets one of them must designate a DPO. Organizations outside these criteria may still appoint one voluntarily, and several EU member states impose additional national thresholds.
Requirement 3: Perform a Data Protection Impact Assessment (DPIA)
GDPR does not require a DPIA for every processing operation. Article 35 requires one before starting any processing that is "likely to result in a high risk" to individuals, and it names three cases that always qualify: systematic and extensive automated evaluation or profiling that produces legal or similarly significant effects; large-scale processing of special categories of data or criminal-conviction data; and systematic, large-scale monitoring of a publicly accessible area. Supervisory authorities publish additional lists of operations that trigger a DPIA. The assessment should describe the processing and its purposes, assess its necessity and proportionality, identify the risks to data subjects, and document the controls and alternatives chosen to mitigate those risks. If residual risk remains high, you must consult the supervisory authority before proceeding.
Requirement 4: Data Protection is a Must
Article 32 requires organizations to implement technical and organizational measures "appropriate to the risk," and it names examples: pseudonymization and encryption of personal data; the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore availability and access in a timely manner after an incident; and a process for regularly testing and evaluating the effectiveness of those measures. Article 25 adds data protection by design and by default: you must evaluate the data you collect, keep only what the specific purpose requires, keep it only as long as that purpose needs, and make sure it is not accessible to more people, systems, or third parties than the lawful basis allows.
Instead of prescribing specific technical controls, GDPR puts the onus on your organization to choose measures that fit the risk and to be able to show why they are appropriate. If you are breached, expect to defend that reasoning, and expect the absence of basic controls such as encryption, access control, logging, and tested backups to count against you.
Requirement 5: Report Data Breaches
Article 33 requires organizations to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; if notification is late, you must explain the delay. Where the breach is likely to result in a high risk to individuals, Article 34 additionally requires notifying the affected data subjects without undue delay. Processors must notify their controllers without undue delay so the controller can meet the 72-hour clock. The notification to the authority should:
- Describe the nature of the breach, including the categories and approximate number of data subjects affected and the categories and approximate number of personal data records concerned (a breach covers loss, alteration, and unauthorized disclosure or access, not only theft)
- Communicate the name and contact information of the data protection officer or other relevant contacts
- Describe the likely consequences of the breach
- Describe the measures taken or proposed to address the breach, including measures to mitigate possible adverse effects of the breach
Requirement 6: Data Minimization and Erasure
As referenced above, the data-minimization and storage-limitation principles of Article 5 require you to limit the personal data you keep to what is needed for the stated purpose, and to keep it only as long as that purpose requires. If you do not need it, delete it. In addition, under Article 17 individuals have the right to erasure: when they withdraw the consent you were relying on, object to the processing, or the data is no longer necessary for its purpose, you must delete it without undue delay. Your organization must remove the data from your own systems, including backups on a documented schedule, and must take reasonable steps to inform every recipient you shared the data with that the individual has requested erasure, which in practice means maintaining a record of whom you shared each data set with.
Now more than ever, boardrooms face a global push to protect privacy, and GDPR puts real teeth behind it. Companies that ignore the warning signs risk severe financial penalties. If your organization already has a well-documented privacy program, with a data inventory, a defined lawful basis for each processing activity, and tested security controls, GDPR will be a minor hurdle. Everyone else must start looking at their responsibilities as defined under GDPR and begin to take action immediately.