The General Data Protection Regulation (GDPR) is generating a lot of noise at the moment, to the extent that in some circles, technology and marketing mostly, it has become the new buzzword. The reason GDPR is such a hot topic is that this piece of legislation will change how organisations must handle data security and data privacy in a big way, and it brings new requirements for your organisation.
The new EU personal data regulation applies from 25 May 2018. All companies that process the personal data of people in the EU should be preparing now so that they are compliant by that date.
What is GDPR?
After four years of preparation and debate the GDPR was approved by the EU Parliament in April 2016. The GDPR is a complex text, totalling eleven chapters divided into 99 articles. All companies must be compliant when the GDPR becomes enforceable on 25 May 2018. Organisations found not to be compliant face substantially higher fines than under current law.
The GDPR gives individuals in the EU control over their personal data: the right to know what data is being collected, when it is collected and what it will be used for, the right to access that data, and the right to have it erased or to withdraw consent to its processing on request.
The controls the GDPR requires you to put in place (access control, encryption, logging and regular testing of security measures) also protect your organisation's own data, information and knowledge from theft. Ultimately you should treat digital data in the same way as sensitive paper documents stored in a safe: without appropriate measures, digital data can be copied and sold quickly and at scale. Protecting sensitive company data is a worthwhile endeavour in its own right, necessary to safeguard your organisation's competitive advantage.
About the GDPR
GDPR is a new EU regulation designed to replace the existing Data Protection Directive. GDPR applies to the processing of personal data of individuals who are in the EU, so even if your business is located outside the EU, the reach of GDPR can still affect you.
The new data protection framework brings stronger penalties for compliance failure and new rules on the storage and handling of personal data. GDPR tightens the rules on consent and on the other lawful bases for processing, and aims to give individuals trust in the companies they choose to deal with by giving them greater control over their own data and what is done with it.
Irrespective of the UK's imminent uncoupling from the EU, the law still very much applies to UK businesses, particularly those which handle the data of individuals within the EU.
If your company processes the personal data of any individuals, whether customers or potential customers, the GDPR requires that you have a lawful basis for handling that data or using it in any way. Where that basis is consent, the consent must be clear, specific and freely given, which is a higher bar than today.
Adopted in 1995, the existing directive was established before the days of widespread internet use, which has significantly changed the way we create, use, share and store information. Alongside updating data protection, GDPR is also aimed at unifying approaches to data privacy and security. Being a directive, the existing framework had, by its nature, the flexibility to be implemented by EU member states as they saw fit, resulting in quite different approaches to data protection across Europe. GDPR is a regulation and so applies directly and uniformly in every member state. At the core of GDPR is the aim to simplify, unify and update the protection of personal data.
The GDPR's mandate is to protect personal data. Its focus is the protection of individuals, but the standards it sets for handling that data also raise the baseline of security practice in public bodies and private corporations.
So what does this mean for organisations?
Changes under GDPR are aimed at moving companies away from a tickbox compliance attitude to the security and privacy of personal information, and towards a company-wide approach to managing the lifecycle of personal data. With the GDPR compliance date looming, here are some key points to consider in ensuring your organisation is ready.
The top ten key points are:
- GDPR has a wider geographic scope. You do not have to be based in Europe for it to apply. Any company that offers goods or services to individuals in the EU, or monitors their behaviour, will be subject to GDPR. Even if you are offering a free service, such as a website that people in the EU access, you may be subject to GDPR if you collect IP addresses or track cookies.
- Data Protection Authorities (DPAs) will have the power to impose much more severe penalties for breaches of the regulation. There is a tiered approach to fines under GDPR. The maximum fine for the most serious infringements, such as not having a lawful basis (for example sufficient consent) to process data, is 4% of annual global turnover or €20 million, whichever is greater. For less serious infringements, such as failure to notify about a breach, a fine of up to 2% of annual global turnover or €10 million, whichever is greater, applies. This is far beyond the fines currently in place; for example, in the UK, the maximum penalty for breaching the Data Protection Act is £500,000, and the largest fine so far imposed was £400,000, issued to TalkTalk in 2016 for security failings that allowed an attacker to access customer data easily. Under GDPR the same failings could have cost an estimated £54m.
- Personal data is any information relating to an identified or identifiable person. The determining factor is the possibility of connecting the data to a specific individual, directly or indirectly. Examples include car licence plates, account numbers, social security and national insurance numbers, registration numbers, online identifiers such as email and IP addresses, and mobile device identifiers. What matters in applying the regulation is not where the company is located but where the individual whose data is collected is located.
- Organisations will need a valid lawful basis for processing, and where that basis is consent it must be freely given, specific, informed and unambiguous, given by a clear affirmative action; companies will no longer be able to bury consent in long, illegible terms and conditions. Individuals will also have more rights regarding the processing of their data, for example the right to erasure (often referred to as the 'right to be forgotten') and the right to data portability, which entitles them to receive their data in a machine-readable format and to have it transmitted to another controller.
- Technical and organisational measures to protect personal data become mandatory, with the GDPR (Article 32) giving examples of the measures expected. These include the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access after an incident, and a process for regularly testing the effectiveness of security measures.
- Records of processing activities become mandatory (Article 30). Organisations will need to keep a written (electronic) record of their personal data processing activities, capturing the name and contact details of the controller, the purposes of processing, the categories of data and data subjects, recipients, retention periods and a description of the security measures in place.
- Data protection impact assessments will be required before introducing technology or processes that are likely to present a high risk to individuals, for example large-scale profiling.
- The reporting of personal data breaches becomes mandatory. Under Article 33 of the GDPR, organisations must report breaches of personal data to the DPA without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. If a breach poses a high risk to individuals, for example because the personal data involved was not encrypted, those individuals must also be informed without undue delay.
- If your organisation is a public authority, monitors individuals regularly and systematically on a large scale, or processes special categories of data (particularly sensitive personal data) on a large scale, you will be required to appoint a Data Protection Officer (DPO). The DPO monitors the organisation's compliance with the regulation, must report directly to the highest management level, must perform their tasks independently, and cannot be dismissed or penalised for performing them.
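The technical measures point above names pseudonymisation as one of the controls the regulation expects. A common mistake is to treat a plain hash of an identifier as pseudonymisation: the space of plausible email addresses or account numbers is small enough that an attacker can simply hash a dictionary of candidates and recover the originals. The example below is added here and is not code from the whitepaper; it uses a keyed HMAC so that the pseudonyms are only reversible by whoever holds the key, which Article 4(5) requires to be kept separately from the pseudonymised data. The record layout, the `email` field and the demo key are assumptions for illustration.

```python
"""Pseudonymising personal data: why a plain hash is not enough.

Added example, not from the page.  Shows the weak approach (unkeyed SHA-256)
being reversed by a dictionary attack, and the keyed approach (HMAC-SHA256)
that GDPR-style pseudonymisation should use, with the key stored separately.
"""
import hashlib
import hmac
import secrets

# Constructed sample records; the "email" field is the direct identifier.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "plan": "pro", "logins_30d": 14},
    {"email": "bob@example.com", "plan": "free", "logins_30d": 2},
    {"email": "alice@example.com", "plan": "pro", "logins_30d": 3},
]

# Attacker's guess list of likely identifiers (constructed).
ATTACKER_DICTIONARY = ["carol@example.com", "alice@example.com", "bob@example.com"]

# Demo key only, so the example is deterministic.  In production generate it
# with generate_key() and store it in a KMS/HSM, not beside the data.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def normalise(identifier: str) -> str:
    """Canonicalise so that the same person always yields the same pseudonym."""
    return identifier.strip().lower()


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed hash: looks opaque, but any guess can be checked offline."""
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


def reverse_naive_pseudonym(pseudonym: str, candidates):
    """Dictionary attack: hash each guess and compare.  No key is needed."""
    for candidate in candidates:
        if hmac.compare_digest(naive_pseudonym(candidate), pseudonym):
            return candidate
    return None


def generate_key() -> bytes:
    """256-bit pseudonymisation key, to be held separately from the data set."""
    return secrets.token_bytes(32)


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: deterministic for a given key, so records can
    still be joined, but useless to an attacker who lacks the key."""
    return hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes, field: str = "email"):
    """Replace the direct identifier in each record with its keyed pseudonym.
    Other fields are left untouched so the data stays useful for analysis."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy[field] = keyed_pseudonym(copy[field], key)
        out.append(copy)
    return out


def pseudonymised_records_match(records, a: int, b: int, field: str = "email") -> bool:
    """True if two pseudonymised records belong to the same individual."""
    return hmac.compare_digest(records[a][field], records[b][field])


if __name__ == "__main__":
    weak = naive_pseudonym("alice@example.com")
    print("naive pseudonym reversed to:", reverse_naive_pseudonym(weak, ATTACKER_DICTIONARY))
    safe = pseudonymise_records(SAMPLE_RECORDS, DEMO_KEY)
    print("keyed pseudonym in dictionary?", reverse_naive_pseudonym(safe[0]["email"], ATTACKER_DICTIONARY))
    print("records 0 and 2 same person?", pseudonymised_records_match(safe, 0, 2))
```

Two properties matter for a practitioner: the keyed pseudonym still lets you join or de-duplicate records for the same individual (records 0 and 2 above match despite different capitalisation), and re-identification is possible only for the party holding the key, which is what lets pseudonymised data be treated as lower risk under the regulation.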
The legislation requires data protection by design and by default (Article 25). Privacy by design is a concept that has existed for years, but the GDPR is the first time it has become a legal requirement. At its core, privacy by design calls for data protection to be built into systems from the start of their design, rather than bolted on afterwards.
The legal and technical changes required to comply with GDPR are significant and will reach deep into the organisation. Becoming compliant is not something the legal and information security teams can achieve alone. Senior-level support is key to embracing these changes and to providing the financing and resourcing needed to achieve compliance.
The full whitepaper sets out the steps you need to take to implement a GDPR security framework in your organisation, the further opportunities GDPR opens up, and examples of what poor data handling looks like.