GDPR is coming…
May 2018 is the date when the European Union’s General Data Protection Regulation (GDPR) goes into effect. This means that any organization doing business in or with any EU member state has to comply with the strict requirements of this new privacy law.
The GDPR applies to any organization holding or processing personal data of EU citizens, and the maximum fine for non-compliance is 4% of the organisation’s worldwide turnover, but not higher than €20m. Moreover, the definition of personal data has been broadened so that even more data, including users’ behaviour, is classified as personal information.
Remember that your company must be able to show compliance by May 25, 2018, which means less than 5 months!
Do you know the new requirements?
1. Security by Design (article 25) – The idea is to build security measures in from the very first phase of any data processing system and to ensure that all of them are fully implemented and kept up to date throughout the processing lifecycle. Moreover, their effectiveness should be evaluated continuously.
2. Data Processing Security (article 32): Companies must implement data encryption with proper key handling and take care of pseudonymization of personal data. Other controls should ensure the confidentiality, integrity and availability of data, such as access control, log monitoring, backup systems, secure configuration, IPS/IDS, traffic encapsulation, etc. Additionally, companies should focus on implementing a disaster recovery plan and a business continuity process, taking into consideration regular penetration testing and vulnerability assessments of the systems involved in or related to the collection of personal data.
3. Data Protection Impact Assessments – When certain kinds of data about data subjects are to be processed, companies will first have to analyze the risks to those subjects’ privacy.
4. Right to be Deleted and Right to be Forgotten – the GDPR allows consumers to request that their data be deleted. This is probably the most controversial and most difficult requirement: how can a person stay out of the public view and “be forgotten” while the business also keeps the data for as long as it requires it?
5. Extraterritoriality – The new principle of extraterritoriality in the GDPR says that even if a company doesn’t have a physical presence in the EU but collects data about EU data subjects, then all the requirements of the GDPR are in effect. In other words, the new law will also extend outside the EU. This will especially affect e-commerce companies.
6. Breach notification – A new requirement is that companies will have to notify data protection authorities within 72 hours after a breach of personal data has been discovered. Data subjects will also have to be notified, but only if the breach poses a “high risk to their rights and freedoms”.
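Item 2 above names pseudonymization and key handling as Article 32 controls without showing what adequate pseudonymization looks like in practice. The following Python example is added here and is not part of the original post: it pseudonymizes a direct identifier (an e-mail address) with a keyed HMAC so that records of the same person can still be linked for analytics and erasure requests, while the key that enables re-identification is kept apart from the data set. For contrast it also shows why a plain unkeyed hash of a guessable identifier is not adequate pseudonymization. The sample records and the field name `email` are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records for the demonstration; the people are fictitious.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "country": "DE", "purchases": 3},
    {"email": "bob@example.com", "country": "FR", "purchases": 1},
    {"email": "alice@example.com", "country": "DE", "purchases": 2},
]


def new_pseudonym_key() -> bytes:
    """Generate a 256-bit pseudonymization key.

    The GDPR expects the 'additional information' that links a pseudonym back
    to a person to be kept separately from the data set, so this key belongs
    in a key-management system or vault, never next to the records.
    """
    return secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 over the identifier."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(identifier: str) -> str:
    """The weak variant: a plain SHA-256 of the identifier, shown for contrast."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymize_records(records, key: bytes, field: str = "email"):
    """Replace the direct identifier with a pseudonym, keeping other attributes.

    Records of the same person still share one subject_id, so deduplication,
    analytics and erasure requests keep working without the raw identifier.
    """
    out = []
    for record in records:
        copy = dict(record)
        copy["subject_id"] = pseudonymize(copy.pop(field), key)
        out.append(copy)
    return out


def matches_candidate(pseudonym: str, candidates, key: Optional[bytes] = None) -> Optional[str]:
    """Check whether a pseudonym corresponds to one of a list of known identifiers.

    With the key this is the legitimate re-identification path (for example to
    serve an access or erasure request). Without the key, an unkeyed hash of a
    guessable identifier can still be matched against a list of candidates,
    which is why plain hashing is not adequate pseudonymization for
    low-entropy data such as e-mail addresses.
    """
    for candidate in candidates:
        derived = pseudonymize(candidate, key) if key else unkeyed_pseudonym(candidate)
        if hmac.compare_digest(derived, pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonym_key()
    for row in pseudonymize_records(SAMPLE_RECORDS, key):
        print(row)
```

The design choice worth noting is that the pseudonym is deterministic per key but useless without it: rotating or destroying the key severs the link between the stored records and the people they describe, which is the property an Article 32 review will look for when it asks whether "pseudonymized" data is really protected.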
Moreover, the GDPR defines several roles that are responsible for ensuring compliance: the data controller, the data processor and the data protection officer (DPO).
The data controller defines how personal data is processed and the clear purposes for which it is processed, and at the same time is also responsible for making sure that outside contractors comply with the requirements.
Data processors may be the internal groups that maintain and process personal data records, or any outsourcing company that performs all or part of those activities. The GDPR holds processors liable for breaches or non-compliance. It’s possible, then, that both your company and its processing partner (a third-party provider) will be liable for penalties even if the fault lies entirely with the processing partner.
The GDPR requires the controller and the processor to designate a data protection officer to oversee data security strategy and GDPR compliance. Companies are required to have a DPO if they process or store large amounts of EU citizens’ data.
All the above will leave a lot of organizations vulnerable to fines.
However, the still unanswered question is how penalties will be assessed. For instance, how will fines differ for a breach that has minimal impact on individuals versus one where sensitive information was leaked? Probably we will see regulators act quickly against a few companies, find them non-compliant and issue some fines in order to send a message. Then, maybe, organizations can make a better assessment of what to expect in the case of a non-compliance finding.