That’s right folks, it hasn’t gone away…
What is the GDPR? The European Union General Data Protection Regulation (GDPR)
Data protection is a global issue that has been growing more challenging every year. We often see headlines about huge data breaches from businesses and corporations we thought we could trust—incidents that cost those companies billions in revenue, damage control, and customer loss. Furthermore, the clientele of these enterprises are also detrimentally affected by these phenomena; their confidential information is leaked online or ends up in cybercriminal hands to be exploited and used unscrupulously. Given that thievery remains a highly lucrative business model for digital criminals, data breaches and thefts are unlikely to end anytime soon.
On May 25, 2018, a new regulation will come into force and be enforced, which is expected to usher in a new and improved era for personal data security. The EU General Data Protection Regulation, or GDPR, is a reform of the European Union’s data protection legislation that aims to provide guidance on and regulate how businesses handle their customers’ personal information throughout the EU, as well as strengthen and unify data protection for all people within the union.
We’ve put up a living FAQ to assist you on your path to GDPR compliance. We will continue to update this article as new information becomes available, so check back often.
What is the EU General Data Protection Regulation, and what does it entail?
The GDPR (General Data Protection Regulation) is a new regulation created by the European Union, which was finally approved on April 14th, 2016. It replaces its predecessor from 1995, the Data Protection Directive 95/46/EC, and has been four years in the making. The GDPR aims to better protect the personal data of individuals residing in Iceland, Liechtenstein, Norway, and all EU member countries, hereafter referred to as “EU citizens”. With an expansive scope that takes into account current changes in the cybersecurity landscape, the GDPR provides updated guidelines for collecting and processing this type of sensitive information.
The GDPR is an updated version of the past directive. Some key changes are as follows:
- The GDPR has a worldwide territorial scope. The GDPR applies to all organizations that process personal data of persons in the EU/EEA, regardless of where the organization is located. To put it another way, the GDPR applies to data processing by controllers (companies) and processors (entities that process data for companies), whether or not the activity occurs within the EU/EEA. Non-EU/EEA-based businesses that handle data of EU citizens will be required to appoint a representative in the EU/EEA. All businesses and organizations anywhere in the world are affected, as long as they process the personal data of EU citizens.
- Penalties for data protection violation: Organizations and firms that are discovered to violate GDPR will be fined according to the severity and kind of their infractions. To determine what sort of penalty should be imposed, a supervisory authority will evaluate the infringement (e.g., deficiency, data breach). Fines are levied in a tiered system.
- You shouldn’t have to be a lawyer to understand the terms and conditions of a website or app—nor should you need one to withdraw your consent. Companies will no longer be able to use long, incomprehensible forms to request consent from customers. Consent must now be given explicitly using clear language that is easily accessible and easy to understand. Customers must also be able to withdraw their consent openly and without any hassle.
- If a customer’s or individual’s data is breached and placed at risk, organizations have 72 hours to notify the necessary supervisory authorities. Data processors must also notify their customers of such an occurrence. This notification will be mandatory moving forward.
- Data subjects will be able to obtain confirmation from firms as to whether or not their data is being handled, where it’s stored, and for what purpose. The firm must also supply a copy of the customer’s personal information upon request, free of charge.
- The subject has the “right to be forgotten”, meaning the company will erase all personal data related to them. Although this is not an absolute right, it may still be claimed under specific conditions: if consent is withdrawn or if the data processing is no longer relevant. This latter ground for erasure, however, can only be applied when public interest or national security concerns are NOT in play.
- The data subject will be able to receive any previously obtained personal data that concerns them in a common, machine-readable format and transmit it to another firm.
- Privacy by design and by default: Privacy by design is an informal way of thinking that requires each new service or business process that uses personal data to take privacy into account from the outset. Privacy by default means that the most restrictive privacy settings are applied automatically when a consumer activates a new product or service, so the user does not need to change any settings manually to get the most protective option. As a result of the GDPR’s emphasis on privacy by design, data protection becomes a fundamental design objective from the start.
- The Data Protection Officer (DPO) will be an essential GDPR foundation. In addition to assisting with a company’s compliance with the GDPR, the DPO will have an important function of serving as an intermediary between the firm and supervisory authorities, data subjects, and other stakeholders. Not every business/company needs a DPO; certain criteria must be met before one is required.
With these broad-spanning changes in mind, it’s clear that businesses, industries, and even sole proprietors all over the world will have to follow a comprehensive set of rules and legal obligations to protect their customer data. Data protection is also closely linked with putting comprehensive cybersecurity procedures and solutions in place to defend against cyberattacks of all kinds, which implies investing in adequate security systems as well. One important outcome of these regulations, in addition to making companies and organizations strengthen their data protection and overall security posture, is the alignment of efforts across various industries and sectors all over the world.
Who is affected by the GDPR?
- The GDPR is a regulation about data protection that affects EU citizens.
- Personal data protection is the responsibility of any organization or business that deals with the personal information of people within the European Union. The General Data Protection Regulation (GDPR) applies to businesses of all sizes and locations, not just those based in or operating within EU/EEA countries. This means that even if your company is located outside of Europe but you still do business with Europeans, you must follow GDPR guidelines.
- Data processors, that is, firms that undertake data processing for other companies, are also covered by the GDPR. This makes them equally responsible as businesses that utilize or market EU citizens’ personal information. For example, any cloud provider to whom a firm has outsourced storage is also impacted by the regulation.
What defines personal data?
Personal data refers to any information that can be used, directly or indirectly, to identify a person. This includes but is not limited to photos, email addresses, bank details, social media posts, medical information, and IP addresses.
The key difference between a data controller and a data processor
The entity that requires the data is referred to as the data controller, while the organization that processes personal data on its behalf is called the data processor. This distinction matters because controllers often contract out certain tasks to processors. Although this arrangement delegates part of the responsibility to processors, it does not exempt them from the regulation’s provisions.
What are the potential repercussions of noncompliance once the GDPR has been implemented?
The European Union has two levels of fines for violations of the regulation, depending on the type and scope of the infringement:
- The first penalty tier is set at a maximum of 10 million euros, or in the case of an undertaking, up to 2 percent of the company’s global annual turnover of the preceding financial year, whichever is greater.
- The second tier is set at a maximum of 20 million euros or 4 percent of the company’s global annual turnover for the previous financial year, whichever is higher. This fine can be imposed on companies by supervisory authorities that find and prove GDPR violations, as stated in Article 83 of the GDPR.
What does the GDPR have to do with data breaches for organizations’ existing policies?
Customers, GDPR supervisory authorities, and at-risk people must be notified of a data breach under the GDPR within 72 hours. If you fail to do so, you risk breaking the GDPR and incurring a penalty.
Here, it’s worth mentioning that many businesses have varied policies on when they make data breaches public or alert the relevant authorities. This usually boils down to the laws of their state and/or country. For example, Florida law requires disclosure of a data breach to affected individuals within 30 days. By contrast, Puerto Rico stipulates that companies must notify the Department of Consumer Affairs no later than 10 days after learning about their data breach.
Smaller firms and organizations may or may not have data breach disclosure rules, just like businesses in certain states without data breach laws (for example, Alabama, New Mexico, and South Dakota). The GDPR will be the “default” to follow for any company or organization, regardless of size or location.
Businesses’ GDPR Compliance: What You Need to Know
The GDPR applies to organizations that process the personal data of EU citizens, even if those activities take place outside the EU. Similarly, other countries are updating their approach to data protection, requiring businesses to use state-of-the-art cybersecurity technology going forward.
The good news is that the GDPR will allow companies to be more secure against increasingly sophisticated cyberattacks – including ransomware, which can have a significant impact on organizations beyond fines and penalties. The GDPR and similar laws and regulations also offer businesses a chance to improve their brand and customer/user relationship security. Users will have greater control over their data as well as improved protection while their data are handled. As the May 25, 2018 deadline for compliance with GDPR draws near, take some time to understand how it will affect your business and what changes you need to make. The FAQs below can help get you started, but be sure to check back here regularly as we’ll continue adding new information and updates about GDPR implementation.
Is my company subject to GDPR rules?
As the GDPR emphasizes, any company that handles the personal data of EU citizens is included within its ambit. This is true whether your company is huge or small, in the EU or not; regardless of size or location, it is affected by and therefore subject to the GDPR if it deals, has dealt with, or will deal with EU citizens and their data. Businesses in the United States that use the EU-U.S. Privacy Shield Framework are therefore subject to the regulation and its consequences — including fines — under this scenario.
How can I tell if I’m collecting data from EU citizens as a small company?
Whether your company is tiny or large, it remains responsible for any commercial or personal data that it processes from EU individuals. This includes activities such as collecting and processing billing addresses and/or delivery addresses of EU customers, as well as online banking credentials in the case of online purchases. Not only does GDPR consider online identifiers like IP addresses and mobile IDs as personal data, but it also requires small businesses that use analytics, media, or advertising to protect EU citizen data.
If a business is unsure whether or not it deals with the private information of EU citizens, it must take the time to find out. This can include retrieving records from different places to confirm this before proceeding to secure the data as the GDPR demands.
Even if your business has never done business with an EU citizen, you should still take steps to make your company GDPR compliant. Not only will this help you avoid costly fines, but it also shows customers that you’re serious about their security.
My company is compliant with the GDPR. What adjustments should I make now?
You’re expected and required to fulfill certain obligations and responsibilities under the GDPR, which goes into effect on May 25, 2018. Your company should begin preparing for the impending changes by assessing what is necessary of it and adjusting all components of its security plan to safeguard user data. The following are some of the things you may do to meet the requirements:
- Anytime there is a data breach, you must notify the GDPR supervisory authority (SA) in your country within 72 hours, as well as all customers whose data is affected or whose rights are at risk of being infringed.
- To figure out whether your customers would be uncomfortable with the collection, usage, processing, and sharing of their data, conduct Privacy Impact Assessments.
- Simplify your End User License Agreements/Terms of Service, especially those that pertain to soliciting permission from your consumers.
- Let your clients withdraw consent in the same manner as they can grant it.
- If you are a business, inform your clients whether their data is being collected and be prepared to provide them with an electronic copy of the data, free of charge, if they so choose. Allow users to share this copy with another organization if they wish.
- When they request it, delete their personal information from your database.
- Customer data security should be a must-have from the start, not an option, in any new system or design you develop. This is how data protection by design works under the law.
- Make sure to appoint a Data Protection Officer (DPO) if required.
Is my company in need of a Data Protection Officer (DPO)? What responsibilities does a DPO have?
It depends on what data you collect and how you use it. The following are examples of businesses and organizations that need a Data Protection Officer:
- Public authorities, including government agencies, public advisory bodies, state universities and schools, and publicly-funded museums.
- Large organizations that systematically observe their customers’ online activities, such as what they do on shopping or banking websites.
- Organizations that engage in large-scale processing of sensitive data, either for themselves or for other organizations. These include organizations that process data relating to criminals and/or criminal offenses, or personal data revealing racial or ethnic origin or religious beliefs.
If your company does not fall into any of these categories, you don’t have to appoint a Data Protection Officer.
The Data Protection Officer’s responsibilities are as follows:
- Assisting the company/business and its employees in understanding their duties to comply with the GDPR and other data protection regulations.
- Monitoring compliance with the GDPR and other data protection laws. This may include, among other things, directing internal data protection operations, advising on data protection impact assessments, and educating staff about GDPR compliance.
- Being the first point of contact for supervisory authorities and individuals regarding their data processing.
The DPO role may be assigned to an existing employee, as long as the person’s background is suitable for the responsibilities of a DPO and there is no conflict of interest. Organizations may also fill the DPO position externally if they so desire.
Who determines noncompliance, and how is it determined?
Noncompliance with the GDPR means that the company, as data controller or processor, has failed or is neglecting to follow the regulation’s requirements, which together aim to safeguard EU citizens’ data privacy and security. Such noncompliance may be interpreted as a violation.
If a customer files a complaint about your company’s GDPR compliance, or if the supervisory authority sees something that makes them suspicious, they may investigate to see if you are following the GDPR rules.
Supervisory authorities are independent entities located in each European Union member state. These authorities have the power to hear, investigate, and resolve complaints made by data subjects. Additionally, they can administer punishments in the form of fines if a complaint is deemed valid after an investigation finds that the company being investigated has violated GDPR. If a data subject decides to file a legal complaint, courts may become involved as well.
If a company is accused of misconduct, what can a supervisory authority do?
The supervisory authority can execute tasks such as:
- Ordering the company responsible for the data processing to provide all relevant information needed to carry out these tasks
- Ordering and conducting data protection audits on the company accused
- Obtaining access to a firm/data processor’s premises, including access to their data processing equipment and the information stored on it
The supervisory authority may use a variety of methods to gather as much evidence as possible to determine whether or not the complaint is genuine and valid.
If the supervisory authority believes that the company has committed a GDPR infringement, it can take corrective actions, like:
- Issue the company a warning about potential problems.
- Order the company to meet all GDPR requirements before a set deadline; if it does not, it may be fined.
- Order the company’s operations and/or data processing to be stopped.
- Impose administrative fines of up to 10 million euros or 2 percent of worldwide annual turnover (whichever is greater) in the lower tier, or up to 20 million euros or 4 percent of worldwide annual turnover (whichever is greater) in the upper tier.
The supervisory authority will decide the amount of any penalty and/or administrative fine.
The supervisory authority uses these criteria when assessing the complaint and the firm involved:
- How many people have been harmed, what damage they’ve endured, how long the violation has existed, and the purpose for which their personal information is being processed.
- Whether the infringement was caused by the company intentionally or negligently.
- Whether any actions were taken to prevent damage to the people involved.
- The categories of data/personal information covered by the infringement.
- The preventive measures, both technical and organizational, that were in place to stop the event from happening, and whether they were adequate.
A company’s past infringement record (if any), its efforts to mitigate the infringement’s effects on data subjects, and whether it could directly or indirectly gain from the infringement are also weighed when determining the fine.
The supervisory authority may issue warnings instead if the infringement is deemed to be minor or otherwise extremely modest in impact on consumers. However, if a business is found to have committed numerous breaches, it will be fined accordingly.
Both the company that requires the personal data and any entity that processes it for the company are subject to penalties; this includes ‘clouds’ or cloud service providers.
What penalties do exist for grave offenses?
The GDPR has a two-tiered approach to maximum fines for serious infringements. The lower tier constitutes being fined up to 2 percent of total global turnover or 10 million euros, whichever is higher. The upper tier constitutes being fined twice the amount of the former (i.e., 4 percent of total global turnover or 20 million euros, whichever is higher).
A company is fined at the lower tier if it has been found to have violated obligations such as:
- Obtaining the required consent, from the child (if they are of age) or from their parents or guardians, when processing the personal data of a child who is at least 16 years old.
- Applying privacy and data protection “by design and by default.”
- Keeping records on data processing activities, including information on the kinds of data gathered and how they will be used.
- Timely notification to the supervisory authority and the data subjects affected about data breaches
- The appointment of a Data Protection Officer (for businesses and public authorities)
The company will be fined at the upper tier if they have infringed any GDPR provisions related to the following:
- The safe, legal, and secure handling of an individual’s data.
- The requirement for a data subject’s consent to the collection and processing of personal information.
- The individual’s rights to privacy, to access information on data processing, and to data portability.
- Compliance with an order, or with a temporary or permanent restriction on data processing, issued by a supervisory authority.
- The lawful and secure transfer of the data subject’s information to a third country or an international organization.
The list above is not complete, and other scenarios can result in a fine. You can read the full list of infringements in Article 83 of the GDPR legal text.
How can I make my business compliant with GDPR?
The General Data Protection Regulation provides an opportunity for companies to establish better cybersecurity practices and procedures, which will benefit both the company and its customers. The GDPR not only offers a chance for companies to improve their defenses against cyberattacks but also creates an opportunity to present a stronger image of themselves to their customers and other stakeholders.
Here are some good places to start:
- Make certain that your stakeholders are aware of the GDPR and its implications for your company.
- Conduct comprehensive research and interviews to assess your company’s readiness for GDPR compliance.
- Start making a list of the personal information that is gathered, who it’s shared with, and what terms and conditions control its use.
- Make sure your customer consent forms are easy to read and understand. Get rid of any complicated jargon, and make the forms accessible to everyone.
- To create a culture that prioritizes the protection of your client’s private information and privacy, deploy cutting-edge security solutions and procedures.
- Ensure that your firm has the appropriate data governance procedures in place to react quickly to new consumer rights, such as the right to erasure and transfer.
Although my organization has current privacy practices, what additional steps do I need to take?
Your company’s privacy and security policies are great! You’re probably already on your way to compliance in some areas, especially if you operate mainly in Germany or Japan. However, the GDPR is much stricter than other regulations, and your current policies likely satisfy only part of it, not all of it. To make sure you’re fully compliant with the law, check your policies against the GDPR provisions today.
Here’s what we recommend:
- Review GDPR security compliance by organizing a workgroup to identify policy gaps and updates needed for current security solutions.
- Organize your IT security staff to outline all of your customer information storage and protection procedures, as well as flaws, shortcomings, and outdated hardware that may be addressed by upgrading or investing in additional security software.
- Speak to your local GDPR expert or supervisory authority to ensure that your privacy and security policies are up to standard, both before and after you have completed your compliance efforts.
- Review and follow the steps listed under the previous question on making your business compliant.
The GDPR demands that businesses adhere to the principles of privacy and customer data protection from the start of any project or product development.
What types of cybersecurity technologies/solutions will help my organization comply with the GDPR?
To comply with the GDPR, your company’s security strategy should have a strong technological base and include solutions that possess the following attributes:
- Smart: It should be able to protect client data against known and unknown threats at all times — whether the data is at rest, in transit, or in use — while adapting to any threat scenario. It should be able to react to any security scenario and should not undervalue tried-and-true methods, which can be very effective in a layered security approach.
- Optimized: It should be deployable across the company and into the personal data processing systems without conflicts or issues, whether those systems are legacy or modern deployments such as the cloud. This includes approaches for protecting users, servers and cloud applications, and networks that are highly efficient to deploy.
- Connected: It should be able to both prevent and remediate personal data breaches by sharing real-time threat intelligence and automatic security updates with all security layers. This stops malware and/or cyberattacks before they can penetrate the network and impact a business’s personal data archives. It also assists the IT security team in isolating any infected system from the rest of the network, confining potential damage and breaches to a single unit rather than the entire organization.
- State of the art: It should utilize the most recent generation of security technology, delivering cutting-edge capabilities with a proven track record for stopping advanced threats. One such example is Virtual Patching, which allows users to create rules that protect specific systems or networks from vulnerabilities and exploits – even if there isn’t an official patch yet or it hasn’t been applied. The Windows SMB vulnerability that caused the recent WannaCry ransomware outbreak is one example of this. Another is Integrated Data Loss Prevention, a technology that gives users full visibility of their data and the control to identify, track, and secure business-critical information from all endpoints — even remotely.
A combination of security solutions that have all four of the aforementioned characteristics can aid in the protection of an entire business, not just a single point like a database of consumer information, throughout a threat’s lifecycle. Investing in an approach that combines smart, optimized, and connected security with a “data protection by design” strategy will help minimize compromises and breaches while also exemplifying the GDPR’s ethos.