Companies that collect data on citizens in European Union (EU) countries will need to comply with strict new rules around protecting customer data by May 25. The General Data Protection Regulation (GDPR) is expected to set a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to comply.
Compliance will cause some concerns and new expectations of security teams. For example, the GDPR takes a wide view of what constitutes personal identification information. Companies will need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address and Social Security number.
The GDPR leaves much to interpretation. It says that companies must provide a “reasonable” level of protection for personal data, for example, but does not define what constitutes “reasonable.” This gives the GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance.
What is the GDPR?
The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995. It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU.
The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. However, that standard is quite high and will require most companies to make a large investment to meet and to administer.
According to an Ovum report, about two-thirds of U.S. companies believe that the GDPR will require them to rethink their strategy in Europe. Even more (85 percent) see the GDPR putting them at a competitive disadvantage with European companies.
Which companies does the GDPR affect?
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are:
- A presence in an EU country.
- No presence in the EU, but it processes personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies. A PwC survey showed that 92 percent of U.S. companies consider GDPR a top data protection priority.
When does my company need to be in compliance?
Companies must be able to show compliance by May 25, 2018.
Who within my company will be responsible for compliance?
The GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor and the data protection officer (DPO). The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.
Data processors may be the internal groups that maintain and process personal data records or any outsourcing firm that performs all or part of those activities. The GDPR holds processors liable for breaches or non-compliance. It’s possible, then, that both your company and processing partner such as a cloud provider will be liable for penalties even if the fault is entirely on the processing partner.
The GDPR requires the controller and the processor to designate a DPO to oversee data security strategy and GDPR compliance. Companies are required to have a DPO if they process or store large amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a public authority. Some public entities such as law enforcement may be exempt from the DPO requirement.
What will GDPR preparation cost my company?
According to the PwC survey, 68 percent of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements. Another 9 percent expect to spend more than $10 million.
What happens if my company is not in compliance with the GDPR?
The GDPR allows for steep penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance. According to a report from Ovum, 52 percent of companies believe they will be fined for non-compliance.
If your organization is not in compliance by the May 25 deadline, it will not be alone. Estimates vary, but the consensus is that about half of the U.S. companies that should be compliant will not be on all requirements. According to a survey by Solix Technologies released in December, 22 percent of companies were still unaware that they must comply with GDPR. Thirty-eight percent said that the personal data they process is not protected from misuse and unauthorized access at every stage of its life cycle.
That leaves a lot of organizations vulnerable to fines. The big unanswered question is how penalties will be assessed. For example, how will fines differ for a breach that has minimal impact on individuals versus one where their exposed PII results in actual damage? The consensus is that the regulators will quickly act on a few companies found to be not in compliance early on to send a message. Then, organizations can make a better assessment of what to expect in the event of a non-compliance finding.
What types of privacy data does the GDPR protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Which GDPR requirements will affect my company?
The GDPR requirements will force U.S. companies to change the way they process, store, and protect customers’ personal data. For example, companies will be allowed to store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, and companies must erase personal data upon request.
That last item is also known as the right to be forgotten. There are some exceptions. For example, GDPR does not supersede any legal requirement that an organization maintain certain data. This would include HIPAA health record requirements.
Several requirements will directly affect security teams. One is that companies must be able to provide a “reasonable” level of data protection and privacy to EU citizens. What the GDPR means by “reasonable” is not well defined.
What could be a challenging requirement is that companies must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected. Another requirement, performing impact assessments, is intended to help mitigate the risk of breaches by identifying vulnerabilities and how to address them.
What should my company be doing to prepare for the GDPR?
Set a sense of urgency that comes from top management: Apoint an executive leadership in prioritizing cyber preparedness. Compliance with global data hygiene standards is part of that preparedness.
Involve all the stakeholders. IT alone is ill-prepared to meet GDPR requirements. Start a task force that includes marketing, finance, sales, operations—any group within the organization that collects, analyzes, or otherwise makes use of customers’ PII. With representation on a GDPR task force, they can better share information that will be useful to those implementing the technical and procedural changes needed, and they will be better prepared to deal with any impact on their teams.
Conduct a risk assessment: You want to know what data you store and process on EU citizens and understand the risks around it. Remember, the risk assessment must also outline measures taken to mitigate that risk. A key element of this assessment will be to uncover all shadow IT that might be collecting and storing PII. Shadow IT and smaller point solutions represent the greatest risk for non-compliance; ignore them at your own peril.
Hire or appoint a DPO: The GDPR does not say whether the DPO needs to be a discrete position, so presumably a company may name someone who already has a similar role to the position as long as that person can ensure the protection of PII with no conflict of interest. Otherwise, you will need to hire a DPO. Depending on the organization, that DPO might not need to be full-time. In that case, a virtual DPO is an option. GDPR rules allow a DPO to work for multiple organizations, so a virtual DPO would be like a consultant who works as needed.
Create a data protection plan: Most companies already have a plan in place, but they will need to review and update it to ensure that it aligns with GDPR requirements.
Don’t forget about mobile: According to a survey of IT and security executives, 64 percent of employees access customer, partner, and employee PII using mobile devices. That creates a unique set of risks for GDPR non-compliance. For example, 81 percent of the survey respondents said that most employees are approved to install personal apps on the devices used for work purposes, even if it’s their own device. If any of those apps access and store PII, they must do so in a GDPR-compliant manner. That’s tough to control, especially when you factor in all the unauthorized apps employees use.
Create a plan to report your GDPR compliance progress: “With the clock ticking, organizations must demonstrate that they are making progress against completing the Record of Processing Activities (RoPA)—article 30 of the GDPR regulation which is centered around taking inventory of risky applications—to avoid being an easy target for regulators. Establishing the RoPA, is the essential piece to focus on at this stage in the game as it enables organizations to identify where personal data is being processed, who is processing it and how it is being processed.
Implement measures to mitigate risk: Once you’ve identified the risks and how to mitigate them, you must put those measures into place. For most companies, that means revising existing risk mitigation measures. “Upon taking inventory of applications and completing the RoPA, the GDPR team can now spot and investigate any risks associated with the data and determine the appropriate level of security deemed necessary to protect that data,” says Fisher.
If your organization is small, ask for help if needed. Smaller companies will be affected by GDPR, some more significantly than others. They may not have the resources needed to meet requirements. Outside resources are available to provide advice and technical experts to help them through the process and minimize internal disruption.
Test incident response plans: The GDPR requires that companies report breaches within 72 hours. How well the response teams minimize the damage will directly affect the company’s risk of fines for the breach. Make sure you can adequately report and respond within the time period.
Set up a process for ongoing assessment: You want to ensure that you remain in compliance, and that will require monitoring and continuous improvement. Some companies are considering incentives and penalties to ensure that employees follow the new policies. 47 percent of respondents will likely add mandatory GDPR policy observances to employee contracts. Twenty-five percent might withhold bonuses or benefits if a GDPR violation occurs, and 34 percent say they will reward employees for complying with GDPR.
Do all of this with an eye to improving your business: 74 percent of respondents believe that complying with GDPR requirements will be a competitive advantage. Compliance will boost consumer confidence. More importantly, the technical and process improvements necessary to meet GDPR requirements should enable efficiencies in how organizations manage and secure data.