What is GDPR?
GDPR stands for General Data Protection Regulation, the core of European
legislation on digital privacy. It requires companies to safeguard the
personal information and privacy of EU citizens for transactions carried out
within the EU Member States, and non-compliance can end up costing
businesses.
A Definition of GDPR (General Data Protection Regulation)
The General Data Protection Regulation (GDPR), agreed upon by
the European Parliament and Council in April 2016, will replace the Data Protection
Directive 95/46/EC in Spring 2018 as the primary law regulating how companies
protect EU citizens' personal data. Companies that are already in compliance
with the Directive must ensure that they are also compliant with the new
requirements of the GDPR before it becomes effective on May 25, 2018. Companies
that fail to achieve GDPR compliance before the deadline will be subject to
stiff penalties and fines.
GDPR requirements apply to each member state of the European
Union, aiming to create more consistent protection of consumer and personal
data across EU nations. Some of the key privacy and data protection
requirements of the GDPR include:
- Requiring the consent of subjects for data processing
- Anonymizing collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
Simply put, the GDPR mandates a baseline set of standards for
companies that handle EU citizens’ data to better safeguard the processing and
movement of citizens’ personal data.
Who is Subject to GDPR Compliance?
The purpose of the GDPR is to impose a uniform data security law
on all EU members, so that each member state no longer needs to write its own
data protection laws and laws are consistent across the entire EU. In addition
to EU members, it is important to note that any company that markets goods or
services to EU residents, regardless of its location, is subject to the
regulation. As a result, GDPR will have an impact on data protection
requirements globally.
Requirements of General Data Protection Regulation
The GDPR itself contains 11 chapters and 91 articles. The
following are some of the chapters and articles that have the greatest
potential impact on security operations:
- Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more
control over personal data that is processed automatically. The result is that
data subjects may transfer their personal data between service providers more
easily (also called the “right to portability”), and they may direct a
controller to erase their personal data under certain circumstances (also
called the “right to erasure”).
- Articles 23 & 30 – Articles 23 and 30 require companies to implement
reasonable data protection measures to protect consumers’ personal data and
privacy against loss or exposure.
- Articles 31 & 32 – Data breach notifications play a large role in the GDPR
text. Article 31 specifies requirements for single data breaches: controllers
must notify Supervisory Authorities (SAs) of a personal data breach within 72
hours of learning of the breach and must provide specific details of the
breach, such as its nature and the approximate number of data subjects
affected. Article 32 requires data controllers to notify data subjects as
quickly as possible of breaches when the breaches place their rights and
freedoms at high risk.
- Articles 33 & 33a – Articles 33 and 33a require companies to perform Data
Protection Impact Assessments to identify risks to consumer data and Data
Protection Compliance Reviews to ensure those risks are addressed.
- Article 35 – Article 35 requires that certain companies appoint data
protection officers. Specifically, any company that processes data revealing a
subject’s genetic data, health, racial or ethnic origin, religious beliefs,
etc. must designate a data protection officer; these officers advise companies
on compliance with the regulation and act as a point of contact with SAs. Some
companies may be subject to this aspect of the GDPR simply because they
collect personal information about their employees as part of human resources
processes.
- Articles 36 & 37 – Articles 36 and 37 outline the data protection officer
position and its responsibilities in ensuring GDPR compliance as well as
reporting to Supervisory Authorities and data subjects.
- Article 45 – Article 45 extends data protection requirements to
international companies that collect or process EU citizens’ personal data,
subjecting them to the same requirements and penalties as EU-based companies.
- Article 79 – Article 79 outlines the penalties for GDPR non-compliance,
which can be up to 4% of the violating company’s global annual revenue
depending on the nature of the violation.
GDPR Enforcement and Penalties for Non-Compliance
In comparison to the former Data Protection
Directive, the GDPR has increased penalties for non-compliance. SAs have
more authority than in the previous legislation because the GDPR sets a
standard across the EU for all companies that handle EU citizens’ personal
data. SAs hold investigative and corrective powers and may issue warnings for
non-compliance, perform audits to ensure compliance, require companies to make
specified improvements by prescribed deadlines, order data to be erased, and
block companies from transferring data to other countries. Data controllers
and processors are subject to the SAs’ powers and penalties.
The GDPR also allows SAs to issue larger fines than the Data
Protection Directive; fines are determined based on the circumstances of each
case and the SA may choose whether to impose their corrective powers with or
without fines. For companies that fail to comply with certain GDPR requirements,
fines may be up to 2% or 4% of total global annual turnover or €10m or €20m,
whichever is greater.
GDPR Applies to All Who Reach European Citizens
In addition to EU members, it is important to note that any
company that markets goods or services to EU residents, regardless of its
location, is subject to the regulation. By complying with GDPR requirements,
businesses will avoid paying costly penalties while improving customer data protection and trust.
Now that this privacy regulation is active, websites that do not
comply will be inaccessible in European states. Most notable among the list
of sites temporarily blocked were the Chicago Tribune and LA Times. If your
organization’s site collects any of the regulated data from European users,
it is required to comply with GDPR.
Will the United States Embrace Data Privacy Laws?
Increased public and political scrutiny has thrown American data
privacy into the spotlight. At the moment, there is no federal
data privacy legislation. However, there have been increasing discussions on
the topic. The conversation took a high profile turn with the congressional
hearings of Facebook founder Mark Zuckerberg. Many states have
instituted laws of their own, the most notable to date being the California Consumer
Privacy Act.
According to an Ovum report, about two-thirds
of companies in the United States may be rethinking their
strategy in Europe as a result of GDPR. However, as companies
anticipate an increase in data privacy regulations in the United States, some
are realizing that it may be time to implement more stringent data protection
measures across the board.
Best Practices for GDPR: An Important EU Data Protection Law
All organizations, from small businesses to large enterprises,
must be aware of all GDPR requirements and be prepared to
comply with them going forward. For many of these companies, the
first step in complying with GDPR is to designate a data protection
officer who will build a data protection program to meet GDPR
requirements. Once compliant, it is important to stay informed of changes to
the law and enforcement methods. The BBC has a GDPR topic page covering
current news stories around enforcement and other subjects.
Steps to Ensure GDPR Compliance
1. Physically Read the GDPR
While there are sections which are difficult to decipher and
feature more legal language, every person in a position to be affected by GDPR
should attempt to read and understand this landmark legislation.
2. Look to Other Organizations
Businesses all over the world are affected by GDPR, not just
those in the European Union. If you, or those in your organization, still lack
an understanding of the steps needed to reach compliance, reach out to those
who are already compliant. Many businesses will likely share the steps they
took to reach compliance.
3. Pay Close Attention to Your Website
Cookies, opt-ins, data storage and more are things that can be
easily set up on a website. Their compliance with GDPR is another matter
entirely. While many tools used to collect and store contact data have allowed
for compliance, it’s up to you to make sure you’re compliant.
4. Pay Closer Attention to Your Data
All data in your organization must comply with GDPR if you have
a presence (either digital or physical) in the EU. Properly map out how
data enters your systems, where it is stored, how it is transferred and how it
is deleted. Knowing every route personal information can take is vital to
preventing breaches and ensuring proper reporting in the event of data loss.