What You Need to Know About GDPR Compliance
The General Data Protection Regulation (GDPR) is a regulation requiring businesses to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states. Every company conducting business within the EU will need to comply to these strict new rules by May 25th which will likely cause concerns and heightened expectations for security teams due to the broad, yet stringent nature of the GDPR requirements. For example, one such change will require companies to provide the same level of IT safeguards for things like an individual’s IP address or cookie data as they would for name, address, and Social Security number. Similar to HIPAA & PCI Compliance, GDPR seemingly allows room for some interpretation. It states companies must provide a reasonable level of protection for personal data; yet does not define what constitutes as reasonable. This vague terminology allots significant authority to the GDPR governing body to interpret each violation on a case by case basis when assessing fines for data breaches or instances of non-compliance. To help clarify and navigate through these extensive requirements, we’ve compiled a brief overview of what a company conducting business within the EU needs to know about GDPR…
What is the GDPR?
The European Parliament adopted GDPR in April 2016, replacing the outdated Data Protection Directive of 1995. Within it, there are new provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states as well as the exportation of personal data outside the EU. The requirements include all 28 EU member states, meaning companies have one universal standard to meet within the EU, albeit a very high standard that will require a significant investment to meet and implement.
Why does the GDPR even exist?
The most rudimentary answer to that question is that public concern over privacy drove parliament to act. Europe has had a long history of stringent rules concerning how companies use the personal data of its citizens, and the new GDPR requirements address the changes in today’s increasingly volatile technological landscape that are not addressed in the original Data Protection Directive of 1995.
There is also a very real concern over privacy as more and more high-profile data breaches occur. The GDRP functions to dually address consumer privacy concerns as well as bring security awareness to the forefront of organizations IT best practices. According to the 2017 Cost of Data Breach Study conducted by Ponemon Institute & IBM, consumers cited data breaches as a top concern, demonstrating a clear correlation in consumer loyalty and data protection. Lost information such as passwords and personal identifiable information resulted in an average loss of 3.24% in consumer retention, with countries like Italy, and France exhibiting the highest churn rates. This is exacerbated in industries that are more susceptible to losing customers following a data breach, such as the Financial and Health sectors, which exceeded a 5% churn rate.
Perhaps the most alarming takeaway from the study is that the steep fines and penalties are not the only risk associated to non-compliance, a company’s reputation and brand image are at irreparable danger following the loss of personal information.
What data does the GDPR protect?
- Basic identity information: name, address, ID numbers
- Web data: location, IP address, cookie data, RFID tags
- Health & generic data
- Biometric data
- Race or ethnic data
- Political opinions
- Sexual orientation
Does the GDPR apply to my company?
GDPR affects any company that stores or processes personal information about EU citizens within EU states, even if the company does not have a physical business presence there. Criteria for companies required to comply are:
- Presence in an EU country
- No presence in the EU, but company processes personal data of European residents
- More than 250 employees
- Fewer than 250 employees, but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.
Effectively this means almost all companies are subject to compliance requirement. In fact, a recent PwC survey showed 92% of U.S. companies consider GDPR a top data protection priority.
How long does my company have to become compliant?
Companies must be able to demonstrate their compliance by May 25, 2018.
What happens if my company fails to meet all the GDPR requirements?
GDPR allows for steep penalties of up to €20 million or 4% of global annual turnover- whichever is highest. Estimates vary, but the consensus is that about half of U.S. companies will not meet all the requirements. According to a report from Ovum, 52% of all companies believe they will be fined for non-compliance and the management consulting firm Oliver Wyman predicts the EU could collect as much as $6 billion in fines and penalties within the first year alone. Even more alarming, according to a survey by Solix Technologies, 22% of companies aren’t even aware that they must comply with the GDPR requirements, while 38% said that the personal data they process is not protected from misuse and vulnerable to unauthorized access at every stage of its lifecycle.
How will the GDPR requirements affect U.S. companies?
The GDPR requirements will force U.S. companies to rethink the way they process, store, and protect customers’ personal data. For example, companies will only be allowed to store and process data when the individual provides consent, and the information cannot be kept any longer than is necessary for the purposes for which the personal data was processed. Personal data must also be portable from one company to another, and they must erase data upon request from the individual.
Perhaps one of the trickiest components for U.S. companies to comply with is the right to be forgotten. While GDPR does not supersede any legal requirements that an organization maintain certain information for set periods of time, such as HIPAA health record requirements, companies must have the capability to comply with an EU citizens’ right to have their personal data completely eradicated. Nearly 66% of the Solix survey respondents say they are unsure if they can purge an individual’s personal information forever by the deadline, leaving a lot of organizations vulnerable to fines and penalties.
Security teams will also be challenged to meet the requirement that companies must report data breaches to supervisory authorities and individuals affected by the breach within 72 hours of detection. The Impact Assessment requirement is another GDPR component intended to help mitigate the risk of breaches by identifying vulnerabilities and how they can be addressed to ensure reasonable protection of personal data.
What should my company be doing to prepare for the GDPR?
- Executive Leadership should set a sense of urgency and prioritize the GDPR requirements as part of their company’s ongoing operations and security strategy.
- The security & IT department should not be held solely responsible for all the GDPR requirements. We encourage executives to develop a leadership team from every major department that collects, analyzes, or uses customers’ personal information. (i.e. Marketing, Sales, Finance, Operations, etc.) This group will be able to share information critical to implementing the appropriate technical and procedural measures, as well as preparing them to manage any potential impacts the GDPR requirements may have on their departments.
- Have a full risk assessment conducted to grasp what data is being stored and processed for EU citizens. A complete assessment should also provide guidance on how to mitigate potential risks.
- The GDPR requires that a company name a Data Protection Officer (DPO) who will be responsible for ensuring the protection of personal information with no conflicts of interest. The GDPR does not state whether the DPO needs to be separate from all other positions, so a company may choose to name someone who already has a similar role to the position.
- Companies will need to implement or review and update their data protection plan to ensure all components align with the new GDPR requirements.
- As the deadline approaches, companies will need to create a plan to demonstrate and report their GDPR compliance progress. For example, establishing the Record of Processing Activities (RoPA) is essential to enabling organizations the ability to identify where personal data is being processed, who is processing it, and how long it is being stored.
- Smaller companies should seek help from a trusted partner to negate the GDPR’s potential impact. MSPs like TSI can provide the guidance and technical expertise to navigate through the compliance process while minimizing internal disruption and business productivity.
- The GDPR requires companies to continuously utilize IT best practices in order to maintain a standard of security for consumer data, and as such companies should establish an ongoing assessment process to ensure compliance. According to a survey conducted by Veritas Technologies, 47% of respondents will likely add mandatory GDPR policy observances to employee contracts, 25% might withhold bonuses or benefits if a GDPR violation occurs, while 34% say they will reward employees who follow the GDPR compliance requirements.
- Promote the GDPR compliance requirements as a way of improving business. According to a survey by Varonis Systems, 74% of respondents believe that complying will be a competitive advantage. Compliance will promote consumer confidence and loyalty. Most importantly, the technical and process improvements that are needed to meet the GDPR requirements will enable efficiencies in how companies manage and secure their data.