The European Union (EU) General Data Protection Regulation (GDPR) is a comprehensive data protection and privacy regulation that becomes enforceable on May 25th of 2018. EU nations have long maintained strict legal provisions to safeguard the personally identifiable information (PII) collected online by businesses and organizations, and GDPR is a new legal means to unify and clarify these requirements. It is important for organizations to understand that the legislation applies to any company that markets goods or services to EU residents, regardless of where that company is located. As a result, GDPR will have an impact on data protection requirements globally. GDPR is lengthy and complicated; the legislation includes 11 chapters and 91 articles, which has left many organizations scrambling to add resources and begin the arduous process of aligning their processes with the legislation.
Compliance with this new regulation has become a top priority for businesses around the globe for three main reasons: new requirements, increased scope, and strict penalties for noncompliance. GDPR has created new, significant requirements for businesses to implement comprehensive privacy programs, including mandatory privacy by design and data protection impact assessments. The regulation applies not only to EU companies, but also to foreign companies processing the data of EU residents. The penalties for noncompliance can be up to 2% – 4% of annual global turnover or €10 Million to €20 Million, whichever is greater. Businesses large and small around the globe are working feverishly to comply with GDPR in advance of the upcoming deadline this coming May.
— Hitachi Sys Security (@HitachiSysSec) 10 October 2017
GDPR contains several key provisions to protect the privacy of EU citizens. The first is notification. Under GDPR, businesses must notify customers and regulators of any data breach within 72 hours of becoming aware of the breach.
Next is a right to access. Under GDPR, EU citizens have the right to ask businesses for confirmation if their personal data is being processed, where the data is being processed, and for what purpose.
Businesses are also obliged to provide a free copy of personal data in an electronic format. The so-called Right to be forgotten is another provision that empowers citizens to have businesses erase their personal data upon request.
Portability is a new provision under GDPR, giving citizens the right to their personal data in a commonly used and machine readable format, so that it may be passed along to another business.
Next is privacy by design – which requires that businesses build systems with privacy built-in.
Finally, businesses must appoint a data protection officer to manage the processes associated with GDPR compliance.
Most notable outside of the 6 requirements outlined above are the general privacy requirements set out in Article 5 of GDPR. These requirements mandate that personal data shall only be collected for specified, explicit and legitimate purposes, kept accurate and up to date, stored only as long as necessary, and processed in a manner that ensures appropriate security. These broad principles for processing personal data require a comprehensive approach to data privacy that many businesses, lacking a mature privacy program, do not currently have.
One specific area of concern for many businesses is the Data Protection Impact Assessment. GDPR requires businesses to conduct a privacy assessment for any new high-risk technologies, to assess the risks to personal data. Businesses must document a detailed assessment of the potential impact, including a systematic description of the data processing under review, whether the processing is necessary and proportionate, and any compensating controls in place to secure the operation. These reports are delivered to the EU’s lead Data Protection Authority.
The most impactful change under GDPR is its increased geographic scope. Previously, EU laws did not have a clear applicability to international entities. Under GDPR, any business processing the data of EU citizens must be in compliance, regardless of where in the world the data is processed or where the business is headquartered. Non-EU companies that process the personal data of EU citizens now face the daunting challenge of complying with this new regulation.
Under GDPR, the requirements apply to both personal data and sensitive data. Personal data includes any information that can be used to identify a person – anything from a name, bank details, a photo, social media posts, an email address, medical information, or a computer IP address. Sensitive data includes genetic data, information on religious or political views, and sexual orientation. While these definitions of personal data are nothing new, the clarity around the scope of impacted organizations – including those headquartered outside of Europe, processing data outside of Europe – represents an increase in scope and new requirements for many businesses around the globe.
Previously, the maximum penalty for a privacy-related incident was £500,000. Under GDPR, as suggested earlier, organizations can be fined up to 4% of their annual global revenue, or €20 Million, whichever is greater. This maximum fine applies when businesses fail to obtain customer consent to process data or violate the Privacy by Design concepts. In addition, a tiered approach is used, with a fine of 2% of revenue possible for lesser offenses such as failing to maintain sufficient records. This is the main reason that businesses are so concerned with GDPR – a fine of this size could mean bankruptcy for many organizations.
Many businesses have not started to review and implement the requirements outlined in GDPR, with some studies finding that up to 20% of businesses have still not taken any steps to prepare for GDPR compliance.
A key first step is to assign responsibility for compliance to a Data Protection Officer, hiring a specialist for the role where needed. This resource can drive the compliance and review process. A second step is to conduct a GDPR gap assessment or readiness assessment – reviewing the requirements outlined in the regulation and comparing current performance against target capabilities. What is most important is to take action as soon as possible, as only 8 months remain until the regulation takes effect.
GDPR has created an urgent requirement for businesses operating in Europe to take privacy seriously. At a time when data breaches make the front page almost weekly, a strict financial penalty for businesses to secure PII may be the incentive necessary for data protection to be prioritized. With the deadline for compliance looming, organizations must take action now in order to implement the required privacy principles in time and avoid the fines and penalties threatened by GDPR.