Companies that do business in European Union countries will need to comply with strict new rules around protecting customer data within the next year. The General Data Protection Regulation (GDPR) is expected to set a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to comply.
Compliance will cause some concerns and new expectations of security teams. For example, the GDPR takes a wide view of what constitutes personal identification information. That means companies will need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address and Social Security number.
The GDPR leaves much to interpretation. It says that companies must provide a “reasonable” level of protection for personal data, for example, but does not define what constitutes “reasonable.” This gives the GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance.
CSO has compiled what any business needs to know about the GDPR, along with advice for meeting its requirements. Many of the requirements do not relate directly to infoSec, but the processes and system changes needed to be in compliance could affect existing security systems and protocols.
What is the GDPR?
The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995. It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU.
The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. However, that standard is quite high and will require most companies to make a large investment to meet and to administer.
According to an Ovum report, about two-thirds of U.S. companies believe that the GDPR will require them to rethink their strategy in Europe. Even more (85 percent) see the GDPR putting them at a competitive disadvantage with European companies.
Which companies does the GDPR affect?
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR. Specific criteria for companies required to comply are:
- A presence in an EU country.
- No presence in the EU, but it processes personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees but its data processing impacts to the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data*.That effectively means almost all companies. A PwC survey showed that 92 percent of U.S. companies consider GDPR a top data protection priority.
When does my company need to be in compliance?
Companies must be able to show compliance by May 25, 2018
Who within my company will be responsible for compliance?
The GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor and the data protection officer (DPO). The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.
Data processors may be the internal groups that maintain and process personal data records or any outsourcing firm that performs all or part of those activities. The GDPR holds processors liable for breaches or non-compliance. It’s possible, then, that both your company and processing partner such as a cloud provider will be liable for penalties.
The GDPR requires the controller and the processor to designate a DPO to oversee data security strategy and GDPR compliance. Companies required to have a DPO process or store large amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a public authority.
What will preparing for the GDPR cost my company?
According to the PwC survey, 68 percent of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements. Another 9 percent expect to spend more than $10 million.
What happens if my company is not in compliance with the GDPR?
The GDPR allows for steep penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance. According to a report from Ovum, 52 percent of companies believe they will be fined for non-compliance. Management consulting firm Oliver Wyman predicts that the EU could collect as much as $6 billion in fines and penalties in the first year.
What types of privacy data does the GDPR protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Which GDPR requirements will affect my company?
The GDPR requirements will force U.S. companies to change the way they process, store, and protect customers’ personal data. For example, companies will be allowed to store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, and companies must erase personal data upon request.
Several requirements will directly affect security teams. One is that companies must be able to provide a “reasonable” level of data protection and privacy to EU citizens. What the GDPR means by “reasonable” is not well defined.
What could be a challenging requirement is that companies must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected. Another requirement, performing impact assessments, is intended to help mitigate the risk of breaches by identifying vulnerabilities and how to address them.
For a more complete description of GDPR requirements, see "What are the GDPR requirements?".
What should my company be doing to prepare for the GDPR?
Set a sense of urgency that comes from top management: Risk management company Marsh stresses the importance of executive leadership in prioritizing cyber preparedness. Compliance with global data hygiene standards is part of that preparedness.
Hire or appoint a DPO: The GDPR does not say whether the DPO needs to be a discrete position, so presumably a company may name someone who already has a similar role to the position. Otherwise, you will need to hire.
Create a data protection plan: Most companies already have a plan in place, but they will need to review and update it to ensure that it aligns with GDPR requirements.
Conduct a risk assessment: You want to know what data you store and process on EU citizens and understand the risks around it. Remember, the risk assessment must also outline measures taken to mitigate that risk.
Implement measures to mitigate risk: Once you’ve identified the risks and how to mitigate them, you must put those measures into place. For most companies, that means revising existing risk mitigation measures.
Test incidence response plans: The GDPR requires that companies report breaches within 72 hours. How well the response teams minimize the damage will directly affect the company’s risk of fines for the breach. Make sure you are able to adequately report and respond within the time period.
Set up a process for ongoing assessment: You want to ensure that you remain in compliance, and that will require monitoring and continuous improvement.