The General Data Protection Regulation (GDPR) becomes effective May 25, 2018, introducing new legislation for data processing in European Union (EU) member countries and anywhere the personal data of individuals in the EU is processed. Because of this new legislation's scope, if your business is based in the U.S. and you process the personal data of individuals in the EU, you will be affected. GDPR provides many new personal data rights to those individuals, including the right to erasure, the right to withdraw consent, easier access to their personal data, and the right to be told when a breach of their data (for example, by a cyber-attack) is likely to put them at high risk.
GDPR requires a sound approach to data protection across all aspects of an institution's operations. Like cybersecurity, it should be viewed not as a security or technology problem, but rather as a business challenge that must be solved. GDPR focuses on accountability, transparency and governance to uphold personal data protection and to minimize the risk of breaches by imposing new responsibilities on organizations.
GDPR imposes concrete measures, such as:
- The obligation to keep internal records of data protection activities;
- The requirement to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and to document the underlying facts, effects and remedial action taken; and
- The need to appoint an official Data Protection Officer (required for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data).
A Business Problem, not an IT Issue
The primary principle behind GDPR is that personal data belongs to the individual, not to the data controllers or processors. It applies to the personal data of individuals in the EU regardless of where the organization processing that data is located.
The above are reasons why GDPR should be viewed as a business challenge and not simply an IT issue. Accordingly, it introduces the role of Data Protection Officer (DPO) to help organizations manage the risks associated with GDPR and, in the UK, the Data Protection Bill. The DPO is accountable for the organization's handling and protection of personal data; it is a business role, not necessarily an IT role. The DPO reports to the highest level of management and oversees processes such as data inventory, data flow mapping and privacy assessments, but may sit organizationally within the compliance function, legal or Information Technology.
Because GDPR reaches all EU member countries, a rigid interpretation of GDPR suggests that tens of thousands of data protection officers (DPOs) may be required. However, current guidance indicates that the DPO role can be outsourced, or that the DPO can be a staff member or contractor who has expert knowledge of data protection law and practice and the ability to fulfill the tasks. Similar to the CISO required by the New York State Cybersecurity Regulation (23 NYCRR 500), the DPO will be central to an organization's compliance with the new regulation.
Start Paying Attention
The companies that most need to pay attention to GDPR are those that handle large volumes of personal data. While these tend to be larger organizations in the finance, health and retail sectors, smaller organizations in less obvious sectors such as media and manufacturing could fail to recognize their responsibilities under GDPR. Organizations that host or process data on behalf of other organizations could also miss the GDPR connection. These processors are likely to come under increasing pressure from clients who must understand how their data is being handled in order to demonstrate their own compliance. The reality is that organizations of all sizes collect personal data as a standard part of doing business; hence, nearly every organization needs to carefully analyze what data it collects and how it uses that data, since it may fall under the jurisdiction of GDPR without knowing it.
Regulators are authorized to respond to non-compliance with the GDPR in one of three ways:
- Issue a warning or impose a temporary or definitive ban on processing personal data;
- Impose an administrative fine of up to EUR 20 million or 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher, depending on the circumstances of each individual case; or
- Both of the above.
Although there will be an adjustment period after GDPR goes into effect, EU regulators have indicated that they plan to enforce GDPR actively. Avoiding substantial fines and sanctions, not to mention serious reputational damage, therefore requires that organizations be prepared to offer evidence of their data protection processes and accountability, and to be transparent with regulators.
Take Action Now
GDPR takes effect May 25, leaving businesses a small remaining window of opportunity to prepare. GDPR is a complex set of rules with concrete expectations of how organizations use and store the personal data of individuals in the EU. Take action now to ensure that your institution is prepared.
Resources for additional guidance for security and compliance
The UK's National Cyber Security Centre has published authoritative, actionable guidance for organizations on achieving cyber security and compliance in its "10 Steps to Cyber Security."
Another source of guidance is the CIS Critical Security Controls for Effective Cyber Defense, developed by the Center for Internet Security with international support and input. The Critical Security Controls are consistent with the "10 Steps to Cyber Security" and map to many of the controls delineated in another widely recognized standard, ISO 27001.