The General Data Protection Regulation (GDPR) is one of the hottest topics making the rounds right now. The law will come into force in May 2018, significantly improving data protection for individuals in the EU and internationally by introducing new restrictions for companies that process the data of EU residents. Panic has already set in because regulators have been issuing huge fines for security failures — the latest example is the UK’s Carphone Warehouse, which was fined $540K for a 2015 hack — and the penalties under GDPR will be even higher.
Unfortunately, many organizations are not even close to complying with the new law: According to research by HubSpot, only 36% of organizations know what GDPR is, and 22% haven’t done anything yet to prepare for it.
According to a HubSpot GDPR Survey, just 36% of businesses have even heard of the GDPR
The deadline for compliance is quickly approaching, so companies have little time to get familiar with GDPR requirements. Netwrix is ready to help. Below you’ll find answers to the most frequently asked questions about GDPR, so you can stop seeing it as a Great Data Panic Reason and start taking steps to comply with the regulation:
#1. What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a compliance standard intended to strengthen data protection for individuals across the European Union. GDPR replaces the 1995 data protection directive and changes the way companies must handle the personal data of EU residents. In particular, the new regulation requires organizations to adopt stricter data protection controls, and specifies procedures and timeframes for breach notification. The GDPR also broadens the rights of individuals with respect to their personal data, and involves larger penalties for violations.
#2. Is my company affected?
The GDPR applies to any business or public body that stores or processes the data of EU residents. This includes every employer in the EU, businesses that offer products and services to EU citizens and residents, and companies that process personal data on behalf of other organizations. The GDPR will have a global effect: It will impact both EU companies and companies that do not have a presence in the EU.
#3. What is the deadline?
GDPR will come into force on May 25, 2018. Before this date, organizations must ensure that they are compliant with the new rules; otherwise, they will be subject to stiff penalties and fines.
#4. Data subjects, data processors, data controllers — who are they?
Article 4 of the GDPR clarifies the key concepts organizations need to know to get started with the regulation. Here are the most important definitions:
- Data subject — A natural person whose personal data is processed by a controller or processor.
- Personal data — Any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is anyone who can be identified by his or her name, identification number, location data or other factors.
- Consent — Any freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of his or her personal data.
- Processing — Any operation or set of operations performed on personal data, such as collection, recording, structuring, storage, alteration, retrieval, disclosure, dissemination, erasure or destruction.
- Data controller — A person, public authority, agency or other body that determines the purposes and means of the processing of personal data. Data controllers are tasked with demonstrating that processing is performed in accordance with the regulation.
- Data processor — A person, public authority, agency or other body that processes personal data on behalf of the data controller.
- Personal data breach — A breach of security that leads to the accidental or unlawful destruction, loss, alteration or disclosure of personal data.
- Privacy by design — This is one of the key changes introduced by the GDPR. Companies will be obliged to take data privacy into account during the design stages of all projects. In particular, Article 25 requires the data controller to take appropriate measures to protect personal data from unlawful processing.
The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed. (Chapter 4, Article 25)
#5. Who within the organization is responsible for GDPR compliance?
The GDPR defines several roles that are responsible for compliance, such as data controller, data processor and data protection officer (DPO). According to Article 37, public authorities and organizations that process large volumes of sensitive data or perform systematic monitoring of data subjects will have to designate a data protection officer. DPOs are responsible for monitoring compliance with the GDPR and providing advice regarding data protection to senior management.
Obviously, the GDPR is going to be a primary concern of C-level executives and will require all the key people in the organization, including the CIO, CISO and DPO, to work together to ensure that the organization is ready to demonstrate compliance with all GDPR requirements.
#6. What types of data does GDPR protect?
GDPR protects almost all types of personal data, including basic identity information, financial data, web data and more. According to Article 9, certain types of data cannot be processed unless the data subject has given explicit consent; this list includes biometrics, racial or ethnic origin, political opinions, and data concerning health.
#7. What are the GDPR’s main requirements?
The GDPR standard consists of 11 chapters and 99 articles. Here are the requirements that will likely have the greatest impact on security and operations:
- Extended principles of processing of personal data — All data has to be processed “lawfully, fairly and in a transparent manner in relation to the data subject” and collected only for “specified, explicit and legitimate purposes” (Article 5). Processing is considered to be lawful only under certain circumstances: for example, if the data subject has given explicit consent or processing is necessary for protecting the customer’s vital interests (Article 6).
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. (Chapter 2, Article 5)
- Conditions for consent — Articles 7 and 8 outline strict new requirements for obtaining valid and verifiable consent for processing personal data. Data controllers have to prove that the data subject has agreed to processing of his or her personal data. The request for consent must be given in an easily accessible form, with the purpose for data processing attached. Moreover, data subjects now have the right to withdraw their consent at any time. If an individual withdraws their consent, an organization has to erase their data as soon as possible (Article 17).
- New and expanded rights for data subjects — A large section of Chapter 3 (Articles 14–21) outlines several rights that help individuals gain better control over their data. Data subjects have the right to obtain information about whether their personal data has been processed and for what purpose (Article 15), receive notifications about data erasure (Article 19), and transfer their personal data between service providers more easily (Article 20). They can also object to processing of their data or to direct marketing (Article 21), which may affect organizations that rely on data analytics.
- Right to be forgotten — One of the most critical new requirements is the right to erasure, or the right to be forgotten (Article 17). It enables individuals to have the data controller erase their personal data or stop further dissemination of that data, or have third parties stop data processing, all without delay. The conditions for invoking the right to erasure include data no longer being relevant or processing being unlawful.
Almost 60% of consumers would ask a company to completely delete their records
- Security of processing — Article 23 requires companies to implement appropriate technical and organizational measures to ensure data privacy and protect consumers’ personal information against loss or exposure. Article 30 says that the controller and processor have to maintain comprehensive records of their activities, such as the purpose of data processing, categories of data subjects and personal data, verifiable consent records, and records of data transfers.
- Data breach notification — According to Article 33, data controllers have to report a security breach to the supervisory authority no later than 72 hours after it is discovered. If a company fails to do so, it has to provide reasons for the delay. Article 34 says that data controllers have to communicate data breaches to data subjects if “the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.”
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. (Chapter 4, Article 33)
- Data protection impact assessments — Article 35 requires companies to perform data protection impact assessments to identify and assess risks to consumer data. These assessments are mandatory before undertaking “high risk” processing, such as systematic monitoring of extremely sensitive data. The scope of the assessment includes a systematic description of the processing operations, their purposes and necessity, and the measures being taken to address the risk and ensure data privacy.
- Transfers of personal data outside the EU — Article 46 makes it essential for companies to confirm that international transfers of personal data are carried out in accordance with rules approved by the European Commission.
#8. What are the fines for non-compliance?
In comparison to the former Data Protection Directive, the GDPR has increased penalties for non-compliance. For companies that fail to comply with certain requirements, fines can be 2% to 4% of the company’s annual global revenue, or €10-20 million.
#9. What are the estimated costs to prepare for the GDPR?
According to the 2017 PwC Pulse Survey, 77% of companies plan to spend $1 million or more on GDPR compliance, which indicates that GDPR’s steep fines have significantly changed the budget priorities of organizations. The same research shows that most organizations that have already begun GDPR preparation plan to invest in IT security, privacy policies, GDPR gap assessment and data discovery. For those who haven’t started yet, the top priorities are data discovery, GDPR gap assessment, information security enhancement and third-party risk management.
#10. What will consumers expect from me when the GDPR is effective?
Consumers will expect companies to be completely transparent about how their data is being used and promptly notify them of data breaches, especially given the large number of high-profile breaches over the past few years that affected the personal data of billions of people, such as the Equifax and Yahoo incidents. Once GDPR comes into full force, companies will have to prove that they are transparent about what they do with customer data and how they plan to help affected clients in case of a data breach.
European consumers expect companies to be completely transparent
How to prepare
There’s one more critical question to ask: Where should I start? Although we will study this issue in our future posts, we’d like to give several recommendations to help you avoid unnecessary panic:
- Organize an information audit. To comply with the GDPR’s accountability principles, you need to know your data well. It is essential to document what personal information you hold, where it resides, where it came from, whom you share it with and your purpose in processing it.
- Identify the legal basis for processing of personal data. Organizations need to document and explain the legal basis for processing personal data. This is critical for organizations that rely on consent as a justification to process individuals’ data. It is also a good idea to seek legal advice regarding your obligations under the GDPR.
- Make sure you can cover individuals’ rights. Individuals have certain rights that you must uphold, such as the right to access their personal data, the right to correct inaccuracies, and the right to have personal information erased. You need to make sure that you have procedures in place to address such requests from data subjects promptly.
- Hire a Data Protection Officer if necessary. If your company meets the criteria outlined in Article 37, you need to ensure that someone in your organization, or an external data protection advisor, can take responsibility for compliance and has the knowledge and authority to do so effectively.
- Develop proper procedures for handling data breaches. Personal data breaches must be detected, reported and investigated according to the new requirements. Failure to do so will result in huge fines, both for non-compliance and for the breach itself. You need to start now to make sure you have all the necessary controls in place. For example, continuous security monitoring enables you to receive the latest information about what’s going on in your critical systems, so you can refer to it if you need to investigate a security incident.