Next year (2018) on the May 25th, the General Data Protection Regulation (GDPR) will go into effect. Your company, and every other company around the world should, by now, have a good idea of how it will affect your business. If you don’t know or think that it doesn’t affect you because you’re not a European company, you are courting danger.
The main consequence you are risking is a significant fine for not complying with GDPR. These are the new rules governing the privacy and security of personal data that is being implemented by the European Commission, but which WILL APPLY to some companies located outside the European Union. This new law casts wide net, far beyond the borders of the EU. GDPR applies to your organisation, regardless of the country in which you are based or from which you operate. Unless, that is, if you do not collect or process personal data drawn from the European market.
- For the sake of clarity – your company probably needs to comply with GDPR if:
- You monitor the behaviour of data subjects who are located within the EU
- You’re based outside the EU but provide services or goods to the EU (including free services)
- You have an “establishment” in the EU, regardless of where you process personal data
This is a considerable expansion of the scope of data protection provided by European law up to now. It encompasses all people living in the EU, not just EU citizens and it expands liability beyond the current directive to include data processors as well as data controllers.
To recap European data protection concepts, there are three key terms: data subjects, data controllers, and data processors. A company, for example, is a data controller with respect to the customers or employees about whom it has personal information. In this context, the customers and employees are the data subjects (natural persons whose personal data is being processed by the data controller). An example of a data processor is a payroll company to which the employer outsources its payroll operation in its capacity as a data controller.
Main Effects of GDPR
It increases the individual’s expectation of data privacy and the organisation’s obligation to follow established cybersecurity practices.
It introduces hefty fines for non-compliance. A serious violation of GDPR, such as poor data security leading to public exposure of sensitive personal information, could result in fines of millions or even billions of dollars. Fines will be based on 4% of worldwide turnover.
It Imposes significantly greater notification requirements. Both the authorities and affected data subjects need to be notified “without undue delay and, where feasible, not later than 72 hours after having become aware”.
It requires companies to appoint a data protection officer (DPO). You will need to designate a DPO if your core activities, as either a data controller or data processor, involve “regular and systematic monitoring of data subjects on a large scale.”
It clarifies the grey area of consent. Data subjects must confirm their consent for you to use their personal data by a freely given, specific, informed, and unambiguous statement or a clear affirmative action. In other words: silence, pre-ticked boxes, or inactivity will no longer constitute consent.
It takes a broader view of what constitutes personal data, potentially encompassing cookies, IP addresses, and other tracking data.
It establishes a right to be forgotten so individuals can ask your company to delete their personal data. Organisations that do not yet have a process for dealing with such requests will need to implement one.
It gives data subjects the right to receive data in a common format and to ask that their data be transferred to another controller. Many organisations will not have this in place currently.
It states that data controllers are liable for the actions of the data processors they choose. The controller-processor relationship will need to be governed by a contract that details the type of data involved, its purpose, use, retention, disposal, and security measures.
It increases parental consent requirements for children under 16.
It requires “privacy-by-design” as a standard practice for all activities involving protected personal data. For example, in the area of application development, GDPR implies that security and privacy experts should work with the design and development teams to make sure software complies with the new regulation.
As you would expect, some companies are further along the GDPR road than others. A recent IDC Research study found that 52% of them were unsure what GDPR’s impact on their organisations would be.
GDPR Security and Notification
To dig a little deeper into GDPR’s implications for the security of personal data that your company handles, there is value in citing the relevant sections in detail. They effectively establish a baseline that companies which handle data about EU persons will need to meet to be able to defend against claims that they are “processing in infringement of this Regulation”.
Section 83 states that “… the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.”
There are few specifics about how you should approach securing data, apart from the encryption reference but there’s a clear declaration that you must perform a risk assessment. We would hope that by now every company has done a cybersecurity risk assessment and is keeping it current.
Section 83 expands on the risks that need to be considered: “In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.”
Section 84 discusses the security of “high risk” data (still some debate on the definition). Where, processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for carrying-out a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation.
Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation with the supervisory authority should take place prior to the processing.
Section 85 states that when the data controller “becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.” Interestingly, GDPR allows the data controller to avoid notifying authorities of a breach if it is “able to demonstrate, in accordance with the accountability principle that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.
Section 86 specifies the terms of data breach notification. It states that data controllers must “communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.” Some specifics of notification are spelled out, such as “describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects.”
Clearly, there is a lot to get ready for, especially if the idea of having to deal with European data protection law is new to you. If you haven’t started yet, then start now. For more information on how you can prepare for the General Data Protection Regulation contact KRYPSYS via the website www.krypsys.com.