GDPR. You may have come across the acronym lately, and for good reason. The General Data Protection Regulation is a series of articles set to replace the European Union's current Data Protection Directive, 95/46/EC, as of May 25, 2018. This change is monumental in a number of ways. The EU's Data Protection Directive was created in 1995 and has remained relatively unchanged since. Consider how technology has evolved in the last 23 years, alongside growing cyberthreats and crime, the proliferation of internet-connected devices, and our increasing reliance on web-based services that require personal user information. With this in mind, it becomes evident just how quickly innovation outgrew the EU's original protections.
This disconnect was largely responsible for GDPR's creation: a four-year drafting and debate process with the intention of creating thorough and consistent data privacy laws across Europe. The push for unity favors citizens by enhancing personal privacy and increasing transparency about how data is being used. Under GDPR, personal data will be expanded to include the following: names, photos, email accounts, bank details, posts on social networking sites, medical info, biometrics, and computer IP addresses. The process of obtaining this personal information will also be heavily regulated:
- As of May 25th, user consent forms must be written in a clear, accessible manner. The intention is to reduce lengthy forms weighed down with legalese. These documents must also provide clear options through which users may withdraw consent.
- Under GDPR's "Right to Access", users have the right to know how their data is being used and for what purpose.
- GDPR also has the section "Right to be Forgotten", which details the process of data erasure. Under this right, data controllers and processors must enable users to withdraw their information if they choose to revoke consent.
- Article 23 outlines the need for "Data Minimization," whereby controllers will "hold and process only the data absolutely necessary for the completion of its duties." The intention is to boost user security by actively removing extraneous personal information.
In order to protect personal information, GDPR will also be imposing stricter regulations on businesses that process or control user data. Part of this will be the leveraging of Data Protection Officers, or DPOs. DPOs are appointed within businesses where the majority of operations involve large-scale monitoring or processing of data (e.g. at a regional, national, or international level). Under Article 37, DPOs are mandatory in the following cases:
- Public authorities
- Organizations that engage in "large scale systematic monitoring"
- Organizations that engage in "large scale processing of sensitive personal data"
In the event of non-compliance, things are bound to get expensive. According to a study by Ovum, 52% of EU-based businesses believe they will be fined for non-compliance. Current estimates predict that fines and penalties will total $6 billion in the first year. Other numbers to keep in mind:
- In the event of a data breach, companies must notify affected parties within 72 hours of discovering said leak.
- If a company fails to disclose a breach, or is otherwise in violation, it will be fined according to a tiered model:
  - Level 1 fines, such as for failing to keep proper records, are approximately $12 million (€10M) or 2% of worldwide annual revenue, whichever is higher.
  - Level 2 fines, such as for failing to disclose a data breach, are approximately $24 million (€20M) or 4% of worldwide annual revenue, whichever is higher.
Image courtesy of Imperva.
For those of us stateside, these numbers may not seem so intimidating. The US is not part of the European Union, so we're in the clear, right?
Not quite. A company that processes the information of EU citizens will be held to the same set of regulations, even if said business is located outside the EU. So what does it mean to "process" a user's information? As per the GDPR, this occurs when:
- "[a company's] activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behavior that takes place within the EU."
Under GDPR, these companies will have to appoint a representative in the EU to remain compliant. These changes are an attempt to eliminate the ambiguity of "territorial applicability", an argument often leveraged by businesses based outside the EU. Furthermore, as both data controllers and processors must abide by these regulations, the cloud will now be within the GDPR's purview.
So how are US-based companies preparing? As per the Spiceworks "State of IT" report, 47% of North American companies have not allocated a budget for impending GDPR changes. A further 22% did not know if their organization had any allocated funds. This does not bode well for businesses hoping to avoid a potentially costly transition period. But for those proactive organizations looking to make the most of this change, here are a few ways to prepare:
- Conduct a risk assessment and review your customer touch points. Now is the time to take inventory of your channels, including websites, landing pages and third-party lead generators.
- Check that your opt-in language adheres to GDPR consent standards:
  - Is your language unambiguous?
  - Is the consent form separate from the terms and conditions?
  - Are opt-in boxes unchecked by default?
  - Have you named all parties in need of user consent?
  - Is it easy for a user to withdraw?
- Now that your language has been amended, it is time to focus on user data. Data transfers must be made in a secure and private manner, preferably encrypted. If breached data was encrypted, and the keys to that encryption have not been compromised, the breach is not a reportable event.
- Check in with your third-party partners. Are they also complying with GDPR regulations? If not, they may be sharing non-compliant data, which poses long-term liabilities.
- Document all GDPR compliance efforts. GDPR necessitates that companies maintain clear user records, especially demonstrations of consent. Ensure that your company is keeping a thorough, timestamped record of all relevant documents.
- Amend your company's data protection plan. Do your company's standard practices align with those put forth by GDPR? Have you checked that your mobile devices are also compliant?
- Consider hiring a DPO. They can assist in preparatory measures such as testing incident response plans. If necessary, would your company be able to report a data breach within 72 hours? The DPO can help this process run smoothly through risk-minimization training.