As the date when the EU's GDPR (General Data Protection Regulation) goes into effect approaches, many organizations inside and outside the EU need to assess their readiness and get into gear to ensure they are compliant. However, it appears that many companies, both inside and outside the EU, are still unprepared, and some haven't even begun to take stock and evaluate the steps that need to be put in place to bring their systems and processes up to par.
Considering that practically every organization today processes and stores personal data of some type, that everyone's information (employees, customers and end users) is managed and held in databases of different types and sizes, and that we are constantly hit with news of data breaches at companies of every size all over the world, it is actually quite surprising that so many organizations are still trying to figure out how to approach GDPR compliance, and that even more are only in the early stages of implementation.
Let’s take a minute to review the basics: what is the GDPR, who it impacts, and the standards that organizations and their development teams need to maintain for compliance.
The General Data Protection Regulation is the most sweeping change to data protection in over twenty years, replacing the now-outdated Data Protection Directive from 1995. It is an updated set of rules, created by the European Commission, that governs the privacy and security of personal data. It aims to unify data protection laws and standards across the 28 member states of the EU, so that data privacy and protection rules no longer vary from one member state to another.
The regulation comes into effect on 25 May 2018, imposing strict rules on anyone hosting or processing personally identifiable information (PII), anywhere in the world. The GDPR regards any information that relates to a person's private, professional or public life as PII, including IP addresses, banking information, email addresses, social media posts, etc. The regulation also defines standards for the free movement and transfer of PII into and out of the EU.
Organizations that handle EU residents' data are required to build privacy into their systems by design, create transparent processing systems, encrypt or pseudonymize personal data, conduct mandatory privacy impact assessments, design stronger consent mechanisms, follow stricter procedures for documenting and reporting data breaches, and document any use of personal data in detail.
The regulation applies to any business that stores, processes or handles the personal data of current, past or prospective customers in the EU – this includes any company that markets goods or services to the EU. All organizations that fall under those categories need to take stock of their technologies, policies and processes – regardless of their size or location. This means that the GDPR will impact the way most organizations worldwide deal with personal data.
Penalties for any organization that violates the new regulation are severe: organizations found non-compliant with the GDPR face fines of up to €20m or 4% of annual turnover, whichever is higher. This could deal a crippling blow to any company.
The GDPR requires that organizations review their data storage, handling and processing, from the data's point of entry until it is deleted.
A big part of the regulation is ensuring that an individual's personal information is stored with their permission, used only for the purpose for which it was obtained, and retained for a reasonable duration based on that purpose. Under the GDPR, EU residents must be able to easily withdraw consent and have the "right to be forgotten". This means companies need to review their end-user privacy notices and policies and make whatever changes are needed to comply with the GDPR.
In addition, the GDPR requires that companies have the right procedures in place to detect, investigate and report personal data breaches when they occur.
To get with the program, organizations should start by answering the following questions about the storage and processing of PII: Where is the data stored? Does the data fall under the purview of the GDPR? Is it at risk if stolen or exposed? Who has access to the data, or might attempt to access it? What processes are in place in the event of a data breach?
These are the first questions to answer on the road to GDPR compliance. Given the current state of data security and the high cost of breaching the new regulation, organizations need to make taking a hard look at their data protection policies and processes a priority.