Getting your data ready for the GDPR
In response to the ever-increasing number of high-profile data breaches, lawmakers and regulators around the world are enhancing existing data security compliance requirements, implementing new legal frameworks and defining new data security regulations to respond to increasing internal and external threats.
In December of 2015, the European Union agreed to a draft of one such legal framework known as the General Data Protection Regulation, or the GDPR. These new requirements will go into effect May 2018, but this year is an important one to prepare for compliance as this regulation affects every business offering goods or services to EU citizens regardless of where the company resides.
The GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations approach data privacy. But what does it actually mean for organizations that maintain data? And why should they take it seriously?
Here’s what U.S. organizations need to know about the impending GDPR requirements:
1. Larger penalties for data breaches
Even without any supposition or accusation of deliberate misuse of personal data (which is still a major part of the regulation), the introduction of the GDPR will place an even greater onus on organizations to safeguard the personal data they hold from accidental disclosure and cyberattacks. If they fail to take the proper steps and protect that data, the limits on penalties for breach are much larger than most have dealt with before – with reported fines of up to €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater.
2. Outsourced risk no longer means passing the buck
The new rules also make clear another important factor: that you can outsource your risk, but you can’t outsource your responsibility. If organizations use a third-party provider to store or handle data – such as a cloud provider – they are still responsible for the correct handling and protection of personal data and must be able to demonstrate how the data is protected at all times, whether in their own or in the remote system. Therefore, formal privacy-by-design techniques need to make their way down the supply chain if companies are to avoid penalties or nightmarish discovery and analysis tasks.
3. Creation of the data protection officer
One of the most drastic changes brought about by the GDPR is the creation of an entirely new role within any organization that interacts with EU citizen information – the “data protection officer.” In a nutshell, the DPO will be in charge of making sure that the organization’s handling of EU citizens’ data complies with the GDPR. And if things should go wrong? The DPO’s neck will be on the line, facing large fines and even potential jail time if the data is not properly protected and compliant. The major hurdle in the creation of this new role is that thousands of DPO positions will need to be filled in the coming year.
4. Trust through capabilities, not contract
In the days of the GDPR’s predecessor, Safe Harbor, compliance was primarily based on a “trust through contract” model, allowing any certified entity to process personal data that had been transferred from Europe. With the GDPR, organizations must now possess clearly demonstrable data protection capabilities for the data of EU citizens. In the coming year, it’s going to be interesting to see how many organizations will be forced to shift their business models dramatically in order to maintain compliance with GDPR regulation.
5. Providing online access to personal data
Organizations will now have to provide citizens with online access to any of their own personal data that the organization stores. With the GDPR in effect, organizations must make this data available for download ‘where possible’ and ‘without undue delay.’ This is a very significant change: making these online data access requests secure – in the context of the new, stricter rules for protecting that data at all times – will represent a significant challenge to many organizations and will require adoption of robust cybersecurity technology across the board.
As we get closer to the GDPR’s enactment, we’re going to see a lot more activity and questions from U.S.-based companies (and their legal counsel) around the day-to-day impact of this new legislation. I anticipate that companies will be reviewing their data security best practices throughout 2017 to ensure that they are in compliance with these stringent EU standards.
My advice for businesses is to start planning and mapping out their security strategies right away. In doing so, organizations can allow themselves the time to adopt the appropriate technologies and, ultimately, to prevent themselves from falling behind the data privacy curve.