A Practical Introduction to the European General Data Protection Regulation for SMBs
On May 25, 2018, the General Data Protection Regulation (GDPR) will take effect. The new set of reforms for data protection will be a new and significant milestone that's positioned to urge organizations to reassess their data processing controls—and whether you’re a sole trader undertaking commercial activities or running a small company, you are likely to come under its scope. The GDPR is expected to harmonize data protection across all the EU member states as well as bring in a number of key measures that includes mandatory breach disclosure, the right to data portability, and the right to be forgotten.
What is the General Data Protection Regulation?
The GDPR is a new set of rules designed to shape and enhance the privacy of data transfers across the EU states. The European Commission first proposed the regulation to the EU privacy and data protection regime in 2012, before it was adopted by the European Parliament and the Council of the European Union on April 27, 2016. The order was implemented as a regulation that applies the processing of data of individuals located in the EU. It also applies to organizations, regardless of location, that are involved with activities related to the offer of goods or services to individuals in the EU, or the monitoring of individuals as far as their behavior takes place within the EU.
Collectively, the set of rules was created to facilitate the free flow of personal data between EU member states within a harmonized framework that upholds and assures privacy and proper management of customer data, regardless of whether the data is in transit or stored.
The GDPR applies to “controllers”, or those who determine how and why personal data is processed, and “processors”, who acts on the controller’s behalf. This means that parts of IT that have been unaffected in the past will need attention from businesses to make sure they comply with the new regulation.
What will it take for SMBs to prepare for the upcoming regulation? Before any business begins its road to compliance, companies need to understand and fully comprehend what the GDPR is, the organizational changes it requires, and what key elements can help determine an organization’s next move.
What does the GDPR mean for SMBs?
While the GDPR will impact both data security and business outcomes for enterprises, it similarly requires SMBs to manage their data flows, transfers, and processes to fully comply with the regulation to the same extent. In this regard, SMBs are expected to measure the risks of their business practices over the privacy of their data subjects, align their interests with the rights of the data subjects, and provide proper documentation that guarantees that these considerations are within their business decision-making process.
The GDPR applies to each company that processes personal data regardless of the number of its employees. Small to medium-sized enterprises (SMB), or companies with less 250 employees and an annual turnover not exceeding EUR 50 million, are allowed some exceptions under the GDPR for the smaller risk that they might pose compared to bigger organizations. To this effect, Data Protection Authorities (DPA) are encouraged to take account of the specific needs of SMBs in the application of the GDPR. For instance, SMBs are relieved of maintaining a record of processed activities, and EU Member States can determine whether SMBs or micro enterprises are required to designate a Data Protection Officer (DPO).
What are the key elements of the GDPR?
In order for a business to prepare for the new regulation, they should be able to understand the scope of the fundamental elements provided by the GDPR. While there are a number of stipulations, here are some significant components that could directly impact your business:
Increased Territorial Scope
The regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR. Essentially, this means that the GDPR will apply to all companies dealing with the personal data of individuals residing in the EU—regardless of whether the process happens in the EU or not. If your business isn't based in the EU but stores data of EU customers, the GDPR will still require your company to designate in writing a representative in the EU.
Data Breach Notification
The GDPR will require organizations to quickly report a breach of security leading to the accidental or unlawful access to, destruction, misuse, of personal data within 72 hours to the relevant supervisory authority. In some cases, a breach should also be disclosed to individuals that are affected, including those who are likely to suffer some form of damage such as identity theft or financial theft.
In essence, the GDPR is focused on where the business activity occurs, and not on where the business is located, hence, the implication of this affects businesses globally. The GDPR emphasizes that all penalties and fines must be effective, proportionate to the offense, and dissuasive. This means that companies that are outside the EU but doing business with companies or individuals within the EU are subject to sanctions placed by the GDPR.
Rights of Individuals/Data Subjects
The GDPR provides several new rights for individuals to strengthen those that currently exist under the data protection law. Under the GDPR, the enhancement of rights will expand the territorial scope, increase compliance and obligations, and expand regulatory enforcement powers.
- Right to information and transparency – controllers are required to inform individualsabout the envisioned retention period of their personal data, the right to withdraw their consent anytime, and the right to file a complaint. If for example, your business collects and stores customer data, you should implement policies that would provide them with a clear understanding of what you do and how long you have to store data. Businesses would also have to respond to their customers’ needs when it comes to their personal data.
- Right to erasure or Right to be forgotten – the GDPR has further enhanced this right and now comes with force of law. The individual will have the right to erase their personal data on several grounds. Additionally, the controller is obliged to take reasonable steps, including technical measures, to inform other concerned controllers of the request to erase any form of replication or link to personal data. This allows customers to request search engines to remove search results related to them unless they are necessary for exercising the right of freedom of expression and information, and businesses would have to comply without undue delay.
- Right to data portability – this new addition allows an individual to request a copy of the data in a structured, digital, and commonly used format from the controller. This allows the individual to transmit processed personal data to another controller of their choice without hindrance from the controller who collected the data.
What does it mean for your organization?
As early as now, organizations are expected to begin the process of complying with the new requirements. While there are a few areas where SMBs are recognized as having fewer resources, they are not exempted from complying. The GDPR urges smaller companies to take a more proactive, risk-based approach to data protection and privacy as most of the rules apply to all organizations regardless of its size. If you are an SMB, you may be pressured by your supply chain to fulfill data controller responsibilities.
Given these new changes, here’s how you can get a head start on your road to compliance:
Only collect what you need – in response to the increased territorial scope of the GDPR, your business should set conditions that encompass all pertinent data collection activities. If your business has existing stored data that is or will not be relevant to your current operations, it's recommended that you get rid of it. Having the proper knowledge about your data processing activities can help you come up with a tailored response to the rights of your customers. For example, if you customer wishes to withdraw their personal data or information, consider asking the following questions regarding your data-handling process:
- How often will the data be used?
- Who has access to the data?
- What do you do with user data?
- What is the value of the data?
Implement internal controls and procedures – when planning to implement these changes, the biggest challenge involves ensuring compliance, and in line with the requirements, you should seek legal advice to determine if your company should hire a DPO or not. If you fall under the exception of this stipulation, you still need to make sure that your legal team or external council understands data protection in terms of legal and information security.
Plan your resources and budget – for sure, the GDPR will result in administrative and compliance costs and not having the proper skills can be a big problem for SMBs. You can scale this challenge by partnering with a data protection expert who knows what it takes to successfully implement the necessary changes while making sure that it's financially viable. This may include an overhaul of your data capture practices, or even acquiring new technologies to ease data transfers and collection.
Use well-established security controls – encryption, firewalls, network security, logging and monitoring of your data and systems are essential areas to pay attention to. These could help you establish a starting point for your data protection practices. In the case of a data breach, this will determine that you have not been negligent.
Ultimately, the GDPR will present a significant data governance challenge to all affected businesses, but companies that can adapt quickly will be able to avoid reputational risks, and costly fines. Organizations can also expect to reap the benefits of compliance, such as increased trust, certainty of the protection of data transfers and collection, and technological neutrality.
Trend Micro’s Integrated Data Loss Prevention (DLP) protects data in endpoints, network servers, and the cloud, as well as the transfer of data between locations. DLP comes with a central policy management, so there’s no need to install separate technologies across multiple security layers. Network Security Custom Defense provides centralized data and policy management that gives IT administrators granular control and visibility to monitor, evaluate, and take appropriate action on unusual network activities based on their needs. For more insights on the impact of GDPR, read Trend Micro 2017 Security Predictions: The Next Tier.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.