Over the past several decades, and much more so now, data protection has proven challenging across Europe and the rest of the world. Periodically we are treated to headlines about massive data breaches at trusted companies and corporations: incidents of data leakage that cost those businesses billions of dollars in lost revenue, damage mitigation, and lost customers. Their customers are hurt as well, with personally identifiable information (PII) stolen and leaked online into the hands of cybercriminals, who profit from it or use it to create scandals. Because the theft of PII remains a profitable business model for cybercriminals, data breaches are not going away.
A new regulation that becomes applicable, and thus enforceable, on May 25, 2018 heralds a new era for personal information security, and it may be a change for the better. This regulation is the EU General Data Protection Regulation, or GDPR. It regulates how companies across the world handle the personal information of people in the EU and creates strengthened, unified data protection for all individuals within the EU.
In order to help you on your journey to GDPR compliance, we’ve assembled this living FAQ that includes information on various aspects of the regulation. Check back often as we will be continually updating this article.
The GDPR is a new regulation created by the European Union. It was four years in the making and was approved by the European Parliament on April 14, 2016. It replaces its predecessor, the Data Protection Directive 95/46/EC, adopted in 1995. The GDPR regulates the processing of personal data of individuals in the European Economic Area (EEA), i.e., the EU member states plus Iceland, Liechtenstein, and Norway. This FAQ refers to those individuals as “EU citizens” for brevity, but note that the regulation protects anyone located in the EEA regardless of nationality. The GDPR has a wider scope than the directive and includes other major changes that take into account the current cybersecurity landscape.
In brief, the GDPR builds on the previous directive. Some of the key changes are the following:
With these wide-spanning changes geared towards security, it is clear that organizations, businesses, and even sole proprietors all over the world will need to abide by a comprehensive set of rules and corresponding legal obligations to ensure adequate protection of their customers' data. Data protection is strongly linked to implementing comprehensive cybersecurity measures against attacks of all kinds, and therefore also means investing in adequate security procedures and solutions. One important consequence of the regulation, apart from pushing companies and organizations towards stronger data protection and a better overall security posture, is the streamlining of those efforts across different industries and sectors all over the world.
Personal data, or personal information, is any information relating to an identified or identifiable natural person (the data subject), that is, anyone who can be identified directly or indirectly from it. Photos, email addresses, bank details, social media posts, medical information, and IP addresses all count as personal data. This is broadly the same idea as personally identifiable information (PII), although the GDPR definition is wider than the way PII is usually defined in U.S. law, since it explicitly covers indirect identifiers such as online identifiers and location data.
A data controller, in the terminology of the regulation, is the entity that determines the purposes and means of processing personal data, i.e., the company or organization that needs the data. A data processor is an entity that processes personal data on behalf of the controller, such as a cloud service provider or a data analytics firm. The distinction matters because controllers often contract tasks to processors, but doing so does not exempt either party from responsibility: the controller remains accountable for the processing, and the regulation places direct obligations on processors as well.
The European Union takes a tiered approach to fines for violations of the regulation. There are two levels, depending on the type and scope of the infringement:
Under the GDPR, a data controller that suffers a personal data breach must notify the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; a notification made later than that must be accompanied by reasons for the delay. Where the breach is likely to result in a high risk to the affected individuals, the controller must also inform them without undue delay. A processor must report a breach to its controller without undue delay. Failing to do so violates the GDPR and may incur a penalty.
We note that many businesses currently have different policies on when they disclose a data breach to the public or to the authorities, usually dictated by the laws of their state and/or country. For instance, Florida law requires that affected individuals be notified no later than 30 days after the breach is discovered. Puerto Rico, on the other hand, requires a company that learns of its own breach to notify the Department of Consumer Affairs within 10 days.
Smaller companies and organizations may have no data breach disclosure policy at all, as may businesses in U.S. states that have no breach disclosure law (for example, Alabama, New Mexico, and South Dakota). Whatever the company's size or location, and whether or not its own jurisdiction has data protection legislation, the GDPR is the standard to adhere to for any processing within its scope.
The GDPR mainly concerns organizations and enterprises that handle the personal information of EU citizens, regardless of where the processing takes place. Countries around the world are also updating their approach to protecting citizens' data, which makes it clear that businesses should approach cybersecurity in the way the GDPR defines it: security measures that take the state of the art into account will be the requirement and the norm going forward.
The good news is that the GDPR will push businesses to protect themselves better against the advanced cyberattacks we are seeing at an increasing rate, including malware such as ransomware, whose impact on a business goes well beyond fines and penalties. The GDPR and similar laws and regulations also give companies an opportunity to strengthen their brand and their relationship with customers and users. Users gain new rights to control their data as well as new protections in how their data are processed. With the May 25, 2018 deadline fast approaching, it is important to take steps now to understand the impact on your business and how you will need to adjust in order to comply. The following FAQs can help your business get up to speed. Check this page regularly, as we will add new information and updates about GDPR implementation.
As the GDPR states, any business that handles the personal information of EU citizens falls within its scope. If there is any chance that your business, no matter how small and wherever it is located, handles, has handled, or will handle the personal data of people in the EU, it is within the scope of the GDPR and affected by it. This applies to businesses in the U.S. as much as anywhere else: under Article 3 of the regulation, an organization established outside the EU is covered when it offers goods or services to people in the EU or monitors their behaviour, and it is then subject to the regulation's obligations, including its fines. Transfer mechanisms such as the EU-U.S. Privacy Shield Framework govern how personal data may lawfully be moved out of the EU; they do not take a business out of the regulation's scope.
Whatever the size or nature of your business, if you transact with customers in the EU and handle their personal data, you are processing the data of EU citizens. This includes handling the billing and/or delivery addresses of customers in the EU, or the payment details of EU citizens in e-commerce transactions. The GDPR also treats online identifiers such as IP addresses and mobile device IDs as personal data, which means that small online businesses in analytics, media, and advertising may well be processing EU citizens' data.
Where a business cannot easily tell whether it handles the personal information of EU citizens, it must invest the effort to find out, typically by inventorying the personal data it holds and where that data is stored. For example, if a business keeps records in separate systems or archives, these have to be located and brought into the review before the business can move on to securing the data adequately, as the new regulation requires.
Even if your business has no history of dealing with EU citizens, you can still assume that the GDPR applies to you and invest in making your business GDPR-compliant, not only to avoid the costly fines for noncompliance but also to adopt a pro-security policy for your customers.
With the GDPR applying from May 25, 2018, there are duties and tasks that you and your business will be required to carry out in order to comply with the new regulation. Your business should start preparing for the coming changes now, reviewing what is required of it and adjusting every part of its security strategy that concerns the protection of user data. Some of the actions you can take to address the provisions include the following:
It depends on the data you collect and what you do with it. Under Article 37 of the GDPR, the types of businesses and organizations that must appoint a Data Protection Officer (DPO) are the following:
If your company does not fall under any of these categories, the GDPR does not require you to appoint a Data Protection Officer, although individual EU member states may require one in additional cases under their national law, and any organization may appoint one voluntarily.
A Data Protection Officer’s duties are as follows:
Organizations may assign the DPO role to an existing employee, provided that the employee has the professional qualities and expert knowledge of data protection law that the role requires and there is no conflict of interest with the employee's other duties. They may also contract the DPO role externally if they choose.
Noncompliance with the GDPR means that a company, whether data controller or processor, has failed or is neglecting to abide by the provisions of the regulation, which as a whole seeks to protect the privacy and security of EU citizens' personal data. A breach of that security may be treated as noncompliance where it results from inadequate technical and organizational security measures or is not reported as the regulation requires.
Noncompliance with the GDPR may be determined by the supervisory authorities, on their own initiative or upon the reception and investigation of a complaint lodged by a data subject (a customer) against the allegedly infringing company.
A supervisory authority is an independent public authority established by each EU member state with the duty of receiving, investigating, and ruling on complaints lodged by data subjects. It is also empowered to impose administrative fines and other corrective measures if a complaint is upheld, i.e., if the company under investigation is found to have violated the GDPR.
While noncompliance and administrative fines are under the purview of the supervisory authority, courts may be involved if a data subject decides to file a legal complaint as well.
During an investigation of a complaint, the supervisory authority has the power to perform actions such as:
These actions, along with a host of others, allow the supervisory authority to gather as much evidence as it can in deciding whether the complaint is well founded.
Should the supervisory authority find that the company has infringed the GDPR, it can impose corrective measures, including the following:
In deciding on a fine, the supervisory authority considers the following aspects of the infringement itself:
Other factors are also weighed in setting the fine: the company's history of past infringements (if any), how cooperative it was in mitigating the effects of the infringement on the affected data subjects, and whether it gained, directly or indirectly, from the infringement.
If the supervisory authority finds the infringement minor, with very little impact on customers, it may issue a reprimand instead of a fine. If the company has committed several infringements in the same or linked processing operations, the total fine may not exceed the amount specified for the gravest of them; it is not fined separately for each provision infringed.
In this context, note that the regulation and its penalties apply both to the company that requires the personal data (the controller) and to any entity that processes the data on its behalf (the processor), so cloud service providers are not exempt.
For serious infringements, the GDPR adopts a two-tiered approach to the maximum fine. The lower tier allows fines of up to 10 million euros or 2 percent of total worldwide annual turnover for the preceding financial year, whichever is higher, while the upper tier allows up to twice that (20 million euros or 4 percent of total worldwide annual turnover, whichever is higher).
A fine at the lower tier means the company has been found to have infringed provisions such as:
A fine at the upper tier means the company has infringed provisions of the GDPR relating to the following:
The above list is by no means exhaustive of the scenarios and infringements that can determine the final amount of a fine. The full list can be read in Article 83 of the GDPR's legal text.
The GDPR provides a clear path to more standardized cybersecurity across industries, which benefits both you and your customers. It presents an opportunity not only to build a better and more steadfast defense against cyberattacks but also to establish a clearer, defense-minded image of your company in the eyes of customers and stakeholders.
Here are some guidelines you can start with:
It is commendable that you already have privacy and security policies in place, and depending on the region you operate in (Germany or Japan, for example), you may be well on your way to compliance. The GDPR is, however, a stricter regulation with more provisions than most that came before it. Your current security policies may satisfy parts of the GDPR but probably not all of it, given its requirements around users' rights over their data. To make sure you are fully, and not just partially, compliant, check your current policies against the GDPR's provisions.
We therefore recommend the following:
The GDPR also requires businesses to follow the principles of data protection “by design and by default” (Article 25): privacy must be built into any project or product from the outset, and the default settings must process only the personal data necessary for each specific purpose.
A security strategy that can help your company comply with the GDPR has a strong technology component and includes solutions with the following attributes:
A suite of security solutions with all four of the above attributes can help protect the entire enterprise, not just a single point such as a customer database, across the entire life cycle of a threat. Investing in an approach that delivers smart, optimized, and connected security, combined with a “data protection by design” strategy, will help minimize compromises and breaches and exemplify the spirit of the GDPR.
For further guidance on the GDPR and state-of-the-art cybersecurity solutions, download our whitepaper, “Solving the GDPR Puzzle: Data Protection with State-of-the-Art Cybersecurity.”