EU General Data Protection Regulation (GDPR)
Over the past several decades, and much more so now, data protection has proven to be a persistent challenge across Europe and the rest of the world. Periodically we are treated to headlines of massive data breaches at trusted companies and corporations, grievous incidents of data leakage that end up costing those businesses billions of dollars not only in lost revenue but also in damage mitigation and customer loss. The customers of these businesses are hurt by these events as well: their personally identifiable information (PII) is stolen and leaked online, handed over to cybercriminals to profit from or to use in creating scandals. As the theft of PII remains a very profitable business model for cybercriminals, data breaches and theft are nowhere near an end.
A new regulation will be put into effect (and thus enforced) on the 25th of May 2018, hopefully introducing a new and better era for personal information security. This regulation is called the EU General Data Protection Regulation or GDPR, and is aimed at guiding and regulating the way companies across the world will handle their customers’ personal information and creating strengthened and unified data protection for all individuals within the EU.
In order to help you on your journey to GDPR compliance, we’ve assembled this living FAQ that includes information on various aspects of the regulation. Check back often as we will be continually updating this article.
What is the EU General Data Protection Regulation (GDPR)?
The GDPR is a new regulation created by the European Union. It has been four years in the making and was finally approved on April 14, 2016. It will replace its predecessor, the Data Protection Directive 95/46/EC, which was adopted in 1995. The GDPR aims to regulate the processing of personal data of individuals, hereafter referred to as “EU citizens,” residing in the European Economic Area (EEA), i.e., EU member states and Iceland, Liechtenstein, and Norway. The GDPR is designed to have a wider scope and includes other major changes that take into account the current cybersecurity landscape.
In brief, the GDPR builds on the past directive. Some of the key changes are the following:
- Increased territorial scope: The GDPR applies to all companies processing the personal data of data subjects residing in the EU/EEA, regardless of the company’s location. To elaborate, the GDPR applies to the processing of personal data by controllers (companies) and processors (entities that process the data for the companies) established in the EU/EEA, whether or not the processing itself takes place in the EU/EEA. Non-EU/EEA-based businesses processing the data of EU citizens will also have to appoint a representative in the EU/EEA. The GDPR will also apply to the processing of personal data of data subjects in the EU/EEA by a controller or processor not established in the EU/EEA. In essence, every company and organization in the world is affected as long as it processes the personal data of EU citizens.
- Encompassing penalties for regulation violation: Organizations and companies found to be in breach of GDPR will be fined according to the scope and type of their infringement. A supervisory authority will assess the violation (e.g., shortcoming, data breach) in order to determine what type of penalty will be imposed. It follows a tiered approach to fines.
- Clearer and concise consent: Organizations and companies will no longer be allowed to use long and illegible terms and conditions and complex forms to request consent from customers. Such forms must be given in an intelligible and easily accessible format, using clear and plain language. Consent must be explicitly given and customers must also be able to easily withdraw that consent.
- Breach notifications: Organizations and companies must notify supervisory authorities and their customers in the event of a data breach that is likely to place at risk the rights and freedoms of individuals. This notification, which needs to happen within 72 hours after the discovery of a breach, will be mandatory. This also applies to data processors that need to notify their customers.
- Access rights: Data subjects will be able to obtain confirmation from companies as to whether or not their personal data is being processed, where, and for what purpose. The company must also provide a copy of the customer’s personal data at their request, free of charge.
- Deletion rights: The ‘right to be forgotten’ allows the data subject to have the company erase his or her personal data. This right to data erasure is not absolute and can be claimed under certain conditions: withdrawal of consent; the data is no longer relevant to the original purposes of processing. This right is subject to public interest or national security concerns.
- Data portability: The data subject will now be able to receive and transmit in a common and machine-readable format any previously obtained personal data (that concerns him) to another company.
- Privacy by design and by default: Privacy by design is a common informal approach; it means that each new service or business process that makes use of personal data must take the protection of such data into consideration. Privacy by default simply means that the strictest privacy settings automatically apply once a customer acquires a new product or service, so no manual change to the privacy settings should be required on the part of the user to select the strictest setting. The GDPR makes privacy by design a major provision and, as a consequence, the inclusion of data protection as a key design element becomes an integral objective of any system design from the very onset.
- Data Protection Officers: The Data Protection Officer (DPO) will be an important GDPR cornerstone. In addition to supporting an organization’s compliance with the GDPR, the DPO will have the essential role of acting as an intermediary between the organization and supervisory authorities, data subjects, etc. Not every organization/company will need a DPO; there are certain criteria that determine whether a DPO is required or not.
With these wide-spanning changes geared towards security, it is clear that organizations, businesses, and even sole proprietors all over the world will need to abide by a comprehensive set of regulations and corresponding legal obligations to ensure adequate protection of their customer data. Data protection is also very strongly linked to implementing comprehensive cybersecurity measures to defend against cyberattacks of all kinds, and therefore also means investing in adequate security procedures and solutions. One important consequence of these regulations, apart from making companies and organizations enforce stronger data protection and overall security posture, is also the streamlining of efforts across different industries and sectors all over the world.
Who does the GDPR affect?
- Being at heart a regulation about data protection, the GDPR first and foremost affects EU citizens whose personal data is the object of concern.
- The part of ensuring data protection is under the purview of organizations and businesses that deal with data and personal information of EU citizens (through transactions of goods and services). These businesses are affected by the GDPR regardless of size or location. This means that organizations and businesses that operate or are established outside the EU/EEA and who also do business with EU citizens also fall within the scope of the new regulation.
- Data processors, i.e., companies that perform data processing for other companies, are also within the scope of the GDPR, which makes them just as accountable as the businesses that utilize or commercialize the personal information of EU citizens. As an example, any cloud provider to whom a company has outsourced storage is also affected by the regulation.
What constitutes personal data?
Personal data or personal information is any information related to a natural person, or data subject, that can be used to directly or indirectly identify the individual/person. Photos, email addresses, bank details, social media posts, medical information, IP addresses — these all count as examples of personal data. This also matches the definition of personally identifiable information, or PII.
What is the difference between a data controller and a data processor?
A data controller, in the terminology of the regulation, is the entity that determines the purposes, conditions, and means of processing the personal data — i.e., a company or organization which requires data. A data processor is an entity which processes personal data on behalf of the controller, such as cloud service providers or data analytics firms. This distinction is relevant because the former often contracts certain tasks to the latter, which, however, does not exempt the latter from any responsibility in terms of the regulation’s provisions.
What are the possible penalties of noncompliance once the GDPR is in effect?
The European Union takes a tiered approach to fines where violations of the regulation are concerned. There will be two levels depending on the type and scope of the infringement:
- The first penalty tier is set at up to 10 million euros, or in the case of an undertaking, up to 2 percent of the company’s global annual turnover of the preceding financial year, whichever amount is higher.
- The second tier is set at up to 20 million euros, or in the case of an undertaking, up to 4 percent of the company’s global annual turnover of the preceding financial year, whichever is the higher amount. This is the maximum fine that can be imposed, as outlined in Article 83 of the GDPR, on companies found and proven by the supervisory authorities appointed under the GDPR to have violated specific GDPR provisions.
How does the GDPR affect companies’ existing policies on data breaches?
Under the GDPR, affected companies and organizations are required to notify their customers, the GDPR supervisory authorities, and at-risk individuals of a data breach within 72 hours. Failure to do so risks violating the GDPR and thus a penalty may be incurred.
We do note here that many businesses currently have different policies in terms of when they disclose the event of a data breach to the public or to the authorities, and it usually depends on the laws decreed by their state and/or country. For instance, Florida law dictates that disclosure of a data breach must be made to the individuals affected by it no later than 30 days. Puerto Rico, on the other hand, mandates that a company, upon learning about their own data breach, must notify the Department of Consumer Affairs within 10 days.
Smaller companies and organizations may well not have any data breach disclosure policy at all, as is the case for businesses in the specific U.S. states that have no data breach disclosure laws (Alabama, New Mexico, and South Dakota, for example). No matter the company size or location, whether in a country or state with or without data protection regulations, the GDPR will be the “standard” to adhere to.
Insights on GDPR for Businesses
The GDPR mainly concerns organizations and enterprises that deal with the personal information of EU citizens, regardless of where the data processing occurs. Countries around the world are also working on updating their approach to the protection of citizen data, making it clear that businesses should be approaching cybersecurity in the way defined by the GDPR — state-of-the-art technology will be the requirement and norm going forward.
The good news is that the GDPR will help businesses become better protected from the advanced cyberattacks we are seeing at an increasingly frequent rate, including malware like ransomware that can have far-reaching impact on businesses beyond fines and penalties. The GDPR and similar laws and regulations also present companies with an opportunity to better secure their brand and their relationship with customers and users. Users will now have new rights to control their data as well as new protective measures in how their data are processed. With the May 25, 2018 deadline fast approaching, it is important that you take steps now to understand the impact on your business and how you will need to adjust in order to comply with the regulation. The following FAQs can help your business get up to speed. Regularly check this page as we will add new information and updates about GDPR implementation.
Is my business affected by the GDPR?
As the GDPR states, any business that deals with the personal information of EU citizens falls within its scope. If there’s a chance that your business — no matter how small — deals, has dealt, or will deal with EU citizens and their data, regardless of your business’s size or location, it is within the scope of, and thereby affected by, the GDPR. For example, this means that businesses in the U.S., via the EU-U.S. Privacy Shield Framework, are subject to the regulation and its effects — including fines.
As a small business, how do I know if I am processing the data of EU citizens?
No matter the size or nature of your business, as long as you transact with customers from the EU and handle personal data, it is considered processing the data of EU citizens. This includes activities such as handling billing addresses and/or delivery addresses of customers in the EU, or online banking credentials of EU citizens as in the case of e-commerce payments. GDPR also includes online identifiers like IP addresses and mobile device IDs as personal data, which means small online businesses in analytics, media, and advertising could be processing EU citizen data.
In cases where a business may not be able to easily distinguish whether or not it does deal with the private information of EU citizens, the business itself must invest in the effort of determining it. For example, if a business has records stored separately, these would have to be recovered during the review process before the business can move forward in adequately securing the data, as required by the new regulation.
But even if your business has no history of dealing or transacting with a citizen of the EU, you can still assume that the GDPR applies to you, and still invest in making your business GDPR-compliant. This is not only to avoid the costly fines for noncompliance but also to adopt a pro-security policy for customers.
My business is within the scope of the GDPR. What changes should I make?
With the GDPR going into effect on May 25, 2018, you are expected and required to take care of certain duties and tasks in order to comply with the new regulation. Your business should start preparing for the coming changes, reviewing what is required of it, and adjusting all aspects of your security strategy applicable to protecting user data. Some of the actions you can take to address the provisions include the following:
- Report any incident of a data breach to the GDPR supervisory authority (SA) in your country within 72 hours. Your customers need to be notified as well, especially those you can identify to be personally affected by the data breach or who would be at risk of having their rights or freedoms infringed upon.
- Carry out Privacy Impact Assessments to identify privacy risks to your customers when collecting, using, processing, and disclosing their personal data.
- Simplify your End User License Agreements/Terms of Services, especially when they pertain to requesting consent from your customers.
- Allow your customers to just as easily withdraw consent as they are able to give it.
- Inform your customers whether or not their personal data is being processed, and prepare yourself to hand them an electronic copy of their personal data you collected, free of charge, if they so choose to request one. Allow them to share this copy with another company if they choose to do so.
- Delete their personal information from your database upon their request.
- Consider customer data protection as a key feature in any new system or design you’re developing from the onset, not simply an add-on. This is the concept of data protection by design put forth in the regulation.
- Appoint a Data Protection Officer (DPO) as required.
Does my business need a Data Protection Officer (DPO)? What does a DPO do?
It depends on the data you collect and what you do with that information. The types of businesses and organizations that require a Data Protection Officer are the following:
- Public authorities, such as government agencies, public advisory bodies, state universities and schools, publicly-funded museums, and other similar bodies
- Organizations that engage in large-scale systematic monitoring of customers, such as online behavior tracking as done, for example, in online shopping websites, online banking websites, etc.
- Organizations that engage in large-scale processing of sensitive data, either for themselves or for other organizations. These include organizations that process data relating to criminals and/or criminal offenses or personal data revealing racial or ethnic origin or religious beliefs.
If your company does not fall under any of these categories, then you are exempt from having to appoint a Data Protection Officer.
A Data Protection Officer’s duties are as follows:
- Informing and advising the organization/business and its employees about their obligations to comply with the GDPR and other protection laws.
- Monitoring compliance with the GDPR and other data protection laws. This may include managing internal data protection activities, advising on data protection impact assessments, as well as training staff on GDPR compliance.
- Being the first point of contact for supervisory authorities and individuals whose data is processed.
Organizations may delegate the role of the DPO to an existing employee, so long as the employee’s background is compatible with the duties of being a DPO and there will be no conflict of interest. They may also contract the role of DPO externally if they so choose.
How is noncompliance determined, and who determines it?
Noncompliance with the GDPR means that the company, either data controller or processor, failed or is neglecting to abide by the provisions laid out by the regulation, which, as a whole, seeks to protect the data privacy and safety of EU citizens. Compromise of that safety may be considered as noncompliance.
Noncompliance with the GDPR may be determined by the supervisory authorities, on their own initiative or upon the reception and investigation of a complaint lodged by a data subject (a customer) against the allegedly infringing company.
A supervisory authority is an independent entity established in each EU member state that has the duty of hearing, investigating, and ultimately verifying complaints made by data subjects. They are also empowered to impose administrative fines and punishments should the complaint be deemed valid, i.e., the company under investigation is found to have violated the GDPR.
While noncompliance and administrative fines are under the purview of the supervisory authority, courts may be involved if a data subject decides to file a legal complaint as well.
What can a supervisory authority do if there is a complaint against a company?
During an investigation of a complaint, the supervisory authority has the power to perform actions such as:
- Ordering a company (or the data processor handling the data processing for the said company) to provide any information the supervisory authority requires in performing its tasks
- Ordering and/or carrying out data protection audits on the company accused
- Obtaining access to a company/data processor’s premises, including access to their data processing equipment and the information stored within that equipment
These actions, along with a host of others, allow the supervisory authority to gather as much evidence as it can to decide whether or not the complaint is valid and true.
Should the supervisory authority find the accused company guilty of infringing the GDPR, it can mete out punitive actions, including the following:
- Issue warnings
- Order the company accused to achieve full compliance with the GDPR’s provisions before a prescribed deadline (This can also be combined with fines.)
- Order suspension of company operations (and/or processing of data)
- Impose administrative fines, which range from 2 percent of global revenue or 10 million euros (whichever is higher), up to 4 percent of global revenue or 20 million euros (whichever is higher)
How does the supervisory authority determine the penalty and/or size of the administrative fine?
The supervisory authority, upon investigation of the complaint and the company involved, uses these criteria involving aspects of the infringement itself:
- The number of people affected, the damage they suffered, the duration of the infringement, and the purpose of the processing of their personal information
- Whether the infringement was intentional or due to negligence on the company’s part
- Whether actions were taken to mitigate damage to the people involved
- The categories of data/personal information affected by the infringement
- To what extent preventative measures were taken, both technical and organizational, and if they were implemented prior to the event to avoid noncompliance
Other factors, such as the company’s history of past infringements (if any), how cooperative the company was in the mitigation of the infringement’s effects upon the data subjects affected, and whether the company stood to benefit, either directly or indirectly, from the infringement, are also considered in the determination of the fine.
If the infringement is found by the supervisory authority to be minor or otherwise very minimal in customer impact, the company may be issued warnings instead. But if the company is found to be guilty of multiple infringements, then it shall be fined according to the most serious one, i.e., it will not be separately fined for each provision infringed.
In this context, it is important to note that the regulations and the connected penalties apply to both the company that requires the personal data and any entity that processes the data for the company — so ‘clouds’ or cloud service providers are not exempt.
What are the fines for serious infringements?
For serious infringements, the GDPR adopts a two-tiered approach to the maximum fines possible. The lower tier constitutes being fined up to 2 percent of total global turnover or 10 million euros, whichever is higher, while the upper tier constitutes being fined up to twice the amount of the former (i.e., 4 percent of total global turnover or 20 million euros, whichever is higher).
Being fined at the lower tier means the company has been found guilty of infringing provisions such as:
- Obtaining consent for processing the personal data of a child who is at least 16 years old (or of his/her parents or guardians, if younger)
- The application of privacy and data protection “by design and by default”
- Maintaining records on data processing activities, including information on categories of data collected and for what use
- Timely notification about data breaches to the supervisory authority and the data subjects affected
- Appointment of a Data Protection Officer (for enterprises and public authorities)
Meanwhile, being fined at the upper tier means the company has infringed provisions of the GDPR related to the following:
- The legitimate, lawful, and secure processing of the data subject’s personal information
- The explicit consent of a data subject for the collection and processing of personal information
- The data subject’s rights to privacy, access to information on data processing, data portability, among others
- Noncompliance with an order or a temporary or definitive limitation on processing or suspension of data flows by a supervisory authority
- The legitimate and protected transfer of the data subject’s information to a third country or an international organization
The above is by no means an exhaustive list of the scenarios and/or infringements that can determine the final value of a fine. The full list can be read in Article 83 of the full legal text of the GDPR.
What steps do I need to take to make my business GDPR-compliant?
The GDPR provides a clear path to a more standardized cybersecurity across different industries, which will be beneficial to both you and your customers. The GDPR presents an opportunity not only for companies to create a better and more steadfast defense against cyberattacks, but also establish a clearer, defense-minded image of themselves to both their customers and their stakeholders.
Here are some guidelines you can start with:
- Ensure your stakeholders are aware of the GDPR and what it means for your business.
- Conduct extensive research, interviews, and surveys to understand how prepared your company is for GDPR compliance.
- Begin compiling an inventory of the personal information that is collected, with whom it is shared, and what terms and conditions govern its use.
- Review approaches to capturing consent from your customers. Simplify them; make them easily accessible and intelligible to a general audience.
- Deploy state-of-the-art security technologies and processes to bring about a culture that puts first a clear emphasis on the protection of your customers’ private information and privacy.
- Ensure your company has the right data governance practices to respond efficiently to the new rights afforded to your customers, such as the rights to data erasure and portability.
My organization has existing privacy and security policies in place. What else do I need to do?
It is commendable that you already have privacy and security policies in place, and depending on the region you operate in, you may be well on your way to compliance (e.g. Germany or Japan). The GDPR is, however, a stricter regulation with more provisions than most that came before it. Your current security policies may fulfill some parts of the GDPR but likely not its entirety given the requirements around the rights of users around their data. To make sure you are in full compliance, not just partially, check your current policies against the GDPR provisions.
We therefore recommend the following:
- Organize a GDPR workgroup, one that will identify gaps in your current security policies as well as analyze whether or not your current security solutions are up to date/up to par with GDPR standards of compliance.
- Organize your IT security team to map out your complete customer information storage and security processes, and identify gaps, shortcomings, and obsolete hardware that may be addressed through hardware upgrades or investing in additional security software.
- Consult your GDPR local supervisory authority/local GDPR expert if possible to determine whether your privacy and security policies are up to par, before and after your compliance efforts.
- Look into and perform the steps listed in the question above.
The GDPR also requires businesses to follow the principles of privacy and customer data protection “by design and by default” at the outset of any project or product development.
What types of cybersecurity technologies/solutions should I invest in to help my organization comply with the GDPR?
A security strategy that can help your company comply with the GDPR has a strong technology component and includes solutions with the following attributes:
- Smart: It should be able to protect personal data at all times, whether it is at rest, in transit, or in process, against known and unknown threats. It should be able to adapt to any threat scenario and should not undervalue traditional techniques, which can be very effective as part of a layered security strategy.
- Optimized: It should be able to be implemented across the company and into the personal data processing systems without conflicts or issues, whether the systems are legacy or modern deployments like cloud. This includes highly efficient deployment approaches for protecting users, servers and cloud applications, and networks.
- Connected: It should be able to both prevent and remediate personal data breaches by sharing real-time threat intelligence as well as automatic security updates with all security layers. This process stops malware and/or cyberattacks before they can penetrate the network and impact the personal data archives of a business. It also assists the IT security team in isolating any infected system from the rest of the network, confining potential damage and breaches to a single unit as opposed to the entire organization.
- State of the art: It should have and be able to leverage capabilities delivered in the latest generation of security technology and combine those with proven techniques to help stop advanced threats. Examples of this include Virtual Patching, which allows organizations to establish rules in order to protect a specific system or network from vulnerability exploits, even if the vulnerable system does not have an official patch or it simply has not yet been applied. This was seen in the case of the Windows SMB vulnerability that underpinned the recent WannaCry ransomware outbreak. Another is Integrated Data Loss Prevention, a technology that allows users full visibility of their data and allows them to identify, track, and secure business-critical information from all endpoints — even remotely.
A suite of security solutions that has all four of the above attributes can help protect the entire enterprise — not just a single point like a database of customer information — across the entire life cycle of threats. Investing in an approach that delivers smart, optimized, and connected security, combined with the adoption of a “data protection by design” strategy, will help minimize compromises and breaches and exemplify the spirit of the GDPR.
Visit the Trend Micro GDPR page for further details on the GDPR, guidance on how to comply with the regulation successfully, and state-of-the-art cybersecurity solutions.