The EU’s General Data Protection Regulation (GDPR) passed into law on May 25, 2018. It implements data-protection laws affecting anyone who processes personal data of EU-based individuals—that is, most businesses worldwide. Many organizations have already started their journey to comply with the GDPR, which regulates the security and privacy of an individual’s data safety. With this new legislation affecting companies all over the globe, and the recent news of California passing similar restrictions, it’s never too late to start on privacy compliance and to better understand GDPR as it relates to your business.
GDPR: The Basics
Given the vast amount of business done online, it’s clear that the GDPR has an international reach. GDPR requirements not only apply to businesses in the EU, but they also apply to the processing of personal data of EU residents regardless of company location. The location of the person and that person’s data is what’s important, not nationality or citizenship. The GDPR’s main requirements are that businesses must have full consent and a clear opt-in from the user.
Consequences for Noncompliance
One reason organizations aren’t preparing is that they often think the law doesn’t apply to them. For example, organizations commonly assume they’re exempt if they don’t have or process much personal data. Yet the essential tenet of GDPR is that every business that processes personal data of EU residents must comply. Naturally, this situation leads to the question of what to expect if your organization fails to comply.
The European Commission provides a four-step process (GDPR article 83) before a regulatory entity can impose a fine on an organization for noncompliance. These steps are (1) warning, (2) reprimand, (3) suspension of data processing and then (4) fines; the regulation says that sanctions will “in each individual case be effective, proportionate and dissuasive.” Therefore, the fine process allows an authority to impose a fine in addition to other mitigation measures.
So what does this situation tell us? Concentrate on compliance, not fines! Don’t focus on the punishment—that’s just the headline news (e.g., spreading fear, uncertainty and doubt, or FUD) that consultants and companies use as scare tactics to get you to purchase their products and services.
When it comes to compliance, regulatory authorities will focus on two main areas first: transparency (full disclosure to users) and accountability (records and rationale). In addition, you must start implementation with adequate resources for the project—that is, at a minimum, you should have a plan of action.
You must also show an effort to establish enforcement policies, including the following:
- Consistency in privacy policies and processes
- Clear mitigations when things go awry or get off track
Let’s briefly address four typical questions associated with GDPR compliance.
Must I abide by GDPR?
Yes, you likely will. The rules apply unequivocally to everyone who processes EU-based personal data. Article 30 says companies with fewer than 250 employees are only required to keep records of processing activities if doing so could risk an individual’s rights or freedoms, or if it pertains to criminal activity. So what should you do? You’ll want to develop and use a formal GDPR plan, regardless of size, as it shows awareness and intent.
Do I need a data-protection officer?
Yes, you might—but probably not. It all depends on the type of data you collect and how much you collect rather than the size of your business. If your processing requires “regular and systematic monitoring of data subjects on a large scale,” you must appoint a data-protection officer (DPO). The EU says “a group” may employ one DPO between them, as long as the officer is available to all. In short, you’ll need a privacy advocate. Assign a privacy “manager/advisor” to be the focus for your organization and to lead the GDPR project.
What about those huge fines vendors discuss?
Organizations can be fined up to 2% of annual turnover or €10 million, whichever is higher, for infractions of GDPR rules. If a data breach has obvious signs of negligence, that fine can grow to 4% of turnover or €20 million, whichever is higher. But these fines must also be “proportionate,” meaning you must demonstrate (with solid record keeping and documentation) that your policies and governance framework were built to follow the GDPR. Then, if you still suffer a breach, the EU’s Information Commissioner’s Office (ICO) would be unlikely to levy a significant fine. Should a data breach occur, however, the damage to your reputation, trust, brand and market share will be significant nevertheless.
Finally, how do I best prepare my company for the GDPR?
A solid place to start is the ICO’s 12-step guide to preparing for GDPR; tailor it to your needs.
On the basis of research into numerous sources for GDPR compliance, we propose the following steps:
- Assess the need for a DPO, assign a privacy liaison at a minimum and develop a compliance plan.
- Conduct a data audit. Steps for such an audit include determining the type of data you process as well as developing a data map, an associated inventory and a risk register to manage the process from start to finish.
- Assess the privacy notices required and associated policies—begin with your website notice and draft/update policies, including, at a minimum, data protection, retention and breach incident.
Then, in parallel with the above steps,
- Update your risk assessment (e.g., security of processing Article 32). Take a holistic approach to your overall security posture—meaning people, policy, process and product (technology)—using a common framework (NIST CSF, SOC2, ISO27001, COBIT, etc.).
- Implement GDPR education and training, for both employees overall and data processors.
- Identify your data processors, both internal and external, and conduct third-party assessments.
- Update your data-breach-incident response plan, providing both contingencies and standard communiqués.
- Review how you ask for consent (if needed) and update that process—be specific and auditable.
- Although privacy-impact assessments (PIAs) are infrequent, develop a PIA and a process for conducting one.
- Understand the “individual rights” requirements; assess your subject access request (SAR) process and establish your “lawful basis,” which drives other tasks.
The Bottom Line
Embrace and invest in the GDPR as the global standard it is (which California’s new privacy law illustrates), where protecting privacy makes both good business sense and minimizes the risk to your business—be it your company’s integrity, brand, market share or profit margin.
As my colleague and the first Secretary of Homeland Security, Tom Ridge, puts it, “Cyberattacks and information breaches will continue to be an ongoing threat to businesses around the world. It is our responsibility as both business owners and citizens to take every precaution to protect both ourselves and our customers from digital threats. Not only because it’s the right thing to do, but because a leak of customer data can cause irreparable damage to any business regardless of the size.”
About the Author
As chief information-security officer (CISO) for Alliantgroup, Michael Davis operationalizes data security, privacy and risk management while advising leadership on protecting critical information resources and managing an enterprise cybersecurity portfolio. As CISO, he executes a risk-based security strategy that enables success by securing and protecting both sensitive company and client information.