The General Data Protection Regulation (GDPR) was adopted by the European Parliament and Council in April 2016. It replaces the Data Protection Directive 95/46/EC in the spring of 2018 and will act as the primary law governing how companies must protect the personal data of EU citizens for transactions that occur in the EU member states; companies must ensure that the requirements of the GDPR are met by May 25, 2018. Companies that fail to comply before the stated deadline face hefty penalties and fines.
In this article, we discuss the facts that every company operating in the European Union needs to know about the GDPR. The regulation sets a very high standard for the protection of consumers' rights over their personal data and makes it challenging for companies to adapt their existing systems and processes to comply with it. This raises new concerns and expectations for security teams.
The primary objective of the GDPR is to give EU citizens control over their personal data, and once the regulation comes into effect it will harmonize the other data protection regulations throughout the EU. For example, certain kinds of data are considered personally identifiable information for an individual, and companies will be required to protect items on this list, such as an individual's cookie data or IP address, in the same way they protect a name, address, or Social Security number. One thing companies should note is that the GDPR leaves many situations to the interpretation of the governing body that assesses fines for data breaches and non-compliance. It states that companies should provide a "reasonable" level of protection for citizens' personal data, but it does not define what it considers "reasonable".
Since the deadline is approaching, we have compiled what every business needs to know about the GDPR and how it can meet the requirements. Many of the requirements are not directly related to information security but to the process and system changes needed to comply, and these could affect existing security systems and protocols.
What is the GDPR?
The European Parliament approved the GDPR in April 2016 to replace the outdated data protection directive from 1995. The regulation requires businesses to protect the personal data and privacy of European citizens for transactions that occur in the EU member states. It also governs personal data that is exported outside the EU. The provisions are consistent across all 28 EU member states, which means there is only one standard to meet across the entire EU. However, this does not make the process easier, as the standard is quite high and requires organizations to make a large investment to meet it and to administer the changes they implement. As a result, companies will need to rethink their strategy in Europe.
Which companies does the GDPR affect?
There is no specific criterion defining the type of company that must follow this regulation. Any company that uses, processes, or stores EU citizens' personal data must comply with the GDPR; this includes organizations that have no physical presence in the EU. The criteria such companies need to consider are stated below:
- The company should have a presence in an EU country.
- A company with no presence in the EU, but which processes the personal data of European residents in its business processes.
- Any company having more than 250 employees.
- If a company has fewer than 250 employees but its data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies.
When does my company need to be in compliance?
All companies that fall under this regulation must be able to show compliance by May 25, 2018.
Who within my company will be responsible for compliance?
One of the big questions is who is responsible for regulating the new processes in day-to-day business operations. The GDPR answers this too: the roles responsible for ensuring compliance are the data controller, the data processor, and the data protection officer (DPO). The data controller defines how personal data is processed and the purposes for which it is processed, and makes sure that outside contractors also comply.
Data processors may be internal groups that maintain and process the personal data records of EU citizens, or any outsourcing firm that performs all or part of these activities. Processors are liable for breaches or non-compliance. It is likely that both the processing partner, such as a cloud provider, and your organization may be held responsible for penalties even if the fault lies entirely with the processing partner. This means that you need to choose third-party processors carefully.
The GDPR also requires the controller and the processor to appoint a DPO to oversee the data security strategy and GDPR compliance if they process or store large amounts of EU citizens' data, regularly monitor data subjects, process or store special categories of personal data, or are a public authority.
What will GDPR preparation cost my company?
According to a survey by PwC, 68 percent of U.S.-based businesses expect to spend $1 million to $10 million just to meet GDPR requirements; this does not include the 9 percent of companies that expect to spend more than $10 million.
What will be the result if my company is not in compliance with the GDPR?
If an organization fails to meet the GDPR's requirements, it is liable for a steep penalty of up to €20 million or 4 percent of global annual turnover, whichever is higher. Various surveys indicate that a large percentage of companies expect to be fined for non-compliance. Oliver Wyman, a management consulting firm, has predicted that the EU could collect around $6 billion in penalties and fines in the first year alone. A survey by Solix Technologies released in December found that 22 percent of companies were still unaware that they need to comply with the GDPR, and 38 percent said that the personal data they process for their business operations is not protected from misuse and is exposed to unauthorized access at every stage of its life cycle. This means that many companies will be vulnerable to fines and penalties.
What types of privacy data does the GDPR protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Sexual orientation
- Biometric data
- Health and genetic data
- Political opinions
- Racial or ethnic data
Which GDPR requirements will affect your company?
The GDPR requirements will force any company that operates in the EU, whether physically or virtually, to change the way it stores, processes, and protects its customers' personal data. For example, companies will be allowed to store and process data only when the individual has given full consent, and the data cannot be used once the purpose for which it was collected has been fulfilled. The GDPR also states that companies must erase all of a citizen's personal data upon his or her request.
Several requirements directly affect security teams, as companies must provide a "reasonable" level of data protection and privacy to EU citizens. However, what the GDPR means by "reasonable" is not well defined.
A challenging requirement is that companies must report data breaches to supervisory authorities and to the individuals affected within 72 hours of when the breach was detected. Another is regularly performing impact assessments to help mitigate the risk of breaches by identifying vulnerabilities and how they can be addressed.
What should my company be doing to prepare for the GDPR?
- Ensure that all stakeholders are involved: The IT department is not the only one that needs to prepare for the GDPR requirements. Companies need to start a task force that includes finance, marketing, sales operations, and any other group within the organization that analyzes, collects, or makes use of customers' personal information. If everyone is aware of the technical or procedural changes that the GDPR will bring, they will be better prepared to handle any impact on their teams if something goes wrong.
- Be quick to hire or appoint a DPO: The GDPR does not say that every company must appoint a new DPO as a distinct position, so every organization has the option of appointing as DPO a person who already manages similar roles in the organization instead of hiring a new person. They must, however, ensure that this person can guarantee the protection of PII with no conflict of interest. If no such person is available inside the organization, it has to hire one and decide whether the role is full time or part time according to its needs. A virtual DPO is also a good option, as the GDPR does not restrict a DPO to working for only one organization; its rules allow a DPO to work for multiple companies, so a virtual DPO is someone who works for your organization as and when required.
- Don't underestimate the power of a regular risk assessment: Every organization that stores the personal information of EU citizens needs to be cautious about using it and to understand the risks involved. It needs to perform regular risk assessments and also outline the measures taken to mitigate those risks.
- If your organization is small, don't be shy to ask for help: There is no doubt that smaller companies will be affected by the GDPR and the new regulations, some more significantly than others. They may not have the resources needed to meet the requirements.
- Create a data protection plan: A data protection plan is mandatory for every organization. Many companies already have one in place, but they need to review and update it regularly to make sure it aligns with GDPR requirements.
- Implement new measures to mitigate risk: Once you have identified the risks of a security breach and know the measures required to mitigate them, you must put those measures into action. For most companies, that means revising the existing risk mitigation measures so that they can spot and investigate any risks associated with the data and determine the appropriate level of security required.
- Create a policy to declare your GDPR compliance progress: Organizations need to show every now and then that they are moving forward by completing the Record of Processing Activities (RoPA), required by Article 30 of the GDPR, which mainly focuses on taking an inventory of risky applications so as not to be an easy target for the regulators. Establishing the RoPA is the essential part to focus on at this stage, as it enables organizations to identify where personal data is being processed, who is processing it, and how it is being processed.
- Test incident response plans: The GDPR requires companies to report any breach within 72 hours of its occurrence. After that, everything depends on how well the response teams can minimize the damage, which directly affects the risk of fines for the breach. Hence, companies need to constantly make sure that they are able to adequately report and respond within the time period.
- Set up a process for ongoing assessment: If an organization wants to remain in compliance, it will have to monitor and continuously improve on a regular basis. Some companies are considering introducing new incentives and penalties to ensure that employees follow the new policies, along with making the GDPR policy mandatory in employee contracts.
- Do all of this with the aim of improving your business: Many organizations believe that complying with GDPR requirements will be a competitive advantage and will boost consumer confidence. More importantly, many companies believe the process and technical improvements they have to implement to meet the GDPR requirements will ultimately improve their capability to manage and secure their consumer data.
We are well aware that choosing the right partner is key to your success, and we at Micrasystems help our customers achieve GDPR compliance by placing industry-leading content collaboration and data governance technologies at the core of their strategy. Our SaaS solution shows exactly where data is stored across the network, identifies personal, private, and sensitive data, and reports that information efficiently and quickly as required. We've done it. We can help you.