6 Ways To Prepare For The EU's GDPR

In less than 20 months, all US companies doing business in the EU will face new consumer privacy requirements. Here's how to prepare for them.

In less than 20 months, all companies handling personal data belonging to residents of the European Union will be expected to comply with a new set of privacy requirements under the EU General Data Protection Regulation (GDPR).

The GDPR introduces tough new privacy requirements for companies handling EU personal data and gives consumers significantly greater control over how their data is collected, shared, retained, and destroyed. It also gives EU regulators the authority to impose fines of up to 2 percent or, for the most serious violations, 4 percent of a company's global annual turnover (or €10 million and €20 million respectively, whichever is higher).

“The May 2018 deadline for GDPR compliance may seem like a long way off,” says John Crossno, product manager at enterprise technology vendor Compuware, which did a recent survey on the preparedness of US firms for GDPR. “Given the complexity of change it will require in the way organizations handle personal data, it’s really not.”

Two-thirds of the CIOs at large companies in the survey said they had no plans yet for implementing critical GDPR requirements like data anonymization, customer consent, and the right to be forgotten.

Here, in no particular order, are the issues that US companies must address right now to prepare for GDPR.

Develop And Articulate A Clear Privacy Policy

Under GDPR, companies must provide clear notice to their customers of the purpose for which their data is being collected, says Dana Simberkoff, chief compliance and risk officer at software vendor AvePoint.

Companies need to write a clear privacy policy that consumers will actually be able to read and understand.

In that policy, they need to clearly indicate what personal information is being requested or collected from consumers, says Simberkoff. Consumers have to be given a choice of whether or not to provide it, and any data that is collected needs to be clearly marked for the specific purpose for which it was collected.

In addition, any data that is collected for a stated purpose can only be used for that purpose, and only within the scope of the consent that was obtained, she says.

The obligation to meet this requirement flows from the entity that collected the data (the controller) to any other organization that processes or handles it on the controller's behalf (the processor). Both can be held liable in the event the data is used inappropriately or if there is a data breach.

“The GDPR requires that you not only create policies that meet its mandate, but that you operationalize those policies and be able to prove that you have done so,” Simberkoff says. “Companies should already be practicing transparency around why you want to collect data and ensuring all data is only used for the exact purpose and within the boundaries of consent.”

Enable An Opt-In Requirement For Data Sharing

Most US companies currently use an opt-out policy when collecting and sharing consumer data. The opt-out model requires consumers to specifically ask data collectors and aggregators not to share their data with third parties. Otherwise, consent is assumed by default.

GDPR will require organizations to do just the opposite. They will not be allowed to collect or share EU consumer data by default. The EU consumer will specifically have to consent to such data collection and sharing by opting in. The consent must be “freely given, specific, informed and unambiguous,” Simberkoff says, quoting from the regulation.

“Privacy policies must be clear and concise, and companies must provide consumers with an opt-in option to having their data shared with third parties,” she says. “Just offering an opt-out option will no longer be acceptable.”

In addition to requiring affirmative consent, GDPR also places restrictions on the ability of companies to obtain consent from children without specific parental authorization.

Start Implementing Privacy by Design

GDPR is big on the notion of privacy by design, a requirement that emphasizes baking privacy protections into products, processes, and services from the start rather than bolting them on afterwards.

"Software and development practices that don't follow privacy by design principles put organizations at major risk in light of GDPR,” says Dan Blum, a senior analyst at KuppingerCole.

The earlier developers can implement privacy-friendly practices the more they can lower risks, reduce costs of compliance, and future-proof their software, he says.

Examples of privacy-friendly software features under GDPR include opt-in consent, data-use minimization, purpose specificity, data anonymization, and support for the right to be forgotten.

Larger organizations would benefit from establishing a privacy and data governance practice, if they don't already have one, to keep track of software and development requirements and to manage change, Blum says. “They will need developer awareness and training to get developers to align with these processes and do their part,” Blum notes.

The Information Commissioner’s Office in the UK recommends eight foundational principles for privacy by design that include fair and lawful processing of personal data, minimization, data retention, and data security controls.

Prepare For New Data Breach Reporting Requirements

GDPR requires companies to report data breaches involving personal information. Breach notification itself is not new for American companies, since most US states already mandate it, but the GDPR requirements are more stringent: the supervisory authority must be notified within 72 hours of the organization becoming aware of the breach, where feasible, and affected individuals must be told without undue delay when the breach is likely to result in a high risk to them.

“At 72 hours, the timeline to report a breach is the tightest that we’ve seen with any regulatory measures,” says Eldon Sprickerhoff, founder and chief security strategist at eSentire. 

The potential fines that companies face for non-compliance are also the highest, he says. Importantly, in his view, a fine is not triggered by the breach itself. “The fines are issued because an organization failed to properly report a data breach within the designated timeframe,” he says.

The key to preparedness for this requirement is knowing what data you have and what legislation covers that data, Sprickerhoff says. Also key is a good understanding of the threats against your organization and the ability to describe how well you are able to defend against those threats.

“Do you know what access risks exist? Can you demonstrate that you’re doing what you’ve claimed?” Sprickerhoff asks. Ensuring that your organization has adequate measures to protect against cyber attacks is important, he says. “Including compliance reporting timelines as a part of incident response plans and policies is another vital exercise.”

Implement Controls For Tracking And Managing Data

GDPR gives consumers the right to ask companies holding data about them to erase that data upon request. It also gives them the right to ask for a copy of their digital data so they can transfer it to someone else if they choose to do so.

The right to data portability and the right to erasure (the so-called right to be forgotten) impose new requirements on companies doing business in the EU, says Eve Maler, vice president of innovation and emerging technology at ForgeRock.

“IT managers need to be asking themselves: can we track a customer’s personal data as it travels through our systems? Can we erase it if they request us to do so? Or better yet, can we provide them the tools to do this on their own?” Maler says. “These capabilities will be required under GDPR, and it’s a significant departure from business as usual.”

Be Ready For Data Protection Impact Assessments

The GDPR requires companies to do data protection impact assessments (DPIAs) to identify “high risks” to consumer data privacy that might surface during data processing, says AvePoint’s Simberkoff.

Only some types of data processing involving personal data will trigger the requirement. Some time between now and when GDPR goes into effect, EU data privacy authorities will release a public list of the types of processing they consider to be high-risk and needing a DPIA.

The impact assessments can be incorporated into the standard planning, development, test and deployment, and monitoring processes, Simberkoff says. They will allow privacy teams to implement privacy by design and enable a risk-based approach to data protection.

Online tools are available that allow organizations to conduct DPIAs and the goal should be to go ahead and conduct the assessments in advance of GDPR, Simberkoff says.

When risks are identified, companies should implement measures to mitigate those risks, which under GDPR include data encryption and pseudonymization or anonymization of data. Note that pseudonymized data, which can still be linked back to a person by whoever holds the key or mapping, remains personal data under the regulation; only data that is genuinely anonymized falls outside its scope.
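As an added illustration (not code from the article or from any of the vendors quoted), the Python below shows one way to implement two of the measures discussed here: keyed pseudonymization, and a per-subject index that supports the portability export and the cross-store erasure Maler describes. All class names, store names and sample records are constructed for this example. It also demonstrates why an unkeyed hash of an e-mail address is not pseudonymization: guessable identifiers can be re-identified simply by hashing candidate addresses, whereas the HMAC variant can only be re-linked by the holder of the key, which is exactly why the key must be stored apart from the data.

```python
# Added example (not from the article): keyed pseudonymization plus a
# per-subject index so personal data can be exported (portability) and
# erased (right to be forgotten) across several stores. All names and
# sample records below are constructed for illustration.
import hashlib
import hmac
import json
from collections import defaultdict
from typing import Callable, Iterable, Optional


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of an identifier. Looks anonymous but is NOT:
    e-mail addresses are guessable, so anyone can rebuild the mapping."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Try to re-identify `target` by transforming guessed identifiers with `fn`."""
    for cand in candidates:
        if hmac.compare_digest(fn(cand), target):
            return cand
    return None


class SubjectIndex:
    """Pseudonymous join key (HMAC under a secret key) shared by all data stores.

    Only the key holder can re-link a pseudonym to a person; that is what makes
    this pseudonymization rather than anonymization, so the records are still
    personal data and the key must be kept apart from the stores (KMS/HSM).
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use at least 256 bits of key material")
        self._key = key
        # store name -> pseudonym -> records (constructed in-memory stores)
        self._stores: dict[str, dict[str, list[dict]]] = defaultdict(lambda: defaultdict(list))

    def pseudonym(self, email: str) -> str:
        """Normalise the identifier so case/whitespace variants map to one pseudonym."""
        return hmac.new(self._key, email.strip().lower().encode(), hashlib.sha256).hexdigest()

    def put(self, email: str, store: str, record: dict) -> str:
        pid = self.pseudonym(email)
        self._stores[store][pid].append(dict(record))
        return pid

    def export(self, email: str) -> dict[str, list[dict]]:
        """Portability: every record held about the subject, grouped by store."""
        pid = self.pseudonym(email)
        return {name: list(recs[pid]) for name, recs in self._stores.items() if recs.get(pid)}

    def export_json(self, email: str) -> str:
        return json.dumps(self.export(email), sort_keys=True)

    def erase(self, email: str) -> int:
        """Right to erasure: remove the subject's records from every store.
        Returns the number of records removed so the action can be evidenced."""
        pid = self.pseudonym(email)
        removed = 0
        for recs in self._stores.values():
            removed += len(recs.pop(pid, []))
        return removed


def demo() -> dict:
    """Run the constructed scenario end to end and return the results."""
    idx = SubjectIndex(key=bytes(range(32)))  # constructed key, not for real use
    idx.put("Alice@Example.com", "crm", {"name": "Alice", "country": "DE"})
    idx.put("alice@example.com", "billing", {"plan": "pro"})
    idx.put("bob@example.com", "crm", {"name": "Bob", "country": "FR"})
    guesses = ["carol@example.com", "bob@example.com"]  # attacker's guess list
    return {
        "alice_export": idx.export_json("alice@example.com"),
        "alice_removed": idx.erase("alice@example.com"),
        "alice_after": idx.export("alice@example.com"),
        "naive_reidentified": dictionary_attack(
            naive_pseudonym("bob@example.com"), guesses, naive_pseudonym),
        "keyed_reidentified": dictionary_attack(
            idx.pseudonym("bob@example.com"), guesses, naive_pseudonym),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file prints a portability export for one constructed subject, erases that subject's two records, and shows the dictionary attack succeeding against the unkeyed hash and failing against the keyed one. In production the key would live in an HSM or KMS, and erasure must also reach backups and downstream processors, which this in-memory version does not model.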

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

1/20/2017 | 6:51:09 AM
GDPR Courses are the easiest way
The real challenge is the number of days left and the number of firms needing to comply with this by that date.

UK companies need to be thinking about the less than 500 days left to ensure GDPR compliance and to ensure they have their ducks lined up.

There is plenty to read on this, but companies should consider the easy option of going on a 1-day course and getting all the tools they need to take away to get their company on the journey. Courses are available at //assuredata.eu/ for example, which provide the tools to then take away to make it happen.
10/3/2016 | 8:58:01 AM
A good brief introduction about the GDPR

An instructive introduction about the major functional impacts regarding the application of the new GDPR. However, I am wondering about the technical measures that can fulfill the new requirements; there are no specific details about that. How could one say that a firm is compliant or not if there is no precise baseline against which the assessment can be done?
