8 Things Every Security Pro Should Know About GDPR
Organizations that handle personal data on EU citizens will soon need to comply with new privacy rules. Are you ready?
June 30, 2017
In just under one year, the European Union's General Data Protection Regulation (GDPR) will formally begin being enforced.
The statute requires any company, or entity, that handles personal data belonging to EU residents to comply with a broad set of requirements for protecting the privacy of that data. Significantly, GDPR vests EU residents with considerable control over their personal data, how it is used, and how it is made available to others. Under the statute, data subjects are the ultimate owners of their personal data, not the organizations that collect or use the data.
Companies that fail to comply with GDPR requirements can be fined between 2% and 4% of their annual global revenues or up to €20 million - which at current rates works out to just under $22.4 million USD - whichever is higher.
Enforcement of GDPR begins May 25, 2018. It replaces Data Protection Directive 95/46/EC, a 1995 statute governing the processing and protection of private data by companies within the EU. One of its biggest benefits for covered entities is that GDPR establishes a common data protection and privacy standard for all member nations within the EU. Organizations within the EU and elsewhere will still need to deal with data protection authorities in each of the 28 member countries, but they will no longer be subject to myriad different requirements from each member nation.
The statute was written for EU companies. But any organization, anywhere in the world that collects or processes personal data belonging to EU residents is subject to GDPR requirements.
Surprisingly, given the specific and stringent nature of GDPR, a vast majority of U.S. companies covered under the statute do not appear to be in any particular hurry to comply with its requirements. A Spiceworks survey of 779 IT professionals from the United States, the U.K., and the EU showed that only 5% of entities in the U.S. have started to prepare for it. While nearly one-third of all organizations in the EU are concerned about potential GDPR-related fines, barely 10% of U.S. companies appear worried that they could end up on the wrong side of the law.
Here's what you need to know about GDPR and what to prepare for, according to EUGDPR.org and others.
GDPR applies equally to both data controllers and data processors. Any organization that gathers personal data from a data subject is considered a data controller. Controllers have to document the purposes for which they are collecting the data, how and why they will use or process the data, and with whom they will share it.
Data processors are organizations that process data for a data controller, like a payroll processor or a cloud service provider. For the first time, such organizations are also directly bound by the requirements of the GDPR if any of the data they process belongs to EU residents.
Data controllers are required to notify data subjects of any breach that poses a risk to the privacy or security of their data. Such notification must typically happen within 72 hours of the breach being discovered. Processors similarly are required to inform controllers of any breach without undue delay. GDPR also requires entities to report a breach to the appropriate data protection authority in their country.
As with current breach notification requirements in the U.S., covered entities are exempt in some cases from notification if the data is encrypted or made unidentifiable using other means such as pseudonymization. In other words, if a breached dataset cannot be used to directly identify individuals, or if measures have been taken post-breach to prevent this from happening, there usually will be no notification requirement.
GDPR requires organizations handling EU data to incorporate privacy by design and default into their products and services. The idea is that organizations need to be thinking about and implementing appropriate technical controls and organizational processes for minimizing data collection and for protecting data from the outset rather than bolting on the controls later.
The law requires data controllers to conduct privacy impact assessments (PIAs) in certain situations where there is a high risk of identity exposure or misuse, for instance those associated with the use of new technologies or the processing of certain data categories.
GDPR encourages organizations to pseudonymize personally identifiable data, that is, to render it in a form that makes it impossible for anyone to directly identify individual data subjects without additional information held separately.
Data subjects can ask for and obtain a copy of all personal data held about them by the data controller. Upon demand, organizations will be required to confirm to individuals whether or not personal data about them is being processed, where it is being processed and for what purpose.
Organizations will need to provide the requested data in electronic format and typically for free, except in situations where an individual might be making excessive or unreasonable demands. EU citizens can ask data controllers to rectify any incorrect or incomplete information about them.
The requirement highlights the need for organizations to have well-defined measures for documenting what personal data they have, where it came from and how it is being used and shared, according to the U.K.'s Information Commissioner's Office. "You may need to organize an information audit across the organization or within particular business areas," it says.
GDPR gives EU residents the right to ask data controllers to transfer personal data to another controller, where technically feasible. The statute requires controllers to provide the requested data in a structured, standard, machine-readable format. In most cases, controllers will not be allowed to charge a fee for such requests.
The requirement applies in situations where an individual provides data to the controller, and where processing of the data is automated.
GDPR establishes the right of data subjects to ask organizations to erase personal data about them. It also gives them the right to ask data controllers to stop the dissemination, sharing, or processing of their personal data with others.
Data erasure is a requirement in situations where an individual's data is no longer needed for the purpose for which it was collected, or if a data subject withdraws consent for its use.
When considering data erasure requests, data controllers will need to first verify if there is a public interest in the data continuing to be available, before erasing it.
Public authorities, and organizations whose core activities involve the systematic monitoring or processing of certain types of data, such as data revealing an individual's racial or ethnic origin or religious or political beliefs, will be required to appoint a Data Protection Officer (DPO).
The DPO's role will be to inform and to advise the data controller or data processor about their obligations under GDPR and to monitor compliance with those requirements. Their responsibilities include advising the controller or processor about privacy impact assessments and serving as the contact point for issues involving processing of personal data.
GDPR gives individuals in the EU a whole lot more control over their personal data and how it is used. A core part of this control is consent. Organizations that collect, store, and process individually identifiable data on EU residents will need to obtain informed consent from the data subject.
The statute requires the request for consent to be intelligible, concise and clear, and stripped of all legalese and jargon. The request for consent will need to explain clearly and in plain language the purpose of the data processing for which the consent is being sought. Importantly, organizations will need to make it as easy for an individual to withdraw consent as it is to give consent.