GDPR Compliance: 5 Early Steps to Get Laggards Going
If you're just getting on the EU General Data Protection Regulation bandwagon, here's where you should begin.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt90397935fb6cc9cf/64f0d7e5fef3c372af2ee0d3/shutterstock_461950756.jpg?width=700&auto=webp&quality=80&disable=upscale)
Although the European Union's General Data Protection Regulation (GDPR) has been in effect since 2016, and although enforcement actions kick off a mere seven months from now, many companies didn't really appreciate the magnitude of the new privacy legislation until the Equifax breach.
An American company exposed the sensitive private data of 700,000 citizens of the United Kingdom (still part of the European Union); "sensitive, private data" by the American definition, that is. The European Union's definition is significantly broader, and in all Equifax exposed 12.5 million UK clients' records, so it is possible that European data authorities will do different accounting.
Monetary penalties for GDPR are up to 20 million Euros or 4 percent of annual turnover (similar to revenue), whichever is higher. Data privacy authorities can also ban companies from processing certain kinds of data entirely, which can massively disrupt entire business models. Organizations must also consider the costs of defending themselves in the many lawsuits that citizens and data authorities might bring against them.
With penalties like that looming overhead, it's no wonder that organizations are waking up to the importance of GDPR preparation. Here are a few places to start.
You might think you've closed all the holes, but don't be so sure. According to a recent report by Veritas, although 31% of companies surveyed believe they are already compliant with GDPR, only 2% actually are.
The first place to start, of course, is to find out if GDPR even applies to you. As ESET senior security researcher Stephen Cobb once explained in a blog: "Your firm probably needs to comply with GDPR if: you monitor the behavior of data subjects who are located within the EU; you're based outside the EU but provide services or goods to the EU (including free services); or, you have an 'establishment' in the EU, regardless of where you process personal data (e.g. cloud-based processing performed outside of the EU for an EU-based company is subject to the GDPR)."
Obviously your legal, compliance and privacy teams must be involved in your GDPR efforts. However, your heaviest users of private data must now become your best friends, lest they become your worst enemies. The leader of every line of business should be paid a visit, but there are certain obvious places to start.
Does everyone on your marketing team know (and possibly fear) the letters GDPR? If not, then they need to. The CEO of the DMA (Direct Marketing Association) group said in a statement in April that the GDPR deadline of "May 2018 should be a date that is in every marketer's diary."
Remember too that the regulation does not apply only to customer data, but to employees as well, so get human resources involved.
Lastly, find out if GDPR requires your organization to have a discrete "data protection officer." Your DPO is a key figure who should be organizing your GDPR efforts; if you don't have one yet, now is the time.
Recent studies show that many IT decision makers don't know what data they need to protect, and don't even know where they'd need to go looking for it.
McAfee found that only 47% of respondents to its study were completely confident that they know where all of their sensitive corporate data is physically stored at all times. A Trend Micro survey found that 64% of respondents didn't realize customers' birthdates are considered PII; 42% would not tag email marketing databases as PII; 32% would not place physical addresses in a PII category; and 21% would do likewise for customers' email addresses.
Information about location and income, cultural information such as religion and political affiliation, and more is protected under GDPR. Where parental consent is necessary, GDPR requires it for all children under age 16; in the US it is required only for children under age 13.
Article 25 of GDPR mandates "data protection by design and by default," which means that your applications need to have security and privacy built in from here on out.
Developers are essential to ensuring compliance with many of the other GDPR requirements; in particular updating all the ways that users grant -- and withdraw -- consent to collect, process and store their private data. The old stand-by of pre-checked "I agree" boxes will no longer be acceptable. Further, users must be able to withdraw their consent with as much ease as they granted it.
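The consent requirements above translate into a few concrete design properties: no consent exists until the user actively opts in, consent is tied to a stated purpose and to the version of the notice the user saw, withdrawal is a single action, and every change is recorded. The following consent ledger is an added example written for this article, not code from Dark Reading or any vendor it quotes; the class and field names are assumptions, and the `user_action` flag stands in for whatever the front end uses to distinguish a box the user ticked from one that was pre-checked.

```python
"""Consent ledger illustrating "data protection by design" for consent handling.

Added example (not from the article). The data model and names are assumptions.
Properties enforced:
  * a pre-checked or defaulted box never creates consent (affirmative action only),
  * consent is scoped to one purpose and records the notice version shown,
  * withdrawal is one call, as easy as granting,
  * every grant and withdrawal is appended to a timestamped audit trail.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def _now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str            # e.g. "marketing", "analytics" (constructed labels)
    granted: bool           # True = grant, False = withdrawal
    notice_version: str     # which privacy notice the user was shown
    at: datetime


class ConsentLedger:
    """Append-only record of consent decisions plus the current state per purpose."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []
        self._state: Dict[Tuple[str, str], ConsentEvent] = {}

    def _append(self, ev: ConsentEvent) -> None:
        self._events.append(ev)
        self._state[(ev.user_id, ev.purpose)] = ev

    def grant(self, user_id: str, purpose: str, notice_version: str,
              user_action: bool, at: Optional[datetime] = None) -> None:
        """Record consent only when the user explicitly opted in.

        `user_action` is True when the user ticked an unticked box; a form
        submitted with a pre-checked box (no user act) passes False and is
        rejected rather than silently counted as consent.
        """
        if not user_action:
            raise ValueError("consent requires an affirmative action; a default is not consent")
        self._append(ConsentEvent(user_id, purpose, True, notice_version, at or _now()))

    def withdraw(self, user_id: str, purpose: str, at: Optional[datetime] = None) -> None:
        """Withdrawal takes one call and no extra arguments: as easy as granting."""
        current = self._state.get((user_id, purpose))
        notice = current.notice_version if current else "n/a"
        self._append(ConsentEvent(user_id, purpose, False, notice, at or _now()))

    def may_process(self, user_id: str, purpose: str) -> bool:
        """Processing for a purpose is allowed only while the latest event is a grant."""
        ev = self._state.get((user_id, purpose))
        return ev is not None and ev.granted

    def history(self, user_id: str) -> List[ConsentEvent]:
        """Audit trail for one user, in the order events were recorded."""
        return [e for e in self._events if e.user_id == user_id]


def demo() -> List[Tuple[str, bool]]:
    """Walk one constructed user through opt-in, purpose scoping and withdrawal."""
    ledger = ConsentLedger()
    steps: List[Tuple[str, bool]] = []
    steps.append(("before any action", ledger.may_process("u-1", "marketing")))
    try:
        ledger.grant("u-1", "marketing", "notice-v1", user_action=False)
    except ValueError:
        steps.append(("pre-checked box rejected", True))
    ledger.grant("u-1", "marketing", "notice-v1", user_action=True)
    steps.append(("after explicit opt-in", ledger.may_process("u-1", "marketing")))
    steps.append(("other purpose not covered", ledger.may_process("u-1", "analytics")))
    ledger.withdraw("u-1", "marketing")
    steps.append(("after withdrawal", ledger.may_process("u-1", "marketing")))
    return steps


if __name__ == "__main__":
    for label, allowed in demo():
        print(f"{label}: {allowed}")
```

The state map answers the operational question ("may I process this user's data for this purpose right now?") while the event list answers the accountability question ("when and under which notice did they agree or withdraw?"); keeping both lets a processing pipeline check `may_process` cheaply and lets a data protection officer reconstruct the history on request.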
It's a paradigm shift for developers, who are used to putting user experience above user privacy; now privacy itself is part of the experience.
Equifax has taken a lot of heat for the leisurely pace at which it informed users of its data breach, which it discovered on July 29 and did not report until Sept. 7. Yet even Anthem Healthcare, which was praised for informing its customers a mere eight days after its breach of 80 million records, might have had trouble complying with GDPR.
GDPR requires that organizations report breaches to data authorities (if not to customers) within 72 hours of breach discovery. McAfee's report found that only 26% of organizations believe that they can meet the regulation's 72-hour deadline.
Security departments are always looking for ways to detect attacks more quickly, but being prepared with a smooth notification process, just in case, is essential both to comply with privacy regulation and to avoid the sort of customer relations flak that Equifax incurred.
Dark Reading has been covering GDPR for years. For more information and insight on GDPR, read a few of our latest stories on the subject:
You Have One Year To Make GDPR Your Biggest Security Victory Ever, Part 1 and Part 2
GDPR Compliance Preparation: A High-Stakes Guessing Game
The Right To Be Forgotten and the New Era of Personal Data Rights