General Data Protection Regulation: A primer
The General Data Protection Regulation (GDPR) — the most important change in data privacy laws in 20 years — requires rigorous compliance. Failure to do so can result in substantial penalties and fines as well as damage to your reputation. Find out how you’ll be affected.
The General Data Protection Regulation (GDPR), which the European Union (EU) Parliament passed in 2016, is probably the most prescriptive and far-reaching privacy law or regulation ever adopted. Consequently, even though it pertains to protecting the data privacy of people located in the EU, its scope is global in nature and applies to virtually any company processing the personal data of any person within the EU, including personal data utilized for e-commerce purposes. Companies found to be out of compliance can be fined as much as 20 million euros or 4 percent of their annual total revenue.
What does GDPR compliance look like?
GDPR specifies requirements companies must follow in such a fashion that they can demonstrate ongoing compliance focusing on five major areas:
- Data control
- Data security
- Right to erasure
- Risk mitigation & due diligence
- Breach notification
Specific requirements include:
- Maintaining accurate and specific records and controls for data of EU data subjects, only processing data for authorized uses, and minimizing the exposure of data subject identities.
- Updating privacy policies, statements, and processes utilized to obtain the consent of data subjects.
- Being responsive to requests from data subjects, e.g., right to be forgotten (with specific legal exceptions identified in the regulation).
- Appointing a data protection officer (DPO).
- Performing data protection impact assessments (DPIAs).
- Tailoring control frameworks, such as ISO 27001, to GDPR.
- Establishing and maintaining relationships and communication with European Supervisory Authorities (ESAs).
- Notification to EU authorities within 72 hours of a breach.
Will I be affected?
Questions of whether GDPR applies to you should be answered by legal counsel. However, executives can begin to educate themselves by considering the following questions:
- Do you have a physical presence in the EU?
- Do you conduct e-commerce with customers or potential customers residing in the EU?
- Do you have a privacy program or at least address privacy within your information security, risk management, and/or compliance programs?
- When did you last have a privacy gap or risk assessment performed?
Actions to take
GDPR compliance is likely going to present unique challenges to each organization. Therefore, the exact steps of an action plan might vary from one business to another. However, a solid methodology that almost any enterprise can follow will resemble the following:
- Obtain advice from legal counsel on whether GDPR applies to your company.
- Review publications and articles to obtain a high-level understanding of the requirements, including:
- Examine how GDPR can be incorporated into control frameworks.
- Conduct a risk-based gap assessment on your privacy program.
The threat of being fined 20 million euros or 4 percent of total annual review should command the attention of many CEOs whose companies handle privacy data. However, there continues to be a lot of uncertainty about GDPR because it hasn’t yet gone into effect. (It’s probably unlikely that EU regulators are going to start showing up at the front doors of a lot of small and medium-sized businesses in the United States, asking to review their privacy procedures.) As a result, many companies may feel it prudent to take a “wait-and-see” approach.
The threat of being fined 20 million euros or 4 percent of total annual review should command the attention of many CEOs whose companies handle privacy data.
Fortunately, for the sake of comparison, we have the benefit of another compliance deadline that also went into effect: the Defense Federal Acquisition Regulation Supplement (DFARS), which stipulates that defense contractors abide by NIST SP 800-171 by Dec. 31, 2017. Language pertaining to this requirement has already begun to appear in contracts from their business partners, which means that affected companies are assuming legal risk in addition to cyber risk, if they’re not in compliance. We can expect a similar situation with GDPR. The most likely source of pressure to become compliant will come from business partners, vendors, service providers, and other third parties. In this scenario, “wait-and-see” followers might miss business opportunities due to the lack of comfort signing contracts that include GDPR-compliance language.