All you wanted to know about GDPR, but were afraid to ask
In case you didn’t already know, the EU Commission, Parliament and Council negotiated and finalized the text of what is called the “General Data Protection Regulation” (GDPR) in December of 2015. It was formally adopted in April 2016 and entered into force the following month, with a two-year transition period, which means GDPR applies from May 25, 2018. And, if you’re an organization that does business in the EU or even has customers from those geographies, this could significantly change the way you do business.
There are primarily two drivers for GDPR, plus two features of the new law that make it reach much further than the old rules.
While the EU does have an existing directive on data protection, the “Data Protection Directive” (DPD), the fact that it was drafted in 1995, in the pre-cloud, pre-social-media era, meant that it needed some serious updating.
Also, the DPD acted more as a template or guidance from which individual EU nations developed their own legislation. This led to inconsistencies in the laws of different EU nations, making it harder for businesses to understand the rules and comply with them.
Most importantly, since the EU believes that data protection should apply across national boundaries, GDPR regulates not only the protection of data within the EU, but extends the law to all businesses that hold data about individuals in the EU (data subjects, regardless of their citizenship), even if such a business is based outside the EU. So, in cases where a business is based outside the EU but offers goods and services to individuals in the EU or monitors their behavior, the GDPR will apply. This means that a lot more businesses than previously, especially those based in the US and other parts of the world, now come under the ambit of GDPR.
Lastly, because GDPR is a regulation (and not a directive), it doesn’t require each EU nation to pass its own law for it to take effect. It applies directly in every member state from May 25, 2018.
How it affects everyone
The GDPR affects several stakeholders and affects them differently. For instance:
- If you are an EU member nation, you will need to designate an independent Supervisory Authority that can investigate complaints and impose penalties.
- If you’re a business, you will need to be able to demonstrate compliance. Towards this end, you’ll need to document your processes, and you may also have to appoint a Data Protection Officer.
- Individuals have the most to gain. If you’re an individual in the EU, you will have the right to access your data, to ask for rectification, to demand portability of your data (to alternate vendors), and to ask for erasure on grounds such as unlawful processing or withdrawal of consent.
Also, transfers of personal data out of the EEA (European Economic Area) to the US used to rely on the Safe Harbor framework, which the EU Court of Justice invalidated in October 2015. Its successor, the EU-US Privacy Shield (a separate arrangement, not part of the GDPR text itself), imposes a higher standard of protection and compliance that US companies will need to adhere to.
One of the provisions that has received a lot of coverage in the media is the mandatory breach notification scheme, because of the public relations fallout it could cause an organization. If a business suffers a personal data breach, meaning accidental or unlawful destruction, loss or alteration of personal data, or unauthorized disclosure of or access to it, the breach needs to be reported to the supervisory authority (Data Protection Authority) within 72 hours of your organization becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned.
Not just that: if the breach is likely to result in a high risk to individuals, for example discrimination, fraud or identity theft, financial loss, damage to reputation, or any other economic or social disadvantage, then the breach also needs to be communicated to each of the affected data subjects (individuals), without undue delay.
Quite significantly, if a business has implemented appropriate technical protection measures with respect to the data affected by the breach, it may not need to notify data subjects. For instance, if prior to the breach the data had been rendered unintelligible to anyone not authorized to access it, by means of technologies like encryption, the business will not need to notify data subjects of the breach. The caveat a practitioner should keep in mind is that this only holds if the decryption keys were not exposed along with the data: encryption whose key sits in the same database, config file or backup as the ciphertext does not render anything unintelligible to the attacker who took it.
What has also grabbed attention in the GDPR is the stiffness of the penalties involved. Certain infringements can result in a fine of up to €10M or 2% of the company’s worldwide annual turnover for the preceding financial year, whichever is higher. More serious infringements can result in a fine of up to the higher of €20M or 4% of worldwide annual turnover. In some cases, the Data Protection Authority can also impose a temporary or definitive ban on an organization’s data processing operations.
What you should do if you’re a business
If you’re a business that is new to the EU market, then some aspects of the GDPR might seem challenging. But if you are a company that already follows IT industry best practices (like PCI DSS, the SANS/CIS Critical Security Controls, ISO 27001 etc.), you probably won’t find GDPR too burdensome.
While there are several things that you should do to be compliant, one area to focus on immediately is protection of the data you’re storing, especially personal data about your customers. Note that GDPR’s “personal data” is broader than the “Personally Identifiable Information” of US regulations: it covers any information relating to an identifiable person, including online identifiers such as IP addresses and cookie IDs.
With increased usage of cloud storage services, the risk of exposure for a business is now that much greater. Keep in mind the mandatory breach notification clause. Think about solutions that can effectively encrypt your data in the cloud. And, when you think about data, think about all of it: primary storage, secondary storage and backups, and the data you store in the cloud using SaaS-based storage services.
Encryption is a suggested, even if not mandated, way to protect customer data; GDPR itself names it as an example of an appropriate technical measure. Many regulations are not prescriptive about encryption, but almost all of them consider it an acceptable and effective way to protect data. Taking that important step and building it into your data processing workflow will significantly reduce your liability in terms of reporting breaches, should they occur, and help you avoid crippling penalties. Two practical points: encryption in transit (TLS) does nothing for a database or backup that is copied at rest, so the data itself has to be encrypted; and the keys must live somewhere the attacker who gets the data does not, otherwise the “rendered unintelligible” exemption does not apply.
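What “rendered unintelligible” looks like in code, as an added example that is not part of the original post or any product it mentions: a customer record is envelope-encrypted with AES-GCM under a random per-record data key, which is in turn wrapped by a key-encryption key (KEK) that never sits next to the data (in practice it comes from a KMS or HSM; here it is just a byte slice). The `CustomerRecord`, `StoredRecord`, `EncryptRecord`, `DecryptRecord` and `LeaksPlaintext` names and the sample record are all constructed for this illustration. The point it demonstrates, beyond the paragraph above, is the check you would run after a breach: a dump of the stored rows contains no plaintext field, decryption fails without the KEK, and a ciphertext cannot be quietly moved to another row because the row ID is bound as additional authenticated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"strings"
)

type CustomerRecord struct {
	ID    int
	Name  string
	Email string
}

// StoredRecord is the row that lands in the database or cloud bucket: no plaintext PII.
type StoredRecord struct {
	ID         int
	WrappedKey []byte // per-record data key, encrypted under the KEK
	Ciphertext []byte // JSON of the record, encrypted under the data key
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read is guaranteed not to fail since Go 1.24; it aborts the program instead
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prefixes a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong aad or tampered bytes fail authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// EncryptRecord does envelope encryption: a random data key encrypts the record and the KEK
// (held in a KMS or HSM, never beside the data) wraps that key. The row ID is bound as AAD.
func EncryptRecord(kek []byte, rec CustomerRecord) (StoredRecord, error) {
	plaintext, _ := json.Marshal(rec) // cannot fail for a struct of ints and strings
	aad := []byte(fmt.Sprintf("customer:%d", rec.ID))
	dataKey := randomBytes(32)
	ct, _ := seal(dataKey, plaintext, aad) // dataKey is always a valid AES-256 key
	wrapped, err := seal(kek, dataKey, aad) // fails if the KEK is not 16, 24 or 32 bytes
	return StoredRecord{ID: rec.ID, WrappedKey: wrapped, Ciphertext: ct}, err
}

// DecryptRecord needs the KEK: without it the data key, and so the record, stays unintelligible.
func DecryptRecord(kek []byte, sr StoredRecord) (rec CustomerRecord, err error) {
	aad := []byte(fmt.Sprintf("customer:%d", sr.ID))
	dataKey, err := open(kek, sr.WrappedKey, aad)
	if err != nil {
		return rec, fmt.Errorf("unwrap data key: %w", err)
	}
	plaintext, err := open(dataKey, sr.Ciphertext, aad)
	if err != nil {
		return rec, fmt.Errorf("decrypt record: %w", err)
	}
	err = json.Unmarshal(plaintext, &rec)
	return rec, err
}

// LeaksPlaintext is the check to run over a leaked row: with correct encryption it is always false.
func LeaksPlaintext(sr StoredRecord, rec CustomerRecord) bool {
	blob := string(sr.WrappedKey) + string(sr.Ciphertext)
	return strings.Contains(blob, rec.Name) || strings.Contains(blob, rec.Email)
}

func main() {
	kek, rec := randomBytes(32), CustomerRecord{ID: 42, Name: "Anna Example", Email: "anna@example.eu"} // constructed sample
	stored, _ := EncryptRecord(kek, rec)
	_, err := DecryptRecord(make([]byte, 32), stored) // the attacker's view: the dump without the KEK
	fmt.Println("plaintext in dump:", LeaksPlaintext(stored, rec), "| decrypt without KEK:", err)
}
```

The design choice worth noting is the two-key layout: the per-record data key means a single KEK never encrypts more than 32 bytes per row (so rotating the KEK is a matter of re-wrapping keys, not re-encrypting every record), and the KEK living in a KMS means a stolen database, backup or bucket listing is exactly the “unintelligible” data the exemption describes. If the KEK were stored in the same place, `LeaksPlaintext` would still return false, but the attacker could simply run `DecryptRecord`, which is why the check alone is not enough and key placement has to be part of the assessment.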
I am eager to hear your thoughts and yes, do reach out to me if you want to discuss this further.