The GDPR is now in effect – is it too late to act?
Have you been receiving a raft of emails from several companies you did (or didn’t) do business with, informing you of their updated privacy policies?
If so, well, then you have the General Data Protection Regulation (GDPR) to thank. The sweeping new data privacy regulation is now in force, and applies to all companies collecting and processing personal data of EU subjects. In fact, Google and Facebook were hit with lawsuits to the tune of $8.8B the very day GDPR came into effect. And since then, Honda and Flybe, too, have been fined a total of £83,000 for emailing customers asking them to reconfirm their marketing information and/or to get re-permission for email marketing.
Did you miss the Compliance Deadline?
Many organizations have spent the last several months scrambling to be ready for GDPR when it came into effect on the 25th of May. But now that it is in effect, is it too late to do anything?
The good news is that it is not too late. Even in the event your organization becomes the target of an investigation, the fact that you are taking steps to become GDPR-compliant will demonstrate your commitment to the law and will work in your favor.
A few things to keep in mind about GDPR
- It is mainly designed to protect personal data of private subjects of the EU.
- Remember that personal data doesn’t just mean the data belonging to your customers, it also covers your employees and suppliers you may be doing business with.
- From now on, it is imperative to seek explicit consent from the respective individuals before using their data in any way. Automatic consent (pre-filled checkboxes, for example) isn’t allowed any more. Consent must be sought using unambiguous language. Also, remember that consent can be withdrawn by an individual at any time.
- Separate consent is required for each type of activity you intend, or may intend, to perform with their data. As an example, you will seek separate consent for emailing them, calling them, and/or sending postal mail to a mailing address.
- Individuals may also invoke their right to be forgotten – in which case you will need to purge their data or, at the least, make it inaccessible except in specific cases such as issues of public interest, legal compliance and public health.
Data Backup: An Essential Part of Compliance
While it is clearly important that your organization not misuse personal data, your responsibilities under GDPR go beyond that. You are supposed to protect this data from all kinds and forms of breach. Article 4(12) of the GDPR says that a “personal data breach” means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
It is clear from the above that a personal data breach isn’t only an instance of misuse or theft. Ransomware attacks, accidental destruction, data loss, and alteration of data can all put you afoul of GDPR.
The simplest and the best way to comply is to have a solid data Backup & Recovery strategy. After all, without a reliable backup, years of stored data could be lost in a matter of moments. Just the costs associated with data loss, theft and hard drive crashes – not to mention legal and disclosure costs associated with GDPR – should build a compelling case for regular and safe backups.
In fact, GDPR makes the case for Backup and Recovery procedures unambiguously. Article 32(1)(c) states that “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.”
Don’t Forget Your End User Data
Remember that personal data belonging to customers, employees and suppliers can be stored anywhere, including on your employees’ endpoint devices, such as their desktops, laptops, and mobiles. So, it is important that you include them in your Backup & Recovery strategy.
It is useful to consider a few important statistics:
- Two thirds of enterprise data lies outside the data center, on end user devices (like laptops).
- 99% of employees have sensitive data on their laptops, and almost a third admit to uploading it to the cloud.
- A little-known fact is that most SaaS vendors don’t take responsibility for backing up your data. Many of them operate in a “shared responsibility model” which means that you are responsible for your data backups – even when your data is in the cloud.
Protecting end user data has never been more critical. If you don’t have an end user data protection strategy, consider an endpoint backup solution. Get one that can use cloud storage for the backup repository. In fact, look for solutions that can leverage cloud storage you may have already purchased for your end users (like OneDrive for Business or Google Drive).
Additionally, GDPR strongly advises pseudonymization and/or encryption of all personal data. This is certainly a well-thought-out position that the authors of the GDPR have taken. Gemalto’s Breach Level Index demonstrates that, since 2013, only 4% of data breaches have been “secure breaches”, i.e. breaches where the data was encrypted.
Consider a solution that can ensure security and privacy by encrypting files with a clear segregation of duties. While encrypted data is important for GDPR compliance, proper segregation of duties ensures that you, as the data owner, control the encryption & decryption keys, and not the cloud or software vendor.
It isn’t too late
So, remember that it isn’t too late. Despite all the scary media coverage, it is not as if supervisory authorities are simply out to get you. In fact, the ICO (Information Commissioner’s Office) in the UK has gone on record saying that businesses will face the maximum penalty only in extreme cases. They want businesses to focus on the fact that the law is really about putting customers and citizens first.
If you missed the May 25 deadline to become compliant, don’t despair. And definitely don’t stop now. Redouble your efforts and work faster to get GDPR compliant as quickly as possible.