On May 25th, in the year 2018, something called the General Data Protection Regulation (GDPR) will go into effect. That means your company, and every other company in the world, should already have a good answer to this question: "How will GDPR affect us?" In fact, I would argue that you are currently courting danger if your answer is either “I don’t know” or “it doesn’t affect us because we’re not a European company” or “GDPR is irrelevant to us because we are located in America/Australia/India/etc.”
The main danger that you are courting is a big fat fine for non-compliance with GDPR, a set of rules governing the privacy and security of personal data that is being implemented by the European Commission, but which DOES APPLY to some companies located outside the European Union (EU).
In this article I have outlined why GDPR could have serious implications for your organization, starting with a few words about the wide net that this law casts, far beyond the borders of the EU. I will end with links to resources that can help you prepare for GDPR.
Another fine mess EU’ve landed US in?
I know that I am badly misquoting Laurel and Hardy there, but hopefully you are now paying attention because this is very serious. GDPR applies to your organization, regardless of the country in which you are based or from which you operate, unless you do not collect or process personal data drawn from the European market.
"If in doubt about GDPR compliance, ask corporate counsel. If corporate counsel responds by saying “GDP what now?” consider retaining new counsel."
In other words, you are only off the hook if you do not offer goods or services to, nor track or create profiles of, European citizens.
If you do engage in any of those activities then you most likely will have to comply with GDPR. If in doubt ask corporate counsel. If corporate counsel responds by saying “GDP what now?” consider retaining new counsel.
For the sake of clarity and emphasis, let me summarize. Your firm probably needs to comply with GDPR if:
- You monitor the behavior of data subjects who are located within the EU, or
- You’re based outside the EU but provide services or goods to the EU (including free services), or
- You have an “establishment” in the EU, regardless of where you process personal data (e.g. cloud-based processing performed outside of the EU for an EU-based company is subject to the GDPR).
Clearly, this is a considerable expansion of the scope of data protections provided by previous European laws. And it encompasses all people living in the EU, not just EU citizens. In addition, GDPR expands liability beyond the current directive to include data processors as well as data controllers.
(Need a quick refresher on the language of European data protection? There are three key terms: data subjects, data controllers, and data processors. For example, a company is a data controller with respect to the customers or employees about whom it has personal information. The customers and employees are the data subjects in this context: natural persons whose personal data is being processed by the data controller. An example of a data processor would be a company to whom payroll operations are outsourced by the employer in its capacity as a data controller.)
11 key things that GDPR does
- Increases the individual’s expectation of data privacy and the organization’s obligation to follow established cybersecurity practices.
- Establishes hefty fines for non-compliance. An egregious violation of GDPR, such as poor data security leading to public exposure of sensitive personal information, could result in a fine in the millions or even billions of dollars (there are two tiers of violations and the higher tier is subject to fines of over 20 million euros or 4% of the company’s net income).
- Imposes detailed and demanding breach notification requirements. Both the authorities and affected customers need to be notified “without undue delay and, where feasible, not later than 72 hours after having become aware of [the breach]”. Affected companies in America that are accustomed to US state data breach reporting may need to adjust their breach notification policies and procedures to avoid violating GDPR.
- Requires many organizations to appoint a data protection officer (DPO). You will need to designate a DPO if your core activities, as either a data controller or data processor, involve “regular and systematic monitoring of data subjects on a large scale.” For firms who already have a chief privacy officer, making that person DPO would make sense, but if there is no CPO or similar position in the organization, then a DPO role will need to be created.
- Tightens the definition of consent. Data subjects must confirm their consent to your use of their personal data through a freely given, specific, informed, and unambiguous statement or a clear affirmative action. In other words: silence, pre-ticked boxes, or inactivity no longer constitute consent.
- Takes a broad view of what constitutes personal data, potentially encompassing cookies, IP addresses, and other tracking data.
- Codifies a right to be forgotten so individuals can ask your organization to delete their personal data. Organizations that do not yet have a process for accommodating such requests will need to work on that.
- Gives data subjects the right to receive data in a common format and to ask that their data be transferred to another controller. Organizations that do not yet have a process for accommodating such requests will need to work on that.
- Makes it clear that data controllers are liable for the actions of the data processors they choose. (The controller-processor relationship should be governed by a contract that details the type of data involved, its purpose, use, retention, disposal, and protective security measures. For US companies, think Covered Entities and Business Associates under HIPAA.)
- Increases parental consent requirements for children under 16.
- Enshrines "privacy-by-design" as a required standard practice for all activities involving protected personal data. For example, in the area of app development, GDPR implies that "security and privacy experts should sit with the marketing team to build the business requirements and development plan for any new app to make sure it complies with the new regulation".
GDPR cost and timing
As you might expect, when it comes to getting ready for GDPR, some organizations are further along than others. In January of this year PwC surveyed 200 US companies with more than 500 employees and found that 92% considered compliance with GDPR a top priority on their data-privacy and security agenda in 2017. More than half said it was the top priority and 38% said it was among their top priorities. Of course, compliance will not come cheap and 77% of folks in the PwC study said their organization was planning to spend $1 million or more on GDPR.
"When it comes to getting ready for GDPR, some organizations are further along than others."
While you might expect European companies to be on top of GDPR preparation, a recent IDC Research study conducted on behalf of ESET found that a quarter (25%) of the 700 European companies surveyed admitted they were not aware of GDPR. In addition, more than half (52%) of them were unsure what GDPR’s impact on their organizations would be (see this article on WeLiveSecurity).
Security and notification under GDPR
To drill a little further into GDPR’s implications for the security of personal data that your organization handles, I think it is worth citing the appropriate sections at length. In effect, these establish a baseline that companies which handle data about EU persons will need to meet in order to defend against claims that they are “processing in infringement of this Regulation” and thus potentially subject to fines.
In section 83 we read that “… the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.”
In other words, there are very few specifics about how you should approach securing data, aside from the encryption reference; but there’s a clear assertion that you must perform a risk assessment. (I would hope that by now every organization has done a cybersecurity risk assessment and is keeping it current, yet we still see HIPAA fines in the US due to failure to do so.)
Section 83 elaborates on the risks that need to be considered: “In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.”
Section 84 goes on to discuss the security of “high risk” data, a distinction I will address in a separate article (there is an ongoing discussion about how that distinction will be made).
"Nothing sheds light on organizational cybersecurity posture like security breaches."
Nothing sheds light on organizational cybersecurity posture like security breaches, and these are addressed in Section 85. This states that when the data controller “becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
Interestingly, GDPR allows the data controller to avoid notifying authorities of a breach if it is “able to demonstrate, in accordance with the accountability principle that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.
GDPR specifies the terms of data breach notification in Section 86 which states that data controllers must “communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.”
Some of the specifics of the notification are spelled out, such as “describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects.” For a look at some of the implications of these notification rules, including a possible surge in notifications, read this article on the IAPP blog.
More GDPR resources
Clearly, there is a lot to get ready for, especially if the idea of having to deal with European data protection law is new to you. Here are some additional resources:
- ESET has several GDPR guides available for download from this page.
- There is a growing collection of articles about different aspects of GDPR on WeLiveSecurity.
- For privacy and security purists who want to read the GDPR for themselves (like I did) here is a link to the final version as a PDF, all 150 pages of it.
Finally, it should noted that I am not a lawyer and you should not rely on this or any other internet article for legal advice. You should consult suitably qualified legal counsel on matters relating to GDPR interpretation and compliance. However, I do have one pro legal tip: if you bring up GDPR with your company’s counsel and they respond with something like “G-D-P-what?” then they are probably not yet suitably qualified (so tell them you know a good article they can check out to learn more).
For more information on the General Data Protection Regulation, ESET has a dedicated page to help ensure that when the time comes, you have everything covered.