The GDPR, the European Union's General Data Protection Regulation, is an important regulation that comes into effect on 25th May, 2018.
The regulation is the same for all 28 member-nations and thankfully saves you the hassle of having to meet the individual data security requirements of each country.
However, the bummer is that meeting the GDPR requirements is not as easy as we'd initially thought it might be. Here's a quick, simplified summary:
What is the GDPR and why it was brought in:
Long story short, the EU had an old data privacy law established in 1995. This law was viewed as archaic considering the technological advancements of the past 2 decades. Obviously, this left gaps in data security which might be misused by companies.
To tackle this challenge, in 2016 the EU brought into place the General Data Protection Regulation (the GDPR), which aims to protect the data privacy of EU residents by making companies more responsible. The regulation takes effect on May 25th 2018.
Who falls under the scope of the GDPR?
The EU does not specify whether the GDPR applies to EU citizens or EU residents. It rather uses the term "Data Subject". GDPR Article 3(2) states:
"This Regulation applies to the processing of personal data of data subjects who are in the Union" (Cybercounsel)
In essence, a GDPR "Data Subject" is anyone within the borders of the EU at the time their personal data is processed. If you're an EU expat living outside the EU, you don't fall under the GDPR. If you're merely passing through the EU at the time of a data breach, you do fall under the GDPR.
For the sake of clarity, I will refer to Data Subjects as EU residents in this article.
Does the EU public need this?
To give you a sense of the public's mood on this, the following results were reported after a survey of 7500 people across various countries by RSA (a prominent business security solutions company):
- 80% of respondents marked banking and financial data as a threat.
- 76% rated loss of passwords and identity theft (driving licences, passports, etc.) as their top concerns.
- 51% felt their personal information could be used for blackmail.
- 62% said they would blame the company that lost their data rather than the hackers.
You can read the full report here – RSA Data Privacy & Security Report
Add to this recent events like Uber's breach of 57 million records, which it chose not to disclose for an entire year, or the Facebook Cambridge Analytica fiasco!
The EU council therefore stands wise in going ahead with the GDPR.
What it means for EU residents:
The EU, in order to address the public's data privacy concerns and empower EU residents, made it mandatory for every company handling data of EU residents to protect that data like it was liquid gold.
It empowers EU residents to file class action lawsuits against companies if they lose or compromise personal data. If you're an EU resident, you can sue companies who lose your data and make you vulnerable to identity theft, misuse, etc.
What it means for Companies:
This regulation only affects companies who are dealing in any way with any data on EU residents. This can be through a business presence within the EU or by handling EU data from a non-EU country. E.g. if you are a local bank in Australia or a pizza chain in the US, then this will not affect you. However, if you are a technology or retail company which has business in Europe, then you come under the scanner.
The GDPR makes you liable to be sued in class action lawsuits if you compromise the data of any EU individual at any point in time. So basically, you must be super careful about the data of EU residents.
The GDPR not only expects you to safeguard passwords or financial data but even cookies, IP addresses, biometric data, sexual orientation or political opinions. Almost everything.
In a recent survey by PWC on GDPR preparedness, 54% of companies plan to de-identify European data and 26% planned to exit the EU market altogether to avoid any high fines or injunctions. The survey also states that 68% of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements. The numbers would be bigger for bigger corporations.
What must companies do to be GDPR compliant?
Okay, if you're not one of those who plan to de-identify European data or wash your hands of the European business you built, then read on.
1. Defined Roles:
The EU has defined certain roles in companies which will focus on the implementation and upkeep of the GDPR within companies. These are data controllers (those who set the data strategy, decide how the data is used and manage 3rd party vendors), data processors (the ones who actually handle the data) and data protection officers (DPOs), who ensure GDPR liaison and compliance.
DPOs have the onus of liaising with the EU in case of any data breach and knowing the right process to follow in case of a crisis. (Don't forget, you have 72 hours to report a data breach with all details.)
2. Know your data. Really well.
Data can be classified into 2 categories broadly:
a) Generic data: e.g. company details where the email ID is support@companyname.com identify a company rather than a specific individual. This kind of data doesn't fall under the GDPR.
b) Personal data: firstname.lastname@example.org would be personal data. Any piece of data that can help a person to be identified uniquely falls under personal data.
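As an added example (not part of the original article), the following Python snippet applies the generic-versus-personal distinction above to a small data inventory. The list of role mailbox names (support, info, sales and so on) and the set of personal field names are constructed heuristics for this example, not an official GDPR definition; in particular, the article's statement that a role mailbox is not personal data is taken as given here. The sample records are constructed.

```python
import re
from typing import Any, Dict, List

# Assumption: local-parts commonly used for role (shared) mailboxes. The
# article treats support@companyname.com as generic data; this set is a
# constructed heuristic, not an official GDPR definition.
ROLE_LOCAL_PARTS = {
    "support", "info", "sales", "admin", "billing", "contact",
    "help", "noreply", "no-reply", "postmaster", "abuse",
}

# Field names covering the kinds of data the article lists as personal
# (cookies, IP addresses, biometric data, sexual orientation, political
# opinions, passwords, financial data). The key names are constructed.
PERSONAL_FIELDS = {
    "cookie_id", "ip_address", "biometric_template", "sexual_orientation",
    "political_opinion", "password_hash", "card_number", "iban",
    "full_name", "date_of_birth", "passport_number", "driving_licence",
}

EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+\.[^@\s]+)$")


def classify_email(address: str) -> str:
    """Return 'generic' for a role mailbox, 'personal' for an address that
    points at an individual, or 'invalid' for a malformed address."""
    match = EMAIL_RE.match(address.strip().lower())
    if not match:
        return "invalid"
    local_part, _domain = match.groups()
    # Strip sub-addressing (support+ticket123@...) before the lookup.
    local_part = local_part.split("+", 1)[0]
    return "generic" if local_part in ROLE_LOCAL_PARTS else "personal"


def classify_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Tag one inventory record. A record is 'personal' as soon as any single
    field could identify an individual, following the article's rule that
    any piece of data identifying a person uniquely is personal data."""
    personal_fields: List[str] = []
    for key, value in record.items():
        if value in (None, ""):
            continue  # an empty field identifies nobody
        if key == "email":
            if classify_email(str(value)) == "personal":
                personal_fields.append(key)
        elif key in PERSONAL_FIELDS:
            personal_fields.append(key)
    return {
        "classification": "personal" if personal_fields else "generic",
        "personal_fields": sorted(personal_fields),
    }


def inventory_summary(records: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count how many records in a data inventory are in scope of the GDPR."""
    summary = {"personal": 0, "generic": 0}
    for record in records:
        summary[classify_record(record)["classification"]] += 1
    return summary


# Constructed sample inventory (not real data).
SAMPLE_RECORDS = [
    {"email": "support@companyname.com", "company": "Companyname Ltd"},
    {"email": "firstname.lastname@example.org", "cookie_id": "abc123"},
    {"email": "info@example.org", "ip_address": "203.0.113.7"},
    {"email": "sales+eu@example.org", "company": "Example Org", "cookie_id": ""},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["email"], "->", classify_record(rec))
    print(inventory_summary(SAMPLE_RECORDS))
```

Note that the third record shows why the email address alone is not enough: a generic mailbox paired with an IP address still makes the record personal data, which is why the classifier looks at every field rather than stopping at the address.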
3. GDPR protects individual humans and not companies.
Under no circumstances do GDPR laws favour European companies over non-European ones. Strategize accordingly.
4. Play by the rules:
The GDPR allows you safe and legal processing of EU residents' data as long as you abide by the following tenets: lawfulness, fairness, transparency, adequacy, relevance, limitedness, accuracy, storage limitation, integrity and confidentiality.
5. Get all your vendors to be GDPR compliant:
Under the GDPR you are as liable as your third-party vendor for maintaining data privacy. For example, if you have a SaaS business (you're the data controller) and use a 3rd party to process 10% of the data (the data processor) who is not GDPR compliant, then your business will not be considered GDPR compliant by the EU. At all times you must be aware of how your vendors process their data and what data security measures are in place. In case they are hacked, they need to communicate this to you within 24 hours or less, because within 72 hours of the hack you need to tell the EU that data you collected was compromised.
6. Know the processes:
Notify each of the 26 member-nations of the data breach within 3 days of any breach containing EU residents' data. You have to tell them every person's name and the data points that got stolen or compromised within these 3 days (the usual cycle for this is currently 45-60 days).
7. Have stringent security protection measures in place:
You cannot stop data security leaks from happening all the time. A typical organization has about 5000 threats happening at any point in time, says Gary Southwell, vice president and general manager, products division, at CSPI. Considering these numbers, you need to have your best measures in place to avoid data breaches at your own and vendor sites.
What If I am not GDPR compliant by 25th May 2018?
1. Less business with European firms. You might be willing to take the risk here, but others might not. You not being GDPR compliant makes the companies you work with GDPR non-compliant, even if you're only a 3rd party to a European firm.
2. The financial penalties for non-compliance are higher than under the old Data Protection Act. There's an upper limit of €20 million or 4% of your annual global turnover, whichever is greater. Source: Riverbank
It's important to note that the GDPR has really brought data security and data privacy to the forefront, and in the coming months/years we will see other countries also formalise their laws around it. We must not see it as constricting. In all fairness, being GDPR compliant has its own benefits:
1. Increased trust: customers of GDPR compliant companies will be super excited about having their data in the hands of companies that are safeguarding it well.
2. Global thrust on data security: companies who deal even indirectly with EU data need to be GDPR compliant to continue being vendors to bigger corporations who handle EU residents' data.
Closing this GDPR summary with a graphic I found on the internet.