Beginning May 25, 2018, organizations that store data relating to European Union (EU) citizens will be subject to the new General Data Protection Regulation (GDPR). Those affected will need to have the GDPR-prescribed information system governance and privacy controls in place by the regulation’s effective date or face potentially significant fines.
It’s important for organizations to start understanding how the GDPR will affect their operations, before compliance becomes an issue.
Protecting Personal Information
The primary objectives of the new regulation are to give control back to EU citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR makes the distinction between personally identifiable information (PII) and sensitive PII.
PII
Any information that can be used to identify an individual is considered PII. Such information can identify someone but, because it is generally already available, is unlikely on its own to cause harm.
Examples
- Names
- Birth dates
- Email addresses
- Cookies—web browser history files
- IP addresses
- Physical addresses
Sensitive PII
Information that’s not available elsewhere or that may harm the individual by being made available is considered sensitive PII. If lost, compromised, or inadvertently disclosed, it could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual, such as identity theft, blackmail, stalking, or other crimes.
Examples
- Racial or ethnic origins
- Political opinions
- Religious or philosophical beliefs
- Healthcare-related information
- Genetic or biometric data
Ownership and Proof
It’s the stance of the European Parliament, the Council of the European Union and the European Commission that PII belongs to the individual. Under the GDPR, any organization that collects or processes this type of data must be able to prove consent—that the citizen opted in—and it must be easy for the individual to withdraw that consent. Consent for children must be given by the child’s parent or custodian and must be verifiable.
Once consent is withdrawn, the controller or processor of the PII must be able to prove that it’s no longer storing the PII of the individual.
Companies that violate the GDPR may face a fine of up to 4% of their annual revenue or $27 million. Any business not properly protecting PII or sensitive PII is at risk of a fine.
Preparing for Compliance
The main challenge for organizations preparing for GDPR compliance is determining their appetite for risk and investing in the tools and processes necessary to achieve their desired level of security and privacy.
Before considering an exhaustive and potentially expensive data and security overhaul, however, it’s important for organizations to remember that awareness around the primary elements of the GDPR is fundamental. With this knowledge, organizations can then assess what actually needs to change within their existing IT environment and what doesn’t.
Key Considerations
- Assessing EU activities—Does the organization sell to EU nations or make payments to or employ EU citizens? Does it perform any data processing or storage for an organization that has EU data?
- Looking at data security and data management—These are very different things and both are addressed in the GDPR.
- Finding a Data Protection Officer—This person will have knowledge of the GDPR articles and the requirements that need to be met.
- Understanding breach notification requirements—A breach under the GDPR may not be considered a breach by US state data breach laws.
- Knowing the difference between PII and Sensitive PII—This will be essential in determining what data needs additional protections under the GDPR.
- Understanding how the organization currently handles PII and sensitive PII—This includes how it’s disseminated, processed, and retained, and how and when it’s destroyed.
- Assessing third-party service providers—Know what they’re accessing on the organization’s behalf, what they’re doing with any type of PII, and the security and privacy controls they have in place.
- Knowing what privacy practices are already in place—This could include how consent to use PII is granted and recorded, and whether it can be rescinded.
- Updating privacy policies and procedures—Consider if they’ll meet the new GDPR requirements before implementing them.
- Making the organization’s privacy policy public—This is required by the GDPR and is most easily done by posting it on the company’s website.
- Staying alert to news and events surrounding the GDPR—It’s an organization’s responsibility to stay current with the law, and specific rules may change moving forward.
Next Steps
Responses regarding preparedness for meeting the GDPR requirements have varied widely. A recent Trend Micro survey found that top executives may be overconfident in their compliance efforts, that small and mid-size companies are uncertain about who is held accountable when a service provider loses EU data, and that many of these companies believe they’re as prepared as they can be, while 64% of C-level executives are still unclear about what constitutes PII. These statistics point to the need for organizations to create and execute a detailed plan for compliance.
Creating a Plan
A data breach represents a significant financial loss for most businesses. Under the GDPR, additional fines and penalties may be assessed against your business if the appropriate steps aren’t taken, even if you’re the victim of an attack. When it comes to service providers or processors of PII, both the controller company and the service provider will be held accountable for compliance and for any subsequent data loss.
Active participation, assessing information security risk areas, building respect for privacy into the culture, and incorporating a commitment to security governance as part of a strategic plan will go a long way toward minimizing the risks.
It’s important for organizations affected by the GDPR to plan for:
- Responding to customers about the privacy of their information
- Understanding how PII is collected, disseminated, processed, retained and removed from systems
- Knowing what contractual arrangements can be entered into regarding EU citizens’ data
We’re Here to Help
The details of compliance with the EU’s regulation are somewhat ambiguous and raise as many questions as the problems the regulation attempts to solve. The fact remains that it’s being implemented, it will be enforced, and the effort is to be commended. If you’d like to learn more about how the GDPR may affect your organization and what you can do to better prepare for compliance, contact your Moss Adams professional.