Beginning May 25, 2018, organizations that store data relating to European Union (EU) citizens will be subject to the new General Data Protection Regulation (GDPR). Those affected will need to have the GDPR-prescribed information system governance and privacy controls in place by the regulation’s effective date or face potentially significant fines.
It’s important for organizations to start understanding how the GDPR will affect their operations, before compliance becomes an issue.
The primary objectives of the new regulation are to give control back to EU citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR makes the distinction between personally identifiable information (PII) and sensitive PII.
PII
Any information that can be used to identify an individual is considered PII. This information can identify someone, but likely won't cause harm because it’s readily available.
Examples
Sensitive PII
Information that’s not available elsewhere or that may harm the individual by being made available is considered sensitive PII. If lost, compromised, or inadvertently disclosed, it could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual, such as identity theft, blackmail, stalking, or other crimes.
Examples
Ownership and Proof
It’s the stance of the European Parliament, the Council of the European Union and the European Commission that PII belongs to the individual. Under the GDPR, any organization that collects or processes this type of data must be able to prove consent—that the citizen opted in—and consent must be able to be easily withdrawn. Consent for children must be given by the child’s parent or custodian and be verifiable.
Once consent is withdrawn, the controller or processor of the PII must be able to prove that it’s no longer storing the PII of the individual.
Companies that violate the GDPR may face a fine of up to 4% of their annual revenue or $27 million. Any business not properly protecting PII or sensitive PII is at risk of a fine.
The main challenge for organizations preparing for GDPR compliance is determining their appetite for risk and investing in the tools and processes necessary to achieve their desired level of security and privacy.
Before considering an exhaustive and potentially expensive data and security overhaul, however, it’s important for organizations to remember that awareness around the primary elements of the GDPR is fundamental. With this knowledge, organizations can then assess what actually needs to change within their existing IT environment and what doesn’t.
Key Considerations
Organizations vary widely in how prepared they report being for the GDPR. A recent Trend Micro survey found that top executives may be overconfident in their compliance efforts, that small and mid-size companies face uncertainty as to who is held accountable when a service provider loses EU data, and that many of these companies believe they’re as prepared as they can be, even though 64% of C-level executives are still unclear about what constitutes PII. These statistics point to the need for organizations to create and execute a detailed plan for compliance.
Creating a Plan
A data breach represents a significant financial loss for most businesses. Under the GDPR, additional fines and penalties may be assessed against your business if the appropriate steps aren’t taken, even if you’re the victim of an attack. When service providers or processors handle PII, both the controller company and the service provider will be held accountable for compliance and for any subsequent data loss.
Active participation, assessing information security risk areas, building respect for privacy into the culture, and incorporating a commitment to security governance as part of a strategic plan will go a long way toward minimizing the risks.
It’s important for organizations affected by the GDPR to plan for:
The details of compliance with the EU’s regulation are somewhat ambiguous and raise as many questions as the problems the regulation attempts to solve. The fact remains that it’s being implemented, it will be enforced, and the effort is to be commended. If you’d like to learn more about how the GDPR may affect your organization and what you can do to better prepare for compliance, contact your Moss Adams professional.