GDPR (General Data Protection Regulation) compliance is coming on May 25th to companies that operate in the European Union or have customers there. Fines for noncompliance can run into the millions. Are you prepared? And do you even have to worry about it, if you’re a US-based operation?
If your organization at any point handles personal data of EU citizens, you must comply. There are more specific rules around which companies fall under GDPR, including having operations within the EU’s borders, having more than 250 employees, or if less than 250 employees, having frequent data processing that impacts the rights and freedoms of EU citizens – but ultimately, if you handle data of EU citizens at any point, you likely must comply.
The EU citizen must be within the EU at the time of data collection for GDPR to apply — an EU citizen on US soil does not fall under GDPR. You also must be marketing towards EU subjects in general. If you intend to do business with a citizen of the EU, you must comply with GDPR. If you have no reference to EU countries on your website or product, but an EU citizen happens to send you their data, you may not need to comply.
That means hospitality, travel, software, eCommerce, and technology companies, as well as government organizations, are among those most likely to fall under GDPR standards.
GDPR is a European Union law to regulate data protection and privacy for individuals. It applies only to citizens of the EU, but if you handle their data, that means it could extend to your operations as well. The goal behind GDPR is to provide control and security over data to citizens, while also clarifying international business regulations. It takes effect on May 25th, 2018.
It does include regulations around exporting personal data from the EU to other countries, so it could have an effect on your operations for overseas customers, if you are a service provider.
Like many compliance standards, GDPR is a bit vague, requiring a “reasonable” level of data protection, but not specifying individual controls or monitoring measures. Data may be stored for no longer than necessary for the “purposes for which the personal data are processed” (talk about vague). All personal data must be exportable, or able to move from one organization to another.
GDPR requires notification of authorities if a data breach occurs within 72 hours. Having a pre-planned reporting process is vital for notification, as you must include the scope of the breach and how it occurred. That can be tough in only three days.
Companies are only permitted to use personal data with explicit consent. Each type of data processing and use must be clearly explained when consent is given, so if you plan to e-mail customers or potential customers with marketing, share their information with partners, or store it long-term for future use, each use must come with a choice to concede that use.
Only ages 16 and up can provide their own consent, so age verification is also required. For those under 16, parental or guardian consent is required.
GDPR includes a “right to be forgotten” clause, which states than upon request, a company must purge all personal data for an individual, or remove them from automated programs and marketing. This can be difficult to guarantee in a large IT environment, especially for service providers with multiple customer tenants within a data processing system. You must be able to provide personal data upon request and allow corrections as well.
Talk to one of our experts today.
GDPR does define roles within your organization that must be created to maintain compliance.
The Data Controller describes how and why personal information is processed by your organization. For example, an eCommerce company might have a Data Controller who creates a document stating they use addresses, names, and credit card information to process transactions and ship goods, as well as for marketing and customer communication. The document would also describe how that information is processed and/or stored. The Data Controller is also in charge of ensuring contractors and other external agents use data in compliance.
Data Processors can be roles within your organization or their duties can be fulfilled by an external company. These are the departments that are responsible for the actual activities of processing and storing personal data — your systems administrators, storage administrators, network engineers, software developers, or even front-line workers doing data entry or point of sale. Obviously all or part of these roles could be filed by a service provider like a cloud service provider (CSP). Both parties (your organization and the service provider) are held accountable for compliance, regardless of where a breach occurs.
Finally, the Data Protection Officer (DPO) is in charge of data security and compliance. Many organizations already have a Chief Security Officer of a Chief Compliance Officer, or roles that share compliance responsibilities.
GDPR focuses on personal identifying information (PII) rather than business data, so if you work for a primarily B2B company that doesn’t store PII, you may not need to comply. However, many B2B organizations end up storing PII of some type, as it extends from basic ID down to health information.
The GDPR covers names, addresses, ID numbers, device location, IP addresses, web cookies, RFID tags, health information (already regulated in the US under HIPAA), biometric data, race, political affiliation, and sexual orientation.
To get ready for GDPR compliance this May, you may not need to adjust much if you are already compliant with other standards like HIPAA or PCI-DSS, which require similar standards of auditability and security. The biggest changes may be adding options for consent to process and store data, and adding a process for the right to be forgotten and 72 hour reporting mandates.
You should begin a formalized documentation process for data storage, processing, and security, which outlines your entire environment and how data travels within it. Be ready to report at any time on your security measures and data storage sites, as well as possible data exports under your control. Document relevant vendors and service providers and revise any contracts with those players to account for GDPR compliance as necessary.
Test your reporting plans to ensure you can successfully trace a breach, record the scope of records affected, and plan for remediation within 72 hours.
Finally, plan for continual self-auditing and training for all employees at all levels of the organization to maintain compliance going forward.