The coming year could provide a major wake-up call for organisations in the EU who think that their data privacy and security programs are 'good enough'. We're not talking about new types of threat or a rise in malicious activity – instead the challenge concerns 1) how organisations obtain personal data, 2) how organisations use personal data, 3) how organisations transfer personal data, and 4) how organisations protect personal data that they hold. These all come from regulation – the GDPR.
GDPR Summary
First of all, though, what is the GDPR? The General Data Protection Regulation[1] is a European Union regulation bearing the full title of 'Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)'. It's the first comprehensive overhaul and replacement of European data protection legislation in over twenty years and it will impact both your organisation and the way you think about its privacy and security programmes.
Let's find out more about how it could affect you.
Does the GDPR Apply to Me? If So, When is the Implementation Date?
The first thing to note is that the GDPR is an EU Regulation, and not a Directive like the legislation it replaces. That means it has binding legal force in every member state and member states do not have the discretion to decide how to transpose the regulation into national law. Therefore, no local implementing legislation is needed – on 25th May 2018, it takes effect, even if Member States choose to enact additional laws on the same subject matter.
The second is that it doesn't matter where you are based, within the European Union or even outside it. If your organisation receives, holds or otherwise processes personal data on EU residents in any way, it applies to you.
The third is that it contains some aspects that are noticeably different from (and tougher than) previous legislation. Let's look at these.
GDPR Changes and Penalties
The GDPR contains a number of new features compared to the Data Protection Directive, the previous legislation it will supersede. Here are some of the key points:
- You have just 72 hours after learning of a data breach to send a data breach notification to your national regulator.
- Fines could reach 4% of your annual global turnover (meaning revenue, not profit) or €20 million, whichever is greater.
- New rights for individuals have been created such as the right to have their data deleted (the right to erasure), the right to move their data to another organisation (the right to data portability) and the right to object to the processing of their data, among others.
GDPR Principles and Key Points
You might ask what underlies these key changes. We see the intention behind the new aspects of the GDPR as falling into three major concepts – transparency, compliance and punishment. These concepts produce the three key pillars that the GDPR is built on:
- A new transparency framework
- A new compliance journey
- A new punishment regime
A New Transparency Framework
Proper data management is essential to comply with GDPR requirements. While the law already obliges organisations to be transparent about the purposes for which they process data, the GDPR extends the obligation of transparency much further with regard to the purposes and means of data collection, data use and data management. It explicitly requires controllers to communicate information about these areas to customers, suppliers and the regulator in a 'concise, transparent, intelligible and easily accessible form' and it requires the use of 'clear and plain language' to do so.
Transparency also means that consent rules are becoming tougher, with the data controller now required to show that consent to data processing has been obtained. Consent can also be withdrawn. Data subject access rights are now stronger and more comprehensive.
In addition, if anything goes wrong, greater transparency about this is also a must. Data breach disclosure by the controller is now mandatory within 72 hours of learning of the breach, along with proposed or actual mitigation methods.
From a data security perspective, this requires far greater visibility and control of the data lifecycle: from collection, through handling, to the ability to identify a breach or other problems.
A New Compliance Journey
The GDPR changes the historic understanding of what data privacy and data security compliance mean. No longer is it purely a checklist-ticking exercise. Now the journey to compliance is more focused on risk management. Risk calculations and appropriate privacy protections, as well as data security, are front and centre in all aspects of personal data management.
That's not to say that compliance is voluntary. The principle of accountability means that organisations are required to document their efforts to comply with the GDPR in order to be able to show proof of compliance. There will be certification bodies and certification schemes; further guidance on GDPR certification is expected by May 2018.
Regular risk assessments are a must. In fact, the GDPR requires what it calls Data Protection Impact Assessments, carried out before the processing occurs, for any type of data processing (such as profiling) that could result in a high risk to the rights and freedoms of the data subjects.
While GDPR guidelines outline what such assessments should involve, we recommend that organisations seek expert advice to ensure that their assessments are comprehensive. In addition, as the way data is processed often changes on an ongoing basis, these assessments must also be repeated on an ongoing basis to maintain compliance.
New concepts called 'privacy by design' and 'privacy by default' are also required in order to achieve compliance. Process design must incorporate privacy considerations from the outset as an integral part, not just an option. For instance, it must be possible to show that adequate data security and privacy protections are in place and are continually monitored. Systems obtaining personal data from an EU data subject must default to strict privacy settings (e.g. not to share the data subject's personal data) so that it is a deliberate choice on the part of the data subject to share their personal data.
Data subjects now also have the right to data portability, requiring that, in the context of processing based on a contract or on the data subject's consent, data controllers transfer data subjects' data to another organisation if the data subjects request this.
While achieving compliance with these requirements certainly appears onerous, there are benefits. GDPR compliance will help you build trust with clients and safeguard personal data. And it will also help organisations avoid a new and more rigorous punishment regime.
A New Punishment Regime
The GDPR introduces much more robust enforcement powers for regulators. For data processing organisations, the old calculation that a lightweight fine is an easier option than upgrading their privacy programme or security systems is now a thing of the past.
Now fines for the most serious infringements can rise as high as 4% of global turnover or €20,000,000, whichever is higher. Other infractions, such as failure to report a data breach within 72 hours, can incur a fine of 2% of global turnover or €10,000,000. For a small organisation with a low global turnover, that could be crippling. On top of this, organisations can lose the right and ability to process data at all, a virtual death sentence for customer-facing organisations.
These greatly expanded penalties mean that it's well worth making GDPR compliance your top priority for the coming months to minimise the risk of being fined when it comes into effect. It can really pay to work with a trusted partner such as SecureWorks that offers security operations services solutions which can help clients around the world detect and respond to breaches in GDPR scope.
Compliance and Beyond
It's clear that ongoing adherence is vital to not just lessen your organisation's chances of being penalised but to ensure its survival. However, a compliance-only mindset also lessens your chances of creating additional and real business benefits from compliance. Instead, the GDPR should fundamentally change how you think about data protection.
SecureWorks' GDPR practitioners and solutions are dedicated to helping organisations comply with information security and incident response standards under the GDPR. Our solution will enable organisations to monitor personal data processing systems, people and processes, and support response processes when a breach is detected. Our goal is to support clients in their security assessments, reviews and builds, and to manage information security risks within the rules of the GDPR, while enabling security to become a business enabler.
In our next blog in this series we will take a more detailed look at how meeting the requirements created by the GDPR aligns with a holistic, end-to-end approach to information security.
[1] General Data Protection Regulation, http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf