What is GDPR?
GDPR, or the General Data Protection Regulation, is new European Union data protection legislation outlining the various protections for EU citizens' data. It replaces the 1995 EU Data Protection Directive and defines a variety of rights for users or customers, and responsibilities on the part of organizations that store or process EU citizens' data. It specifically establishes that individuals own and can control their data as a fundamental right. Organizations are also required to take steps to bake security in as a fundamental element of their IT infrastructure, people and processes. Furthermore, organizations must adhere to the required process for data breach notification to maintain compliance. Fundamentally, the GDPR defines the following:
- Data privacy is a fundamental right
- Individuals have a ‘right to protection’ of, and control over, their personal data
- Users should be able to view, amend, move and delete their personal data
- Anyone suffering damages as a result of compliance infringement can seek compensatory damages
- Personal data covers a wide range of personal identifiers
- Details the responsibilities of data controllers and processors for data protection
- Formalizes rules for data breach notification
- The data controller should be able to demonstrate compliance at all times
- Organizations should have a DPO (Data Protection Officer)
- Bolsters and standardizes enforcement of regulatory powers
- Aims to be the global standard in data protection
The GDPR defines special categories of data which require the specific consent of the individual to be processed. Without such consent, processing these categories of data is prohibited:
Racial or ethnic origin, Political opinion, Religious belief, Trade Union Membership, Health Data and Sexual Orientation
It is important to note that improper use, processing or breach of these ‘special categories’ of data will result in significantly higher GDPR penalties.
How GDPR Relates to Information Security
GDPR makes some information security assumptions that well-managed organizations ought to be making anyway. It assumes we are taking steps to bake security in by design and by default into everything we do. It assumes we hold the least amount of data (data minimization) to lessen the likelihood of a breach of confidentiality, availability or integrity. To this end an organization should implement pseudonymization, encryption and data minimization. One should treat these as best practices regardless of whether GDPR applies to us or not.
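As an added illustration of two of the practices named above, the following example (written for this post, not code from the original article) shows data minimization and pseudonymization applied to a constructed customer record: only the fields a hypothetical analytics use case needs are kept, and the direct identifier is replaced by a keyed HMAC-SHA256 token so records can still be linked without storing the identifier itself. The field names, the sample record and the `FIELDS_NEEDED` selection are assumptions for the example.

```python
import hmac
import hashlib

# Constructed sample record for illustration only (not from the original post).
SAMPLE_RECORD = {
    "email": "Alice@Example.com",
    "full_name": "Alice Example",
    "date_of_birth": "1985-04-12",
    "country": "DE",
    "purchase_total": 42.50,
}

# Data minimization: the fields our hypothetical analytics use case actually
# needs. Everything else is dropped before the record leaves the source system.
FIELDS_NEEDED = ("country", "purchase_total")

# The direct identifier we replace with a pseudonym (assumed field name).
IDENTIFIER_FIELD = "email"

# Fields that, on their own, directly identify a person (assumed list).
DIRECT_IDENTIFIERS = ("email", "full_name", "date_of_birth")


def pseudonymize(value: str, key: bytes) -> str:
    """Return a stable, keyed pseudonym for a direct identifier.

    A plain hash of an email address can be reversed by hashing a list of
    likely addresses; keying the hash with a secret held only by the data
    controller removes that route, while the same input still yields the
    same token, so records can be joined downstream.
    """
    normalized = value.strip().lower()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize_and_pseudonymize(record: dict, key: bytes) -> dict:
    """Keep only needed fields and swap the identifier for a pseudonym."""
    out = {field: record[field] for field in FIELDS_NEEDED if field in record}
    out["subject_id"] = pseudonymize(record[IDENTIFIER_FIELD], key)
    return out


def contains_direct_identifiers(record: dict) -> bool:
    """Check used before export: does the record still carry raw identifiers?"""
    return any(field in record for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    # The key would come from a secrets store in practice; this one is constructed.
    demo_key = b"constructed-demo-key-not-for-production"
    minimized = minimize_and_pseudonymize(SAMPLE_RECORD, demo_key)
    print(minimized)
    print("raw identifiers present:", contains_direct_identifiers(minimized))
```

Two properties are worth noting. The pseudonym is deterministic under one key, so two records for the same person (differing only in letter case or whitespace in the email) still collapse to the same `subject_id`; and changing the key changes every token, which is the lever used to sever the link between datasets when the purpose for processing ends. Encryption of the remaining fields at rest and in transit is a separate control and is not shown here.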
Does GDPR Apply to Me?
Some of us in the good old U.S.A. might wonder why EU regulations would matter. The fact is, if we have a presence in an EU country or customers from the EU, it applies to us. This means most U.S. companies should be preparing to be compliant. EU regulators are quite serious about this and will enforce it rigorously.
When Do You Need to be Compliant?
Organizations that hold or process customer data need to be compliant by May 25th, 2018. Fundamental to compliance is:
- Security by default
- Security by design
- Implement proper safeguards to data
- Encrypt data and minimize its storage
- Assign a DPO (Data Protection Officer) responsible for GDPR
- Complete a Data Protection Impact Assessment
- Complete a Privacy Impact Assessment
- Have a proper breach notification process in place
- Appropriate security & privacy policies
- Be able to show compliance at all times
Cost of Non-compliance
Some regulation is all bark and no bite. GDPR is quite the opposite; it states that fines for non-compliance should be ‘effective and dissuasive.’ Fines scale to the size and scope of the violation but can be as high as 20 million euros or 4% of global revenues. OUCH, non-compliance is an expensive and foolhardy mistake.
Hopefully this short exploration of GDPR gives you a general understanding of the regulation. In the next few blog posts we will explore more of how it applies to your enterprise. If you found this post useful, feel free to join our free newsletter and get this and other IT insights in your inbox. If you have further questions on GDPR, please feel free to leave a comment or question below; we’d love to help.