In May 2018 the European Union’s (EU) newly revised General Data Protection Regulation (GDPR) will come into effect after many years of work. The regulation has substantial implications for businesses, not only in the EU but in regions that deal with EU companies and customers.
Let’s take a look under the covers.
The GDPR requirements apply to any organization doing business in the EU or any organization that processes personal data originating in the EU — be it the data of residents or visitors.
Things can be confusing because of the borderless nature of the internet. But in short, organizations of any size, in any country, that process personal data originating in the EU are subject to the GDPR articles. We previously addressed the scenarios and specifics of the new European Union laws here.
Enforcement of the GDPR is a year away, but companies should revisit their security and compliance strategies now to make sure they’re ready in advance of the regulation. Penalties will be imposed on organizations that miss the deadline.
Five Important Changes
The GDPR is lengthy and isn’t a simple read. We summarized some pertinent information in a previous post. In this post we focus on the five most salient GDPR articles from a data security perspective. If you’re in the data protection industry, these regulations relate to you.
- Article 25 – Data Protection by Design and by Default: The controller must implement appropriate technical and organizational measures to ensure that the data protection principles in the GDPR are met.
- Article 32 – Security of Processing: Controllers and processors must implement technical measures now and keep them in place into the future.
- Article 33 – Notification of a Personal Data Breach to the Supervisory Authority: Notifications need to be timely and must describe the nature of the breach. Information, however, can be provided in phases as it becomes available.
- Article 34 – Communication of a Personal Data Breach to the Data Subject: Businesses are required to notify the affected individual when a breach compromises that person’s rights and freedoms.
- Article 35 – Data Protection Impact Assessment (DPIA): Controllers must now perform a DPIA when a new data processing operation or technology is introduced that may adversely affect the rights and freedoms of individuals.
Plan Now to Avoid Unnecessary Pressures
Even though GDPR enforcement doesn’t begin until May 2018, there are some key questions every organization should be asking itself. More detailed information can be found (here). To start, focus on the following stages: Identification, Analysis, and Execution and Reporting.
Identify Your Current Policies
- Inventory data repositories and personal data
- Review current policies and procedures affected by GDPR principles
- Analyze data flows through your systems
Analyze Your Technology and Processes
- Perform inventory and gap analysis of current technology, controls and processes
- Analyze the status of third-party vendors that are included in your process
- Determine the need for a data protection officer (DPO) and evaluate the need to transfer data to other countries
- Perform a privacy impact analysis
Execute Revisions and Report Your Findings
- Implement compliance technology
- Develop and implement new or revised policies, procedures and resulting controls
- Perform compliance audits and management reporting
- Define the role and responsibilities of a DPO, if required, and/or train the team to take on those responsibilities
- Develop breach discovery, response and notification processes
- Negotiate agreement and process updates with third-party vendors
- Update legal contracts and agreements to provide compliance coverage to external parties
- Establish certifications to enable trust
The Penalties of Non-Compliance
Fines for GDPR non-compliance are severe and scale with the nature of the infringement.
Compared to its predecessor, the Data Protection Directive (DPD) 95/46/EC, the new regulation gives data protection authorities more powers of investigation and enforcement and the ability to levy more substantial fines. Previously, each member state was free to adopt its own laws in accordance with the DPD. This led to vast differences in the way each member country implemented and enforced the DPD. To create a single standard of implementation and enforcement, the GDPR will be applied consistently across all EU member states.
Failure to adhere to the core principles of data processing, infringement of personal rights or unlawful transfer of personal data carries a fine of up to $22 million (or four percent of global annual turnover from the prior year), whichever is greater.
Additionally, failure to comply with technical and organizational requirements such as impact assessments, breach communications and certification can cost up to $11 million (or two percent of global turnover from the prior year), whichever is greater.
More Information on GDPR
To learn more about the data security requirements of the GDPR, you can check out the resources below.
- GDPR Series, Part 1: Does the GDPR Apply to You?
- GDPR Series, Part 2: What Rules Require Data Protection Technology?
- GDPR Series, Part 3: Preparing Your Organization for the GDPR
- GDPR Series, Part 4: The Penalties for Non-Compliance
- GDPR text
- GDPR codes of conduct and certification mechanisms
The GDPR requirements are a big step toward strengthening online security and privacy of personal information. Being prepared for the changes before May 18, 2018, will help you test your processes and systems well ahead of the deadline.
We will follow up with an article on how to find out if your cloud provider is equipped to comply with GDPR.
The Imperva Incapsula cloud service reduces the risk of data compromise by protecting your infrastructure and internet-facing environment from attack. This includes both direct attacks on your web environment and attacks on the underlying infrastructure, either of which could lead to the exploitation of personal data.
Find out more about how Imperva can assist your organization’s transition at Imperva.com/go/gdpr.