European organizations are stepping up efforts to prepare for a compliance bombshell the EU dropped back in April 2016. The new rule, called the General Data Protection Regulation (GDPR), replaces the Data Protection Directive that has been in place since 1995. It imposes new data management requirements designed to provide better privacy and protection for consumers. GDPR compliance does not apply only to businesses within the EU. It also applies to companies anywhere in the world outside of the United States that collect personal data from EU residents.
Perhaps the most discussed aspect of the GDPR regulation is that it also mentions fines for breaking the rules. The Data Protection Directive only stated that sanctions for non-compliance are defined by EU member states. In contrast, the GDPR defines exactly what administrative fines can be incurred for violating these rules.
Under GDPR, organizations in breach can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, within a tiered approach to fines. For example, a company may be fined 2% for not having their records in order.
What’s more, these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.
GDPR Compliance Requirements
The EU is calling for organizations to optimize their data handling practices in a number of key areas, including the following:
Accessibility: All EU residents have a legal right to access the data an organization has collected about them. As an organization, you are responsible for making sure you provide the right information to the right individual upon request.
Transparency: Organizations need to provide more details about how they are using consumer data. They must provide those details in language that is easy for consumers to understand.
Portability: Consumers have the right to request that the company transfers their data to another party. This is one of the more contentious requirements. It gives businesses an opportunity to gain new customers from other companies, but also lose existing customers to the competition.
Removal and deletion: One of the most important components of GDPR is about data removal and deletion. Consumers have the right to be removed from the records of companies they have previously authorized to collect and store their data. Upon request, organizations must ensure that all traces of personal information are wiped from their systems.
Breach notification: Organizations need to notify both affected individuals and the National Supervisory Authority of data breaches. Notification must be sent to the authority within 72 hours of the breach.
GDPR Prep Pointers
The GDPR will have a major impact on organizations in Europe and beyond. Some businesses may need to perform a dramatic overhaul of their existing policies and practices in order to meet compliance. The following guidelines detail some of the critical steps organizations must take to fully embrace the new GDPR requirements.
Backup and Disaster Recovery Concerns
Article 32(1)(a)-(d) of the GDPR mandates that companies have a disaster recovery plan in place and that it is tested regularly. Companies must be able to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident. Moreover, the GDPR rules mandate pseudonymisation and encryption of personal data, and the ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services.
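Pseudonymisation is easy to get wrong: replacing an e-mail address with a plain SHA-256 hash looks anonymous but can be undone by hashing a list of candidate addresses. The example below is added here to show what the article's "pseudonymisation" requirement looks like in practice; it is not code from the article or from any particular product. It uses a keyed HMAC so that the same person always maps to the same token (processing and aggregation still work), while the key and the token-to-identifier table, which are the "additional information" GDPR wants kept separately, are all that can link a token back to a person. The records and the key are constructed sample values.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records; the addresses are not real people.
RECORDS = [
    {"email": "alice@example.com", "country": "DE", "purchase_eur": 120},
    {"email": "Bob@Example.com", "country": "FR", "purchase_eur": 45},
    {"email": "alice@example.com", "country": "DE", "purchase_eur": 60},
]

# Fields that directly identify a person and must be replaced by a pseudonym.
DIRECT_IDENTIFIERS = ("email",)


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym for one identifier value.

    HMAC-SHA256 under a secret key: the same input always yields the same
    token (records about one person stay linkable), while without the key the
    token can neither be reversed nor confirmed by hashing a guessed address,
    which an unkeyed hash would allow.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]  # 128-bit token


def pseudonymise(records, key):
    """Return pseudonymised copies of the records plus the re-identification table.

    The table (token -> identifier) and the key must be stored apart from the
    pseudonymised data set, with their own access controls.
    """
    pseudo_records = []
    lookup = {}
    for record in records:
        row = dict(record)
        for field in DIRECT_IDENTIFIERS:
            token = pseudonym(row[field], key)
            lookup[token] = row[field].strip().lower()
            row[field] = token
        pseudo_records.append(row)
    return pseudo_records, lookup


def spend_per_subject(pseudo_records):
    """Aggregation still works on the pseudonymised data set."""
    totals = Counter()
    for row in pseudo_records:
        totals[row["email"]] += row["purchase_eur"]
    return totals


def reidentify(token, lookup):
    """Only a holder of the separately stored table can get back to the person."""
    return lookup.get(token)


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # generate once; keep in a key vault, never beside the data
    rows, table = pseudonymise(RECORDS, key)
    for row in rows:
        print(row)
    print(spend_per_subject(rows))
```

Rotating the key produces a fresh, unlinkable set of tokens, which is also how you sever old pseudonymised copies from the people behind them once the re-identification table for that key is destroyed.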
Designate a Data Protection Specialist
GDPR compliance provides all the justification needed to get serious about cyber security and bring a skilled data protection expert into the fold. Perhaps it’s a member of your IT security staff. Or maybe it’s someone outsourced from a third party. Whatever the case, it’s crucial to assign a specialist with the role of safeguarding your data at all costs!
Implement Data Access Controls
Staff and suppliers should have access to nothing more than the resources required to do their jobs. In addition to creating a strict policy, organizations should invest in technologies that help better manage access to data. There are many ways to improve access control, including:
- implementing granular password policies;
- multi-factor authentication;
- role-based privileges.
Practice Access Governance
Considering that failing to meet GDPR compliance comes with stiff penalties, it's not a bad idea to go beyond basic access management. In general, governance calls for IT managers to periodically review access rights to ensure that user permissions align with their roles, so that ongoing compliance requirements can be managed with the utmost efficiency. In a nutshell, it helps companies make sure that employees have the access they need without compromising data security.
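The role-based privileges from the previous section and the periodic review described here fit together: the role model says what each job should have, and the review compares it with what people actually have. The script below is an added illustration of one such review pass (not code from the article or from any identity product). It takes a role-to-permission model, an HR roster and the live grants (all constructed sample data) and flags the four findings a reviewer is usually after: accounts with no HR record, leavers who are still provisioned, grants that exceed the user's role, and grants nobody has exercised for 90 days, which are candidates for removal under least privilege.

```python
from datetime import date, timedelta

# Constructed sample data for the review: role model, HR roster and live grants.
ROLE_PERMISSIONS = {
    "support_agent": {"crm:read"},
    "billing_clerk": {"crm:read", "billing:read", "billing:write"},
    "dba": {"crm:read", "crm:write", "db:admin"},
}

HR_ROSTER = {  # user -> (role, still employed?)
    "alice": ("support_agent", True),
    "bob": ("billing_clerk", True),
    "carol": ("dba", True),
    "dave": ("support_agent", False),  # left the company last month
}

ENTITLEMENTS = {  # user -> {permission: date it was last exercised, or None if never}
    "alice": {"crm:read": date(2018, 3, 1), "crm:write": date(2018, 3, 2)},
    "bob": {"crm:read": date(2018, 3, 1), "billing:read": date(2018, 3, 1), "billing:write": None},
    "carol": {"crm:read": date(2018, 2, 28), "crm:write": date(2018, 2, 28), "db:admin": date(2017, 10, 5)},
    "dave": {"crm:read": date(2018, 1, 15)},
    "eve": {"billing:read": date(2018, 3, 1)},  # nobody in HR knows an "eve"
}

REVIEW_DATE = date(2018, 3, 5)  # the day this review pass runs (constructed)


def review_access(role_permissions, roster, entitlements, today, unused_after_days=90):
    """One pass of an access review.

    Returns (user, finding, details) tuples. Orphan accounts and leavers are
    reported whole and not examined further; for active staff the grants are
    compared against the role and against recent use.
    """
    findings = []
    stale_before = today - timedelta(days=unused_after_days)
    for user, grants in sorted(entitlements.items()):
        if user not in roster:
            findings.append((user, "orphan_account", sorted(grants)))
            continue
        role, employed = roster[user]
        if not employed:
            findings.append((user, "leaver_still_provisioned", sorted(grants)))
            continue
        excess = sorted(set(grants) - role_permissions.get(role, set()))
        if excess:
            findings.append((user, "exceeds_role", excess))
        unused = sorted(p for p, last in grants.items() if last is None or last < stale_before)
        if unused:
            findings.append((user, "unused_privilege", unused))
    return findings


if __name__ == "__main__":
    for user, finding, details in review_access(ROLE_PERMISSIONS, HR_ROSTER, ENTITLEMENTS, REVIEW_DATE):
        print(f"{user:8} {finding:26} {', '.join(details)}")
```

In a real environment the three inputs come from the HR system, the directory or IAM platform and its last-logon or audit data; the comparison logic stays the same, and keeping each run's findings is itself evidence that the review happens regularly.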
Guard the Perimeter
Sound data security starts with securing the outer walls of your infrastructure. Don't get comfortable with built-in Windows security features alone. Investing in state-of-the-art firewalls, intrusion detection/prevention systems, content filtering, and virtual private networks can significantly reduce your exposure to security breaches. Effective perimeter security requires a combination of technologies that all play their part in combating cyber threats.
Prepare For Forensics
In the event that a breach does occur, IT security must not only react swiftly to meet the GDPR breach notification requirement, but also deliver the insight needed to prove compliance and move towards a resolution. Log analysis can play an integral part in the remediation process. The activity in the logs generated by your data processing applications is essentially a digital fingerprint that can help you determine what happened and when. This is why proper log management is important. Logs will go a long way in identifying the cause of a breach and gathering evidence that may come in handy for pursuing legal action.
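The 72-hour notification clock and the duty to tell affected individuals mean the first forensic question is usually "which data subjects were touched, by whom, from where, and when". The example below is added to show that question being answered from application access logs; it is not code from the article, and the log format, the user names, the subject identifiers and the addresses are all constructed (203.0.113.9 is a documentation address). It parses the lines, counts rather than hides unparseable ones, lists the source addresses a user had never used before as a lead for where the compromise window starts, scopes the affected subjects inside that window, and computes the notification deadline from the moment the organization became aware.

```python
import re
from datetime import datetime, timedelta

# Constructed application access-log lines; one is deliberately malformed.
LOG_LINES = [
    "2018-03-01T08:02:11Z user=jsmith action=read subject=10442 src=10.1.4.20",
    "2018-03-01T08:05:40Z user=jsmith action=read subject=10443 src=10.1.4.20",
    "garbage line left behind by a log rotation hiccup",
    "2018-03-01T23:14:02Z user=jsmith action=export subject=10442 src=203.0.113.9",
    "2018-03-01T23:14:05Z user=jsmith action=export subject=10587 src=203.0.113.9",
    "2018-03-01T23:15:30Z user=jsmith action=export subject=10588 src=203.0.113.9",
    "2018-03-02T07:58:01Z user=mkhan action=read subject=10442 src=10.1.4.31",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) subject=(?P<subject>\d+) src=(?P<src>\S+)$"
)


def parse_log(lines):
    """Parse lines into event dicts; returns (events, number_of_unparseable_lines)."""
    events, bad = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            bad += 1  # count rather than silently drop: gaps in evidence matter
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events, bad


def new_sources(events, user):
    """Source addresses first seen for a user, in time order: a cheap lead for
    deciding where a suspected compromise window begins."""
    seen, firsts = set(), []
    for ev in sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"]):
        if ev["src"] not in seen:
            seen.add(ev["src"])
            firsts.append((ev["src"], ev["ts"]))
    return firsts


def scope_breach(events, user, window_start, window_end):
    """Data subjects touched by `user` inside the window, plus the timeline to prove it."""
    hits = [e for e in events if e["user"] == user and window_start <= e["ts"] <= window_end]
    subjects = sorted({e["subject"] for e in hits})
    timeline = [(e["ts"].isoformat(), e["action"], e["subject"], e["src"]) for e in hits]
    return subjects, timeline


def notification_deadline(became_aware):
    """GDPR: the supervisory authority is notified within 72 hours of becoming aware."""
    return became_aware + timedelta(hours=72)


if __name__ == "__main__":
    events, bad = parse_log(LOG_LINES)
    print(f"{len(events)} events parsed, {bad} unparseable line(s)")
    for src, first in new_sources(events, "jsmith"):
        print(f"jsmith first seen from {src} at {first.isoformat()}")
    subjects, timeline = scope_breach(events, "jsmith", events[2]["ts"], events[4]["ts"])
    print("affected subjects:", subjects)
    for row in timeline:
        print(" ", *row)
    print("notify authority by:", notification_deadline(events[5]["ts"]).isoformat())
```

The same scoping function answers the individual-notification question (every subject in the returned list) and the authority's "what happened and when" question (the timeline), which is why keeping application logs complete, time-synchronised and retained long enough to cover a late-discovered incident is part of GDPR preparation rather than an afterthought.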
The GDPR officially goes into effect May 25, 2018. There is technically still time to prepare. But waiting until the last minute is the worst thing you can do outside of doing nothing at all. Most companies will need to make substantial preparations in order to achieve compliance. There is no time to waste!