While not every IT-related update is a welcome one, some are heralded – especially if they’re approximately ten years overdue. Such is the case with the European Union’s General Data Protection Regulation (GDPR), legislation intended to fortify data protection for individuals within the European Union. This legislation replaces the Data Protection Directive, legislation that was written in 1995 and last updated in 2003 – prior to the invention of major data holders Facebook, Instagram and Twitter, and back before online shopping was a weekly or even daily reality for many people.
Just because it was about time for new legislation doesn’t mean it’s smooth sailing for everyone, though. The heightened protection individuals are now allotted under the law comes with many data security considerations for companies involved in controlling or processing data.
The ABCs of GDPR
The most important thing to know is to whom the new legislation applies. As expected, the GDPR applies to all companies either controlling data in the EU or processing data in the EU. International companies are by no means off the hook, however. If the data is either controlled or processed by an organization originates from an individual physically in the EU, whether a resident or a visitor, the GDPR applies, no matter where in the world that data is being controlled or processed. The GDPR even applies to websites collecting personal data if the data is collected from a person who is physically in the EU when the data is collected.
The second most important thing to know is what constitutes personal or consumer data under this legislation. It’s any data that could help identify someone – dates of birth, passwords, PINs, social security numbers, email addresses, location data, IP addresses and information on physical characteristics including gender, age, race and many more.
Also essential to be aware of is the date this new legislation will be enforced – May 25, 2018 – and that even if an organization is not responsible for a data leak or the sharing of data with unauthorized third parties, say in the event of a hacking, the organization from which the data was stolen is still liable and could be hit with anything from a written warning to a fine of 20 million EUR or up to 4% of the annual worldwide turnover of the preceding financial year for enterprises – a potentially fatal blow.
Playing by the rules
When it comes to data security, there are five key points in the GDPR. They are as follows:
- Technical and organizational measures. Under the new legislation, companies that act as data controllers are required to take technical and organizational measures to ensure that personal data cannot be attributed to an identified or identifiable person. This may mean using a technique such as data masking, otherwise known as pseudonymization, which maintains data format but changes the data.
Data controllers also have to be careful to process only the data needed for the specific processing that is being completed. (Article 25 in the GDPR)
- Data security requirements. Both controllers and processors are required to implement technical measures to prevent breach, taking into account the state of the costs, and purpose, context, nature and scope of the processing as well as the risk to the individual attached to the data. These measures must be implemented:
- For the masking and encryption of personal data
- To ensure processing systems are confidential, resilient and available
- To enable access to data. This includes restored access following an incident.
- To regularly test technologies and processes that protect data (Article 32)
- Notification of data breaches to the regulator. When a data breach is discovered, the processor must notify the controller without undue delay, and the controller must then notify the appropriate regulator within 72 hours. If the 72-hour deadline cannot be met, the controller must be able to provide reasons for this. Notifications must include the nature of the breach, number of persons affected, number of records, type of data affected, potential consequences of the breach, measures either proposed or taken to mitigate the data breach, and the name and contact information for the organization’s data protection officer. This information can be provided in stages in order to facilitate faster notification. (Article 33)
- Notification of data breaches to the affected individual. Controllers must notify the individuals affected by a data breach without undue delay in the event that there is a high risk to the individuals’ rights and freedoms. The notification must include the same information as provided to the regulator, but it must be easy to understand. (Article 34)
- Data protection impact assessment. Controllers are required to perform a data protection impact assessment whenever a new processing technology or data process is introduced and could result in a high risk to individuals’ rights and freedoms.
To begin to prepare to comply with the GDPR, organizations need to examine the type of data they either process or store, where it’s stored, and determine its risk profile. Following that, the data flow needs to be examined as well as all possible access points.
Organizations also need to assess their existing data protection policies and procedures, perform a gap analysis relating to the new requirements, and address the gaps through resources, technology, processes and contracts. There is nearly a year left in the transition period preceding the May 2018 beginning date for enforcement, and though it may feel onerous for some organizations, it’s not a bad period of time considering how long ago these measures ought to have been enacted.