In less than 1 year, the GDPR will go into effect for all organisations using, processing, and holding data on EU citizens. What do businesses need to know?
European Union: General Data Protection Regulation (GDPR)
The European Union passed the General Data Protection Regulation (GDPR) on 14 April 2016. Beginning on 25 May 2018 the EU will begin enforcing the regulation. Currently European companies and global technology firms are making the shift to compliance, but organisations in non-compliance will face heavy fines beginning in May 2018.
Any organisation that does business with Europe or specifically handles personal data of EU citizens must comply with the General Data Protection Regulation (GDPR).
Infringement carries heavy fines: €20 million or 4% of worldwide annual gross revenue, depending on the violation. This new piece of EU legislation is the legal framework for data protection across Europe.
Worryingly, an early 2017 study by Mailjet found that only 17% of respondents have taken all of the recommended steps towards GDPR compliance, while the same proportion admit they have not enacted any such checks or changes.
What do organisations need to do to comply?
- Know if it a applies. Businesses doing business in Europe and any business that handles personal information for European citizens. The regulation applies if any of the following are based in the EU:
- data controller (organization that collects data)
- data processor (organization that processes data , including cloud providers)
- data subject (person)
NOTE: The UK’s decision to leave the European Union will not affect the commencement of GDPR.
- Know how to apply it.
- Data protection by design. Article 25 requires organizations to design data protection into business processes to protect personal data.
- Data privacy. GDPR requires “pseudonymisation” or the process of transforming personal data in such a way that the end data cannot identify the specific data. An example is encryption. Additionally, the GDPR also requires the associated information, like the decryption keys, must be kept separately from identifying data.
- Data removal. EU citizens (data subjects) have the right to request their data be erased from organisations. This is a revision of the “right to be forgotten” concept proposed in earlier drafts.
- Data portability. A person shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller.
- Know when it applies. All organizations must be in compliance by May 2018.
How can organisations comply?
One of the big benefits of GDPR will likely cause the most headaches: full organisation involvement. This cross-functional exercise should involve legal, risk and compliance, IT, and security departments. Involve teams from both technical and business perspectives.
The first, major step to complying with GDPR is to understand the data the organisation holds. Multiple departments will likely hold lists of personal information, such as email lists for marketing, human resources’s personnel files, and so on. Understanding what you must protect is the first step to protecting it.
Next, the teams from multiple departments should compare data policy and procedures already in place. An in-depth audit of policies can help reduce the burden of beginning a new data protection policy later on. The upfront work of comparing compliance standards now will save efforts in the future.
Asses your organisation’s requirements. Changes in GDPR include added protections for children, the “right of erasure” and new timelines for consent for data collection. Under GDPR, an individual has the right to request information from a company within 30 days and the data must be in electronic format. Likewise, the rules on data portability will require forethought about how data are being managed currently.
Hire a data protection officer. The GDPR requires a data protection officer (DPO) to coordinate reporting with the EU and manage data requests with data subjects. This DPO will manage the Data Subject Access Request (“DSAR”) Systems to coordinate data subject’s request for access, erasure, correction or portability. For all private sector enterprises, a single point of contact can manage IT processes, data security, and business continuity processes.
How can IT teams prepare?
In addition to working with the cross-functional teams, IT should evaluate incident reporting and responses. IT systems should be re-evaluated with security in mind. Now is the time to reign in “shadow IT” in other departments so that all data processing is in compliance.
Monitoring and compliance can be very time consuming. Automating any part of network scanning, log analysis, and compliance tracking can speed up time to compliance. In cloud-based systems providers usually offer tools like Amazon Inspector, AWS CloudTrail, Azure Service Trust Portal (STP), Microsoft Common Controls Hub in addition to many third-party tools.
Reevaluate access controls for IT teams and other departments. With cloud-based systems, it should be easier to implement strong password and authentication programs. With access mangaement tools IT teams can also gain insight into what users require access to each service or application and apply the rule of “least privilege” required for each.
Add encryption in-transit to any existing encryption best practices. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.
Prepare with security, but plan for a data breach. GDPR requires all organisations report any data breaches involving personal information within 72 hours of discovery. Along with controls to detect any unwanted network access, your teams should also have a plan to control and shut down any malicious actors.
VNS3 can help organisations meet data security measures for data privacy compliance. Even if your company is not located in the EU, your data might include information on a “data subject.” For organisations with large amounts of data and data that travels between networks the best options include adding encryption in-transit. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.
Get in touch with our sales team for BYOL versions for other large clouds, custom pricing, or for a POC.
By: Margaret Valtierra