If your company handles personal data in any way, the acronym “GDPR” is probably already familiar. GDPR stands for General Data Protection Regulation, a far-reaching set of rules adopted by the European Union to strengthen the protection of personal data in the digital economy for individuals in the EU.
GDPR affects any business that processes the personal data of people in the EU. In other words, if your business sells small kitchen tools online and ships to European customers, your data collection and privacy practices are affected. The regulation applies to any company that offers goods or services to, or monitors the behavior of, individuals in the EU, regardless of whether the business is located inside or outside the European Union.
GDPR is slated to go into effect on May 25, 2018. Experts say GDPR is the largest change in several decades to data security in the European Union. GDPR will have an impact on many companies, including large corporations, data security companies, third-party data vendors like email service providers, CRM companies, and others.
At Alpine Security, we take data security seriously. So should you. People all over the world are worried about their internet privacy, personal data, and private information, and the recent Facebook data scandal has further eroded the trust that once made users willing to hand over their data freely.
Security company RSA polled 7,500 consumers in EU countries and found that three-quarters of those surveyed are concerned about their security and identity theft. Lost or stolen banking passwords and financial data also ranked high among their concerns.
That’s why we have produced this comprehensive article on the General Data Protection Regulation, how it will impact businesses, consumers, and vendors, what compliance means, and how to get your compliance program ready by the May 25th deadline.
In this article, we’ll look at the following topics, and offer our best insights and analysis in the answers:
- What is GDPR?
- When does GDPR go into effect?
- What is the purpose of GDPR - why and how did it come about?
- Who is impacted by GDPR? Consumers? Businesses?
- How do businesses achieve GDPR compliance?
- What are companies obligated to do in case of a breach?
- What's the impact if businesses do not become compliant?
- How does GDPR tie into other audits, such as HIPAA, Privacy Shield, PCI DSS, ISO 27001? Is there overlap that can be leveraged?
What is GDPR?
As mentioned above, the General Data Protection Regulation is an EU regulation (Regulation (EU) 2016/679) that requires organizations to protect the personal data and privacy of individuals in the EU. Because it is a regulation rather than a directive, it applies directly in all 28 member states without separate national legislation. GDPR was adopted to protect people in the EU on the data protection and digital security front.
As anyone who has been on the Internet in the past decade knows, data breaches happen. Ask Sony, Yahoo, Equifax, Facebook, Target and others; all of these major companies have been hit with data breaches, and the stolen data can end up in criminal hands and be traded for millions of dollars on the black market.
GDPR aims to protect personal data and give individuals control over how it is used; preventing breaches is one part of that. Organizations anywhere in the world that sell to, market to or otherwise process the personal data of individuals in the EU must follow the new regulation. U.S. companies that sell in Europe or have a market presence there must make the changes needed to comply. Non-compliance could cost them dearly in fines and penalties.
When does GDPR go into effect?
May 25, 2018, is the date on the GDPR timeline for the law to become effective. After this date, companies will have to show compliance with the regulation.
What is the purpose of GDPR - why and how did it come about?
Six years ago, in 2012, the European Commission proposed a reform of EU data protection rules to position Europe for the digital economy. After four years of negotiation, the GDPR (Regulation (EU) 2016/679) was adopted in April 2016, replacing the 1995 Data Protection Directive, with a two-year transition period before it applies. The EU-U.S. Privacy Shield agreement, approved separately in July 2016, is a distinct framework that governs transfers of personal data from the EU to certified U.S. companies; it did not introduce GDPR, which applies to all EU member states and to businesses and individuals handling data of people in the EU.
What is GDPR’s impact on consumers?
GDPR is designed to better protect individuals in the EU from security breaches, data theft and identity fraud. Like many far-reaching laws, GDPR may not have an immediate effect on individuals’ personal data. But long-term, consumers will likely feel better protected from company privacy intrusions.
GDPR protects any information relating to an identified or identifiable person (“personal data”), including:
- Basic identity data such as name, address and national ID numbers
- Internet data (IP address, cookie identifiers, location data, etc.)
- Health, biometric and genetic data
- Racial or ethnic origin, political opinions, religious beliefs, trade union membership, and sex life or sexual orientation
The last two bullets (together with racial or ethnic origin) are “special categories” of data under Article 9 and may only be processed under narrow conditions, such as explicit consent.
One way GDPR affects consumers directly is a 'right to know’ when their data has been compromised: when a personal data breach is likely to result in a high risk to individuals’ rights and freedoms, the controller must inform the affected people without undue delay (Article 34). Knowing that their data has been exposed lets people take steps, such as changing passwords or watching for fraud, to limit further misuse.
What is GDPR’s impact on businesses?
Companies subject to GDPR must put in place “appropriate technical and organizational measures” to protect personal data (Article 32). The regulation assigns obligations to two roles, 'controllers’ and 'processors’.
A controller is the organization that decides why and how personal data is processed; a processor handles the data on the controller’s behalf and under its instructions. A financial institution that collects customer data is a controller, while the data centers, analytics providers or digital asset management firms it engages to store, analyze or otherwise handle that data are processors.
The controller remains responsible for the processing, but processors have direct obligations of their own under GDPR, and the relationship must be governed by a written contract (Article 28).
Compliance goes further than sending an email about how a person’s data is being used and offering an opt-out. Companies must assess their privacy, security and data protection controls and procedures, according to inbound marketing leader Hubspot. Questions companies must ask themselves, per Hubspot, include:
- Do we have procedures in place for privacy controls?
- Do we have staff trained to handle any kind of data breach?
- Do our contracts with third-party vendors include clauses that ensure they meet GDPR requirements when processing data on our behalf?
Overall, companies must give individuals easier access to their own data and clearer information about how it is collected, used and processed. Making this information available in plain language will help build trust between consumers and companies’ web practices.
Some companies are already moving ahead with their own GDPR compliance steps; some have reportedly even cold-called customers to ask whether they want to stay in the marketing database. Once GDPR comes into force, organizations will need to adhere closely to these consumer rights.
How do businesses achieve GDPR compliance?
GDPR’s transparency requirements mean that companies must publish their data collection practices, the purposes and legal basis for processing, and how individuals can exercise their rights or lodge a complaint with a supervisory authority if they believe their data has been misused.
The May 25 date applies to any company processing personal data in the context of an EU establishment, and also to companies outside the EU that offer goods or services to people in the EU or monitor their behavior. That reaches American companies that sell or market to European customers over the Internet, which by our estimate is the large majority of US companies with an online presence.
The compliance obligations in the official text of the GDPR are numerous. Many B2C companies will have to take extra steps, not only for consumer data security but across internal functions such as information technology, legal and compliance, procurement, public relations and communications, marketing and customer relations, human resources and insurance.
Other data protection requirements that businesses must meet include:
- A lawful basis for every processing activity. Consent is one of six bases; where it is relied on, it must be freely given, specific, informed and unambiguous, and explicit for special-category data;
- Notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and notification of the affected individuals when the risk is high;
- Appointment of a data protection officer where required: for public authorities, and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.
GDPR does not impose a separate, stricter regime on banks and other financial institutions, but it does name pseudonymization and encryption as examples of appropriate security measures (Article 32), and sectors that already hold large volumes of sensitive financial data will be expected to apply them. The distinction matters: pseudonymized data, where the identifier is replaced by a token that can be reversed with a separately held key, is still personal data and stays in scope; only truly anonymized data, which cannot be traced back to any individual by any reasonably likely means, falls outside GDPR.
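The line between pseudonymized and anonymized data is easy to get wrong in practice, so here is an added example in Python (not code from the original article or from any named vendor). It assumes a controller that wants to hand an export of order records to a processor with customer e-mail addresses replaced by tokens, keeping an HMAC key stored separately so that only the controller can re-identify a customer. It also shows why a plain, unkeyed hash of an e-mail address is not anonymization. The sample records, e-mail addresses and key are all constructed for the demonstration.

```python
"""Pseudonymisation of customer identifiers with a keyed hash (HMAC-SHA256).

Added example; it is not code from the original article or from any named
vendor. It assumes a controller that wants to hand an analytics export to a
processor without the customers' e-mail addresses, while keeping the ability
to re-identify a customer (e.g. to answer an access request) using a secret
key stored separately from the export. Sample records and the key are
constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample records, as a small online shop might hold them.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "anna.mueller@example.com", "order": "A-1001", "total_eur": "42.00"},
    {"email": "pierre.dupont@example.org", "order": "A-1002", "total_eur": "19.50"},
    {"email": " Anna.Mueller@Example.com ", "order": "A-1003", "total_eur": "7.99"},
]
SAMPLE_EMAILS = [r["email"] for r in SAMPLE_RECORDS]

# Constructed key: generated once, kept in a secrets manager or HSM, and never
# shipped together with the pseudonymised data set.
PSEUDONYM_KEY: bytes = secrets.token_bytes(32)


def normalise(identifier: str) -> str:
    """Canonicalise so that case and whitespace variants map to one token."""
    return identifier.strip().lower()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Stable, key-dependent token for an identifier.

    The result is still personal data under GDPR: whoever holds `key` can
    re-identify the subject by recomputing the HMAC for a known e-mail address.
    """
    return hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier: a common but mistaken 'anonymisation'."""
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


def dictionary_attack(token: str, candidates: List[str],
                      hash_fn: Callable[[str], str]) -> Optional[str]:
    """Re-identify a token by hashing guessed identifiers and comparing.

    E-mail addresses are low-entropy and often available in bulk, so an
    attacker who knows the hashing scheme can reverse unkeyed hashes this way.
    """
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), token):
            return normalise(candidate)
    return None


def pseudonymise_records(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the e-mail column with a token; the export carries no key material."""
    out = []
    for rec in records:
        rec_copy = {k: v for k, v in rec.items() if k != "email"}
        rec_copy["customer_token"] = pseudonymise(rec["email"], key)
        out.append(rec_copy)
    return out


def reidentify(token: str, known_customers: List[str], key: bytes) -> Optional[str]:
    """Controller-side re-identification: the same search, but only the key holder can run it."""
    return dictionary_attack(token, known_customers, lambda e: pseudonymise(e, key))


if __name__ == "__main__":
    export = pseudonymise_records(SAMPLE_RECORDS, PSEUDONYM_KEY)
    for row in export:
        print(row)
    leaked = naive_hash(SAMPLE_EMAILS[0])
    print("unkeyed hash reversed to:", dictionary_attack(leaked, SAMPLE_EMAILS, naive_hash))
    print("keyed token reversed without key:",
          dictionary_attack(export[0]["customer_token"], SAMPLE_EMAILS, naive_hash))
    print("controller with key recovers:",
          reidentify(export[0]["customer_token"], SAMPLE_EMAILS, PSEUDONYM_KEY))
```

The export produced by `pseudonymise_records` is what the processor receives; the controller keeps `PSEUDONYM_KEY` apart from it and can still answer an access or erasure request by recomputing the token. Because the key makes re-identification possible, the export remains personal data under GDPR and needs the same contractual and security controls as the original; only if the key is destroyed and no other linking data exists could the result be argued to be anonymous.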
And the costs will be burdensome. A recent PwC survey found that nearly 70% of U.S.-based companies expect to spend up to $10 million to meet the new GDPR requirements, and another roughly 10% expect to spend more than $10 million on compliance.
Though the added compliance measures will cost companies in the short term, there are expected long-term savings. By making a single law for all 28 member states, the European Commission will help save money for the EU and make it less complicated for companies to deal with data and privacy issues for all regions.
How long does it take to get GDPR compliant?
This answer is not yet clear. GDPR is enforced by the national supervisory authority of each member state, coordinated through the European Data Protection Board, but there is no central body that certifies a company as “GDPR compliant”, so it is difficult to say how long it will take organizations to get there. The 28 EU member states are themselves still adjusting to the new regulation and working out how oversight will operate in practice.
Essentially, compliance will be an internal matter for many companies. Businesses of all types will have to audit their data security practices, review the privacy protocols already in place, assess their current level of GDPR compliance, and improve the practices that put customers’ data at risk.
What are companies obligated to do in case of a breach?
Under GDPR, businesses must report personal data breaches to their supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. They must also notify the affected individuals when the breach is likely to pose a high risk to the “...rights and freedoms of individuals and lead to discrimination, damage to reputation, financial loss, loss of confidentiality, or any other economic or social disadvantage.” In other words, expect the second half of this year to bring a higher number of public disclosures around personal privacy and data security issues.
What's the likely impact if a business does not get compliant?
This is the tough spot for companies. To achieve compliance with GDPR will cost companies plenty. To not achieve compliance may cost them potentially much more.
Failure to comply with GDPR can result in a fine of up to 20 million euros or 4% of global annual turnover, whichever is higher. The amount will depend on the severity of the infringement and on whether the company is deemed to have taken compliance and security seriously. This top tier applies to infringements of data subjects’ rights, unlawful international transfers of personal data, processing without a lawful basis, and failure to put procedures in place for, or ignoring, subject access requests.
A lower tier of up to 10 million euros or 2% of global annual turnover, whichever is higher, applies to companies that mishandle data in other ways. These include, but are not limited to, failure to report a data breach, failure to build in privacy by design and apply data protection from the first stage of a project, and failure to appoint a data protection officer where the organization is one of those required to by GDPR.
If a company is already compliant with other compliance audits (like HIPAA, Privacy Shield, PCI DSS, ISO 27001), can the company leverage those for GDPR compliance?
Our clients have asked us the question above often in recent months. The short answer is "it depends". Some policies and procedures from other compliance regimes can be leveraged for GDPR: an ISO 27001 information security management system, for example, maps well onto GDPR’s requirement for appropriate technical and organizational security measures, and Privacy Shield self-certification already commits a U.S. company to notice, choice and access principles for EU data. But GDPR’s reach is broader than these regulations: HIPAA applies only to protected health information (PHI) and PCI DSS only to payment card data, while Privacy Shield governs only EU-to-U.S. transfers. GDPR applies to just about every piece of data that can be tied to an individual, so existing controls are a starting point, not a substitute for a gap analysis.
Companies need to move on GDPR compliance. If your organization has not yet taken GDPR to heart, it’s time to start. Here are three key areas in which to move ahead with compliance readiness:
- Analyze, develop, and execute GDPR programs across your organization’s systems, processes, people, and policies
- Make it a team effort - Get all of your relevant teams working together
- Ensure buy-in from your management to stay on top of GDPR compliance
GDPR’s data minimization principle will ultimately lead companies to gather only the data they need from individuals to complete a conversion, transaction or order. The optimistic view is that with clearer data protection and privacy controls, consumers in the European Union will become more comfortable with emerging digital practices and will be able to trust the companies they deal with to hold their personal information in high regard.
Have questions or need help with GDPR compliance? Contact us today.