The 5 W’s Of The New EU Data Protection Regulation Law

The GDPR: Who, What, Where, & When?

The European Parliament has recently voted to approve the long-awaited General Data Protection Regulation (GDPR). The bill was drafted in 2012 and was passed by the EU’s Committee on Civil Liberties, Justice and Home Affairs with a 54-3 vote (with one abstention) in April 2016.

The GDPR replaces 28 European national laws with one central EU law. Parliament is lauding this as a positive change for companies, noting the change improves trust between citizens and businesses and simplifies the regulation process.

Why is it important?


The data protection legislation signals a major shift for privacy laws in the EU and has significant and important implications for businesses, third parties, and citizens.

The law is extremely broad and covers a lot of ground around data protection and privacy, including:

  • “a right to be forgotten,
  • ‘clear and affirmative consent’ to the processing of private data by the person concerned,
  • a right to transfer your data to another service provider,
  • the right to know when your data has been compromised,
  • ensuring that privacy policies are explained in clear and understandable language, and
  • stronger enforcement and fines up to 4% of firms' total worldwide annual turnover, as a deterrent to breaking the rules.”

The General Data Protection Regulation laws have created obligations to protect personal data on two types of companies: controllers and processors. The GDPR Directive defines a controller as “the person or entity that determines, alone or jointly with others, the purposes and the means of the processing of personal data.” In other words, a controller is a first-party company. A processor is defined as “the person or entity that processes personal data on behalf of the controller,” which makes this entity a third party.

The new laws denote that controllers should work with processors that are able to implement appropriate security measures to protect personal data. It also holds that controllers are to be held liable for their processors’ actions if they do not adhere to the appropriate security standards and a loss of personal data takes place.

When there's so much personal data at risk, the new law also states that systematic monitoring should be in place—both in-house and for third-party processors; however, the law does little to define what such monitoring should look like.


How can EU controllers prepare?

This law is being lauded as a game changer, and preparation for these changes is high priority for nearly every business in the EU.

In a recent Wall Street Journal article, the global privacy officer for Intel, David Hoffman, said the company is concerned about the potentially high fines, noting that “such high sanctions dis-incentivize business and investment.”

What needs to be done to prepare for these laws is specific to each company and depends on the industry, business relationships, and a number of additional factors. Even so, there are several best practices every EU organization should look into:

Revisit contractual agreements with processors.

Controllers will need to begin revisiting each contractual agreement with their processors to ensure that their security expectations are stated clearly and meet the standard called for in the GDPR. This is a whole-of-company problem, so be sure to involve individuals from your legal and IT security teams when renegotiating your processor contracts. This article further details the data processors’ new obligations—so be sure to give it a read.

Continuously monitor your processors.

Even if your contracts are airtight, you won’t want to sit around and hope your suppliers are taking their security obligations as seriously as you do—because if they don’t, you could be liable! So be sure to take a look at continuous monitoring software, so you can ensure your processors are in good standing and stay constantly updated on their cybersecurity posture.

Get started right away.

While companies do have a two-year period once the law is published to prepare for compliance, the sanctions that will begin in 2018 will be steep. Begin researching the data protection legislation immediately and implementing the changes necessary at once to avoid potential fines.