The goal of the General Data Protection Regulation (GDPR), which goes into effect in May 2018, is to protect the fundamental rights and freedoms of individuals in the EU as it pertains to their personal data. As you might imagine, it is a broad and complex piece of legislation, with far-reaching implications for businesses inside and outside the EU.
If you’re just becoming familiar with the General Data Protection Regulation and need a GDPR summary, take a look at this article. Then, familiarize yourself with 12 frequently asked GDPR questions below.
The GDPR comprises 99 articles and isn’t easily summarised, but three of the most noteworthy compliance implications are as follows:
Organisations have until 25 May 2018 to become fully compliant with the GDPR.
The maximum fine for not complying with the GDPR is €20,000,000 or 4 percent of a company’s worldwide revenue (not profit), whichever is greater. These staggering penalties are one of the reasons why the GDPR has caused such a stir in boardrooms across the EU and across the world.
Even if your organisation has no physical presence in the EU it is not necessarily exempt from GDPR enforcement. If you process the data of any EU citizen—regardless of where your business is located in the world—you must be GDPR compliant. This means that a large number of internet-based organisations around the world will be impacted. Additional details on this can be found in article 3 and in articles 44-50.
Not necessarily, but you might need one. Certain organisations are required to appoint a Data Protection Officer, depending on the scale and nature of the data they’re processing. To determine if you need to appoint a Data Protection Officer, see articles 37-39.
Under the GDPR, data processors can be liable to data subjects directly (rather than just to the controller) where the processor has failed to comply with the GDPR, in addition to any liability the processor has to the controller. Controllers who are concerned with article 32 compliance will also put their processors through more rigorous due diligence processes to ensure their own compliance, as well as negotiating any additional contractual protections they can.
Per articles 12-23, if an individual requests access to their data or requests that data be removed from a company’s records, your organisation must take action within one month. This concept will likely prove particularly difficult for many organisations since data is easily stored and copied to many places. Now is the time to think about technical solutions that will assist with your compliance.
Controllers have limited options for legal cross-border data transfers from the EU to the U.S. One of the most popular is the use of Model Clauses. The European Commission has put into place two sets of standard contracts “for transfers from data controllers to data controllers established outside the EU/EEA, and one set for the transfer to processors established outside the EU/EEA”. Most of the provisions in these contracts cannot be altered or negotiated, and are rather rigid in their requirements.
Article 4 of the GDPR states that consent is "any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
This definition dramatically impacts how businesses can use personal data of EU citizens, and how those businesses obtain that data. For example, you can no longer bury consent in a privacy policy; under the GDPR, your intentions for data use must be stated explicitly. Additionally, individuals have a right to know precisely what their data will be used for; organisations must not use the data for any other reason (with a few limited exceptions).
As previously noted, article 32 emphasises that organisations that collect personal data must follow proper processes to ensure the appropriate controls are in place before they share data with third-party vendors. But it also states that those organisations need “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures”.
Unfortunately, there is no single correct way to assess these measures; it is a challenge that all organisations affected by the GDPR will have to face. Some organisations choose to perform regular audits, some use vendor questionnaires, and others use continuous monitoring tools.
A Data Protection Impact Assessment (DPIA) is a formal process to determine GDPR compliance. As described by Ireland’s Data Protection Commission, a DPIA “describes a process designed to identify risks arising out of the processing of personal data and to minimise these risks as far and as early as possible”.
This ISACA article does a good job describing what a Data Protection Impact Assessment is and what it isn’t. For example, the author explains that a DPIA is not synonymous with a PIA, though closely related.
Without understanding how your data flows through your network, you probably won’t ever achieve full GDPR compliance. So while creating a “map” of how your data moves throughout your organisation isn’t strictly required (the GDPR just requires a “record of processing activities,” as found in article 30), it is a valuable activity.
While there are myriad options for creating your data map—from simple spreadsheets to complex Data Mapping tools—you’ll want to be certain you know where personally identifiable information (PII) is collected and stored, and the routes it takes to get to those areas.
Download the guide below for even more information about the GDPR, including additional compliance implications, six ways you can begin to prepare for the GDPR, and much more. Get started with your GDPR compliance program today!