The General Data Protection Regulation (GDPR) is a complex piece of legislation and - as such - there are often more questions than answers from the CISOs, CIOs and CEOs trying to ensure their organisation is compliant with these new requirements. With that in mind, in this article, we answer the biggest questions around GDPR.
What is GDPR and when is the deadline for compliance?
The General Data Protection Regulation (GDPR) is the new EU-wide data protection law that replaces the 1995 EU Data Protection Directive and the patchwork of individual country laws that implemented the Directive in each EU member state.
It is the result of several years of negotiation: the proposal was released in 2012 and was finally adopted in April last year by the Council of the European Union and by the European Parliament. The law was passed in May last year, setting in motion a two-year transition period before the law comes into full effect in May 2018.
GDPR will apply across all EU member states from May 25 2018, including the United Kingdom. It’s particularly important for UK businesses to note that Brexit notwithstanding, they will be required to comply, as the UK will still be a member of the EU when the regulation comes into force.
So, with the regulation little more than one year away, we look at the big security questions around GDPR:
What happens if you’re not compliant – how big are the GDPR fines?
Potential fines under GDPR are much higher than they are under the current data protection laws in EU member states.
For example, under the Data Protection Act in the UK, the biggest fine a non-compliant business faces in the UK is £500,000, though in practice fines have been lower than that. The biggest penalty the UK Information Commissioner (ICO) has levied was on the telecoms provider TalkTalk, which was fined £400,000 in October 2016 after its investigation found that TalkTalk had failed to take “basic precautions” to protect customers’ data.
That all changes under GDPR: maximum fines from May 2018 can be up to €20m or 4 percent of global turnover – whichever is greater.
This is clearly a huge jump, and significantly alters the risk a business faces – and thus will have an impact on risk management strategies.
What are the main changes?
There are numerous eye-catching requirements under GDPR, but it could be argued that increased territorial scope, greater emphasis on transparency, and much broader rights for individuals are the most significant changes.
One of the biggest changes of GDPR is the broad territorial scope of the law which will likely apply to any company that processes EU personal data, whether the company is based in the EU, Silicon Fen (UK) or Silicon Valley. In short, if your staff, contractors, customers or suppliers are EU citizens or residents and you process their data, then you’ll almost certainly have to be compliant or face the consequences.
Transparency means that businesses must use language that’s clear and appropriate when setting out what they plan to do with personal data: that means no more unintelligible pages of legalese. If you are relying on an individual’s consent to process their data, they must understand what they’re consenting to for that consent to be valid.
Judith Vieberink, a Dutch barrister with Netherlands-based First Lawyers, says: “That means an opt-out is no longer adequate: it’s a much higher bar under GDPR.”
Tim Turner, a GDPR expert who runs the consultancy 2040 Training, points out that under the UK’s existing Data Protection Act, a great deal is left to the discretion both of organisations and of the Information Commissioner. GDPR, however, is much more explicit, with “much more concise language”. He adds: “At the moment, the Information Commissioner has broad powers, but they’re hard to tie down.”
This feeds into the greater rights for individuals. Turner says: “The massively bolstered rights for people is one of the clear intentions of GDPR: to bring the person and the organisation a bit closer together in terms of power.”
Part of this is the GDPR requirement known as the ‘right to be forgotten’ (RTBF), under which an individual can ask an organisation what data it holds about them and, in certain circumstances, can ask to have it deleted.
“There are many opportunities for an organisation to mess you about now,” says Turner. “The individual will be much more empowered [thanks to GDPR].”
Who does GDPR affect the most?
Arguably, it is the data subjects who are most affected, as they will have much more information and greater rights both in terms of how their data is used and compensation from organisations who fail to comply with the law.
However, GDPR will also impact businesses inside and outside the EU that will have to comply, and it will also affect the leadership teams in businesses: the assumption of privacy by design that’s such an important plank of GDPR means that data policy and strategy have to be set from the C-suite and driven through so that they are part of every process, from the early stages of scoping a project right through to delivery and execution. This is not something that can be palmed off on the IT team.
Businesses may also be required to have a Data Protection Officer (DPO), an expert whose job it is to monitor compliance and to liaise with the local data protection authorities.
Vieberink says that “to balance the commercial interests of the company with the privacy rights of the data subject, the DPO should be independent of the boardroom (art. 38 sub 3 GDPR) and independent of the internal and external auditor”, adding: “You could have one in your company, but then you have to ask: how do we maintain their independence?”
How will it impact my information security team and how do I get compliant?
Information security teams have a huge job on their hands, yet survey after survey indicates that many European businesses have barely started preparing for GDPR.
Turner says that the starting point is to “start gathering information. Look at the flows of information in and out of your organisations. Look at who holds data, who is responsible for it. If you don’t have a strategic understanding of that, if you don’t know what information assets you hold, you can’t be compliant.”
“Compliance is not a small undertaking,” adds Vieberink.
How will it affect the information I collect on my customers?
As already mentioned, organisations that process personal data based on consent will have to be confident that they have valid consent from the people whose data they hold to retain and process it (although it should be noted that, under GDPR, there are other legal bases where consent is not required – Ed). Additionally, organisations will have to be able to comply with the right to be forgotten. Turner says that “Organisations hold on to a lot of data they really don’t need”, pointing out that they’ll need to be able to locate a user’s data and permanently delete it.
What happens if my data is stored in the cloud?
Again, being compliant when you’ve got data stored in the cloud comes down to knowing where that data is held. Your organisation will need to show that data is stored and transferred in a way that’s consistent with GDPR requirements, and that starts with “understanding where those flows are, and what you’ve got in the cloud,” says Turner.
Furthermore, other privacy experts have argued that organisations may wish to stipulate that they will only work with cloud providers that can give assurances about privacy and being compliant with GDPR, especially as some cloud providers are still scrambling to achieve GDPR compliance by the May 2018 deadline.
Vieberink adds that businesses should be able to answer the question “Who outside my company am I exchanging this data with? What rules should I apply?”
GDPR is an enormous shift for businesses, requiring strategic leadership from the very start and right the way through the process of preparing and implementing data policies. If you’re one of the organisations that hasn’t made much headway, now really is the time to start.