After years of patchwork privacy and data handling rules causing headaches across the various nations of the European Union, the EU passed the General Data Protection Regulation (GDPR compliance) in 2016 to make things easier across all member states. The GDPR aims to protect the data of all EU residents and make it easier for organizations to understand and comply with data protection rules. Though the GDPR was officially adopted in 2016, its formal implementation date is May 25, 2018, giving member states about two years to ramp up their preparations to comply.
Even if your organization does not have a location in the EU, if you handle the personal data of any EU citizen, you will need to comply with the General Data Protection Regulations or risk being hit with hefty fines—up to 4% of your company's annual revenue or up to €20 million, whichever is higher.
Privacy By Design: The aim of the GDPR is to protect the Personal Data of EU citizens, including data such as their name, email address, financial or medical details, and even their IP address. As such, a key component of the GDPR is building in privacy from the start in all systems—called Privacy By Design—provided by default for all end users.
Data Custodianship: In addition, better data custodianship rules are also part of the General Data Protection Regulation. The regulations dictate that organizations should only keep the data they absolutely need for only as long as they need it. Once that data is no longer needed, the data should be destroyed or anonymized.
Right To Erasure: Building off the “right to be forgotten” concept introduced in a 2006 lawsuit against Google, the GDPR includes a right to erasure. This means that users can request for their Personal Data to be deleted from an organization for any number of reasons, including suspected non-compliance with the GDPR. Additionally, explicit consent, which must be given freely, is required for the processing of Personal Data, and organizations must provide users with the same ease of consent withdrawal should the user wish to do so.
Breach Notification Requirements: Along with the requirements around keeping users’ data safe, the GDPR also includes mandatory and stringent data breach notification rules. In the event of a data breach of Personal Data, the breach must be reported to the Supervisory Authority of the EU member states affected within 72 hours of the breach’s discovery. Depending on the severity of the data breach, the organization may also need to notify the affected users as well.
1. Understand your network and the scope of the data you have
Make sure you have a grasp on your ecosystem and the scope of the data your organization holds: who has access to it, and what kind of data is it? Once you have an idea of the scope, you can start to implement access limits and monitoring to make sure there’s no unauthorized access.
2. Assess the strength of controls and programs
You’ll want to test and assess the efficacy of any critical security controls and programs currently in place—not just technology, but people and processes, too. Make sure to scan for vulnerabilities and weak points regularly and address any gaps.
3. Formalize and practice notification processes
No one wants a data breach to occur, but it’s best to be prepared for the worst-case scenario well ahead of time. Put in place a formalized data breach notification process and take it for a few trials runs, and be sure it includes incident detection and response capabilities.
The General Data Protection Regulation will be formally implemented on May 28, 2018, and impacted organizations should begin moving toward compliance as soon as possible. Not only will it make them compliant in the eyes of the law, but it’s never a bad idea to continuously be evolving your security stack, especially where personal data is concerned. Learn more about complying with the General Data Protection regulation.