In this week’s Whiteboard Wednesday, Samantha Humphries, international solutions marketing manager at Rapid7, explains the EU General Data Protection Regulation (GDPR), which organizations around the world must be compliant with by 25th May 2018.
Welcome to Rapid7's Whiteboard Wednesday. My name is Sam Humphries and I am the international solutions marketing manager for Rapid7. Today we're going to talk about the General Data Protection Regulation, or GDPR. Whilst this is something that's come from the EU, it doesn't just apply to organizations that are physically based in the EU. It's there to protect the personal data of EU citizens, no matter where they are in the world and no matter where the organization that processes their data is in the world. So if you hold data on EU citizens, GDPR will apply to you.
So, no matter which kinds of compliance requirements you already have to have in place depending on the industry that you're in, none of these line up perfectly with GDPR. There will be changes that you need to make to people, process, and technology, which may include appointing a data protection officer, who is an individual within your organization charged with ensuring that GDPR is properly implemented. There will also be changes to technology, so this goes across things like understanding what sort of data you have, where that data is, who has access, why you have the data, and also making sure that it's secured.
It comes into effect on May 25th 2018. From that date the fines, which as you can see here are pretty horrific, can be charged to your organization if you're found to be in infringement. Organizations were given two years from the date this was signed into law in 2016, and everyone has to be ready for May 25th 2018. The infringement fines depend on the level of the infringement; the worst case scenario is 20 million euros, or 4% of your gross worldwide revenue for the previous year, whichever is the higher amount. Originally the fines were set at 1 million euros. That was deemed to be too low and not necessarily dissuasive for infringement or noncompliance. So as you can see here, that fine level could be catastrophic, certainly for smaller organizations, and certainly not great for larger organizations, too.
So, these are the six principles of processing personal data. First of all, it must be processed lawfully. You cannot be using data for illegal reasons. You have to collect the data for legitimate purposes only, and you have to state what they are. So for instance, first of all, it's important that you gain consent from the data subject for taking their data in the first place. You have to state what you're going to do with it. You have to state how long you will hold it for. People must be able to withdraw consent as easily as they gave it, so this isn't just having a checkbox for people to uncheck; more process will be needed, and further documentation on your website to say why you are requesting the data and what you're going to do with it.
Additionally, it has to be limited only to what is necessary. It's not acceptable to just request a bunch of data with no real purpose. If it's not something that's deemed to be necessary, you shouldn't be asking for it. So there may be cases where you already have data that you need to go back and look at to see, well, why have you got this? And do you really need it? And if the answer is no, that data has to be deleted. Data also has to be accurate. If a data subject feels that the data you have about them is inaccurate and they request that you change it, it's important that you follow that request very quickly, otherwise you can be found to be in infringement of GDPR. Also, it has to be retained only as long as necessary. You can't hold onto that data for longer than you actually need it for the task that you're performing.
And then finally, securing that data is vital. Not just the data itself, but the systems and the ecosystem that it lives within, making sure that those are secure. There's a whole section on breach notification too. So if you are unfortunate enough to be breached, you have to make sure you have good incident response in place to be able to handle that breach and do what you can to limit the damage to the data subjects if their data is breached and removed from your organization. If you need further help, please have a look at the links at the bottom of the screen here, and we'll see you again soon. Thank you.