On May 25, 2018, the most comprehensive modification to data protection in over two decades becomes effective: the European General Data Protection Regulation (EU GDPR). The GDPR consists of 11 chapters and 91 articles that outline the specific requirements and regulations organizations must comply with pertaining to the rights of individuals and their personal data.
While there are clear benefits to GDPR, not only for individuals but for enterprises as well, the change is nonetheless a major one, and many companies may be struggling to determine exactly what changes they’ll need to make to ensure compliance. We’ve put together this comprehensive guide to help you make sense of the new regulations and understand the steps you’ll need to take to bring your company into compliance.
For an easy-to-use, step-by-step checklist, download our interactive GDPR Compliance Checklist.
The primary objective of the GDPR is to improve data and privacy protection for EU residents, while also simplifying regulations for global enterprises. The GDPR states that organizations are required to provide a “reasonable” layer of protection over personal data, with personal data being defined as ANY data that can be used to identify an individual. This broader definition is one of the major shifts under GDPR, with things like genetic and mental information, as well as cultural, economic, and social information now falling under the definition of personal data.
Individuals residing in the EU benefit from enhanced privacy thanks to GDPR, as well as greater transparency into any potential risks resulting from data breaches, as companies are now required to notify all affected individuals in the event of a breach. Companies are now required to be more transparent about obtaining consent from individuals to collect and use their personal data, using simple language when asking for consent and being clear about how the information will be used.
Companies that already comply with the Data Protection Act (DPA) may find many of GDPR’s main principles familiar. These organizations can use their DPA approach as a starting point.
The EU GDPR is now a regulation that applies to each member state of the EU, so it actually works to eliminate many inconsistencies associated with local laws. It’s also a benefit to international enterprises, as they no longer have to navigate and comply with several data privacy and protection laws for individual states in the EU; instead, all such regulations will now exist as a part of the broader GDPR. Additionally, GDPR is a comprehensive regulation that provides a more straightforward approach related to personal data processing for companies entering the EU market.
Note that this umbrella now includes companies that, under the previous Data Protection Directive (DPD), were able to skirt around compliance requirements by maintaining their data processing outside the EU, a practice that was commonly used by service or app providers. While this was a grey area even under the DPD, the GDPR now makes it clear that these organizations must comply.
There are some exceptions, however. While GDPR requires compliance from small-to-medium sized enterprises (SMEs) and major enterprises alike, there is an exception for companies with 250 or fewer employees, as smaller companies are likely to pose a smaller privacy risk to data subjects. According to GDPR Article 30, organizations with fewer than 250 employees are not required to maintain a record of processing activities under their responsibility, “unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.”
GDPR is a comprehensive set of rules and regulations, and there are several important steps organizations must carry out in order to comply, such as:
New policies will have to be formed around how organizations engage with individuals, how they handle permissions, and how they communicate about the activities that involve personal data. If a security breach does occur, companies must notify the regulators and, in some scenarios, the individuals affected by the breach.
Individuals have important rights under GDPR including:
To avoid fines and other penalties for non-compliance, CISOs will need to have an in-depth understanding of where personally identifiable information is stored and processed throughout the organization. Should an individual request that their personal data be deleted, organizations must be able to find and destroy all copies of this data in a timely fashion.
In some cases, organizations may want or need to maintain personal data about an individual who requests deletion. CISOs should have a clear plan and process in place for identifying and responding to those cases. For individuals requesting that their data not be processed, companies should have procedures in place to temporarily remove that person’s data to avoid further processing and flag the data to make it clear that processing is restricted.
These processes are no small task. According to a report in Computer Business Review, “Analysts estimate the cost of enabling customers to request Fortune 500 companies to find and delete data held on them could hit $7.8bn, the FT reports. This amounts to a rough average of $16m outlay per organisation.”
Within the GDPR, three of the 91 articles deal with breaches. According to the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The Information Commissioner’s Office (ICO) explains that a personal data breach, therefore, does not refer only to the actual loss of personal data. “A hospital could be responsible for a personal data breach if a patient’s health record is inappropriately accessed due to a lack of appropriate internal controls,” the ICO explains.
Most of the GDPR revolves around how companies collect data, how they inform their clients of their data storage practices, how they store personal data, and who is allowed to access the personal data. The legislation also identifies two types of data handlers: processors and controllers. Article 4 of the GDPR defines each of these types of data handlers as follows:
In general, a controller decides how personal data is processed, while a processor, as the term suggests, carries out the actual processing of data based on direction from the controller. Controllers are responsible for ensuring that any and all processors they do business with are in compliance with GDPR, although both processors and controllers can be liable if they’re responsible for a breach.
Other major points of the GDPR legislation include:
Based on the GDPR, all companies amassing personal data must prove they have clear consent to process the data. This may be one of the biggest challenges many organizations will face. Silence or non-responsiveness in response to requests for consent will no longer constitute consent – in other words, consent must be clear and affirmative, and companies should be prepared to prove that clear and affirmative consent was obtained. Otherwise, authorities can put an end to personal data processing activities.
Currently, the Subject Access Request (SAR) rules allow EU-based businesses to charge £10 for personal data requests. That will change in May 2018. The GDPR stipulates that when someone requests their personal data, companies must hand it over within one month, free of charge. Moreover, every data subject will have the right to know whether a company holds information on them, along with other supplementary information. This gives data subjects much more control over their information.
While there are a few exceptions, data subjects must also receive information if a decision has been made about them. This also means that companies must be able to provide all personal data stored about an individual in a readable, commonly used format, in the event that a data subject requests that information – and they must be able to do so promptly.
“The GDPR regulation is very clear on what needs to be done to protect the Data Citizen’s rights, but the open question most companies are facing is how to comply with the regulation and/or go beyond the minimum and make GDPR work for them,” says Collibra. The answer to this question, according to Collibra, lies in a robust data governance program, one that takes both a top-down and bottom-up approach.
In the top-down approach, the GDPR team aims to gain an in-depth understanding of all business processes that involve personal data in any way. For every process involving personal data, a number of factors must be understood, including, but not limited to:
Top-down data governance will be an ongoing process by necessity. After all data processes are identified and categorized, they will require ongoing maintenance as the company’s processes and infrastructure evolve over time.
The bottom-up approach, on the other hand, is more technical in nature. Companies that have already established metadata management tools are at a slight advantage. As Collibra points out, metadata solutions can be used “to identify personally identifiable information (PII) and attempt to categorize these data elements and assign the relevant attributes for GDPR.” However, bottlenecks can result as the same data is often used for multiple business purposes, making classification difficult.
A risk-based approach is required, meaning companies will need risk metrics in order to distinguish the high-risk processes and data elements from those with lower risk. For high-risk processes and data elements, a Data Protection Impact Assessment is in order, and mitigation (such as pseudonymization and anonymization) is required to lower the risk.
The GDPR is a lengthy text, and it’s imperative that organizations that must comply with the regulations are familiar with all the requirements. The following articles are particularly relevant for companies that are implementing processes and procedures to ensure compliance.
Article 25(1). Organizations must implement principles such as data minimization to protect the rights of individuals, or “data subjects.” These rights include, but are not limited to the following:
Companies must use both organizational and technical methods for compliance, with the goal of ensuring that only the personal data necessary for the specific purpose is processed. “That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”
Article 32. This article states that companies must find, implement, and update current security measures in order to ensure a level of security that’s appropriate for the risk (thus the need for companies to have the ability to classify data and processes according to the level of risk), including:
Article 5(2). This article pertains to the principles relating to the processing of personal data, including the requirement that personal data is processed “lawfully, fairly and in a transparent manner in relation to the data subject,” that personal data is collected for legitimate, specified purposes and not further processed for any reason that’s incompatible with those purposes, and that only the data that is relevant and necessary for that purpose is processed. Article 5(2) further clarifies that data found to be inaccurate should be erased or corrected without delay, that data is only kept in a form that can be used to identify subjects for as long as necessary, and that data must be processed in a way that ensures appropriate security. Finally, controllers must be able to demonstrate compliance with these requirements.
Article 30. Also related to data processing, Article 30 states that controllers and processors are required to maintain a record of all processing activities under the controller’s responsibility. The Article specifies the information that must be maintained in this record for controllers and processors, respectively, including information such as the name and contact information for the controller or processor, categories of data subjects and data, the purpose of the processing, categories of recipients of the data, and other specifics.
Article 17. Article 17 covers the right of individuals to request that their personal data be erased. When an individual requests erasure, the controller is obligated to delete the data when:
If a controller has made the data public, they must make a reasonable effort to inform any other controllers processing the individual’s data of the erasure request. Article 17 further outlines the legal grounds that may negate a controller’s obligation to comply with an individual’s request for the deletion of their personal data.
Article 18. Article 18 covers the individual’s “right to restricted processing.” What this means is that data subjects have the right to request that the processing of their personal data is restricted under the following conditions:
In cases when the processing of an individual’s data is restricted, the controller must notify the subject prior to lifting that restriction.
Article 33. Article 33 relates to the notifications controllers are required to make when a breach has occurred. Specifically, Article 33 requires controllers to notify the supervisory authority of a breach within 72 hours after they become aware of it. If the breach is unlikely to result in “a risk to the rights and freedoms of natural persons,” notification is not required. If the notification is taking place more than 72 hours after the controller becomes aware of the breach, they must also provide an explanation for the delay. When processors become aware of a breach, they must notify the controller without delay.
Notifications must include specific information about the breach, including:
Article 34. Like Article 33, Article 34 outlines the notification requirements following a personal data breach, but this article focuses on the notifications controllers must make to affected data subjects. Notification to data subjects is required only when the breach “is likely to result in a high risk to the rights and freedoms of natural persons.” When that’s the case, controllers must notify affected individuals without delay, in clear and plain language, including information about the nature of the breach, as well as much of the information required in notifications to supervisory authorities (found in Article 33). Article 34 also outlines several exceptions to this notification requirement, such as when the data is encrypted and indecipherable to anyone without authorization to access it.
Article 31. Article 31 states that controllers are required to cooperate with supervisory authorities.
Article 32. Article 32 relates to the “security of processing,” outlining the requirements for controllers to take technical and organizational measures “to ensure a level of security appropriate to the risk” in processing personal data, based on the nature of the data and the processing, as well as the likelihood and severity of the risks.
Article 45. This article relates to the obligation of international companies that collect and process the personal data of EU citizens to comply with GDPR requirements. Specifically, Article 45 explains the process of the Commission in determining whether an international organization ensures an adequate level of protection to allow the transfer of data to those entities.
The GDPR makes it clear that companies must demonstrate they are taking relevant measures to keep personal data secure, such as:
These requirements do not go away when a business works with a third-party service or a partner. All contracts must ensure continued compliance in terms of mitigating potential risks.
Note that the GDPR doesn’t offer a prescriptive approach to dictate precisely how organizations should achieve these goals. Instead, GDPR outlines the requirements, and organizations are then tasked with conducting their own risk assessments and implementing the appropriate organizational and technical safeguards to minimize risks to data subjects.
GDPR also expands responsibility, making processors, as well as controllers, liable for the adequate protection of data. That means controllers will need to be increasingly diligent in ensuring that processors and business associates have appropriate safeguards in place. Additionally, processors are no longer permitted to enlist other data processors without the explicit consent of the controller. Processors and controllers are now required to have contracts in place that describe the data involved in processing and the security measures that are in place to protect it.
Based on a PwC survey, 68 percent of U.S.-based companies expect to spend between $1 million and $10 million to ensure GDPR compliance. In addition, nine percent expect to spend over $10 million. Only 24 percent of respondents plan to spend under $1 million.
PwC also identified several trends related to the way that U.S. companies plan to respond to GDPR, including:
The survey also found that binding corporate rules are gaining popularity in response to GDPR. When asked about the cross-border data-transfer mechanism they intend to use to process EU data outside of Europe:
Supervisory authorities have the right to impose fines for non-compliance, in varying amounts based on:
If non-compliance is determined to be related to technical measures (e.g., impact assessments or breach notifications), the fine imposed may be up to €10 million or 2% of global annual turnover (from the prior year), whichever is greater.
If the fine is imposed as a result of non-compliance with key provisions of the GDPR, such as transferring data to processors that don’t have adequate data protection measures in place, fines imposed may be up to €20 million or 4% of global annual turnover for the prior year, whichever is greater.
What happens if an organization has infringed on multiple provisions of the GDPR? It’s not all bad news: Rather than being fined separately for each provision, organizations will be fined based on the gravest infringement. Fines may be imposed for any infringement on any provision of the GDPR, including infringements on:
For example, a company may be subject to fines for the following:
While these fines are substantial, supervisory authorities have the discretion to issue warnings, orders, and reprimands rather than immediately imposing fines. Because the fines are prohibitive, any company doing business in the EU or handling the personal data of EU data subjects should take immediate steps to ensure complete compliance and mitigate the financial risk of non-compliance. Additionally, investing in cyber insurance is an option many companies may choose to exercise to protect their financial interests in the event of inadvertent infringements; however, cyber insurance typically covers only the costs involved in investigating and addressing the breach itself, and not indirect consequences such as regulatory fines and penalties.
For many organizations, GDPR compliance means a significant change to their information security policies and procedures, meaning that staff training is imperative. Every employee needs to have a thorough understanding of their individual responsibilities.
Since data breaches can cost companies millions of dollars in losses – not just from the breach itself, but also from the negative publicity – prevention is the best medicine. Unfortunately, many data breaches occur as the result of human error – often, employee error. To minimize the risk of non-compliance, there are a few best practices for employee training, including:
For more information on GDPR requirements and what your company needs to do to ensure compliance, visit the following resources:
The GDPR greatly improves the privacy of individuals residing in the EU through regulations that give them increased rights related to how their data is used and processed as well as greater transparency into when and why their data is being used. For some organizations, compliance may be an uphill, ongoing battle, but non-compliance is a costly risk no organization wants to take. Understanding the key provisions of the GDPR and the steps your company should take immediately to ensure compliance is a must for any organization that controls or processes the personal data of EU subjects, followed by ongoing auditing, improvements, and due diligence. When you’re ready to get started, get a comprehensive list of action steps you need to take to ensure compliance by downloading our interactive GDPR Compliance Checklist.
NGDATA helps brands in data-driven industries, such as financial services, telecom, utilities and hospitality, to drive connected experiences. Our Next Generation Customer Data Platform, Lily™, puts people at the center of every business via Lily’s Customer DNA, which continuously learns from behavior to deliver compelling experiences for companies such as Belfius Bank, Innogy and Telenet. NGDATA is headquartered in Gent, Belgium and has offices in the United States, Europe and Asia-Pacific.