The European Commission has always been mindful of the need to regulate and enforce the protection of private information of its citizens. With the constant state of change on how data is received, processed, consumed, stored, and destroyed, the European Commission proposed new guidance in 2012 called the European Union General Data Protection Regulation (GDPR). The guidance was finalized and approved in December 2016, with the new regulations coming into effect on May 25, 2018. Those that are found to be not compliant subsequent to the effective date may be fined up to 4% of annual global sales or €20 million (whichever is greater).
What constitutes personal data?
According to GDPR, personal data includes “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specified to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” As you can see, this definition is specifically broad as to include all personal identifying information.
To whom does it apply?
GDPR provides regulation that applies to any company (whether a controller or a processor) established in EU that processes personal data, regardless of whether the processing actually takes place in the EU or not. Additionally, it applies to companies NOT established in the EU if they process the personal data of EU based individuals for the purpose of: (a) offering them goods or services; or (b) monitoring their behavior within the EU (e.g. social media, online tracing, data analytics). In short, if your business processes and holds the personal data of data subjects (even website cookies) residing in the European Union (residents or visitors), GDPR would most likely apply to you.
The guidance categorizes such companies into controllers or processors. According to GDPR, controller is defined as “a person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Examples of such controllers would be Facebook and its employees. In this example, Facebook would be the controller if its employee is an EU resident. GDPR further defines processors as “a person, public authority agency or any other body which processes personal data on behalf of the controller.” Examples of a processor relationship would be Facebook and its subscribers. Ultimately, the difference in the definition rests with who is directing the use of the personal data collected.
If GDPR applies to me, what do I need to be aware of?
Besides the change in application as described above, the key changes to GDPR includes the following:
- Consent – Consent must be obtained through easily accessible forms using clear and plain language.
- Breach Notification – Any data breach that may “result in a risk for the rights and freedom of individuals” must be notified to the data subjects and supervisory authorities within 72 hours.
- Right to Access – Any data subjects may request from the data controller confirmations as to whether or not personal data concerning them is being processed, where and for what purpose. Controllers must also provide a copy of the personal data of the data subjects, free of charge, in an electronic format, when requested by the data subjects.
- Right to be Forgotten – Data subjects may request at any time for the data controller to erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Data Portability – Data subjects have the right to receive the personal data concerning them upon request in a “commonly used and machine readable format” and requires the processor or controller to assist to transmitting that data to another data controller.
- Privacy by Design – All system designs must include data protection measures. These measures should include only allowing the use of data that is absolutely necessary for processing, as well as limiting the access of personal data to those needing to act out the processing.
- Data Protection Officers and Monitoring – Processors and controllers must formally assign Data Protection Officers to perform internal recordkeeping requirements, including the monitoring of such requirements. Such monitoring requirements also include a data protection impact assessment specifically addressing GDPR requirements. Please note that while there were some discussions on potentially limiting this requirement to only companies with more than 250 employees, the final version omitted such thresholds, but instead mandates compliance to this requirement by entities that perform “regular and systematic monitoring [and processing] of data subjects on a large scale.” As such, this wording could impact small businesses as well.
What should my next step be?
Companies that are just starting out on the implementation should began by performing the following steps:
- Perform a Data Inventory – Begin by taking an inventory of your data. Understanding what data is in your system that may be subject to GDPR will help you pinpoint the area where your system maybe vulnerable. In addition, understanding the type of data subject will also help you identify what you will need to obtain in order to satisfy the data subject rights as previously mentioned in the new GDPR requirements.
- Perform a Data Protection Impact Assessment – There are many tools out there that help guide you through the new GDPR requirements. The most comprehensive and useful tool that we have found is one published by ISACA. Performing such assessments would help your company identify the control gaps that may need to be mitigated.
- Assign a Data Protection Officer – Once such control gaps are identified, the Company should assign an appropriate Data Protection Officer that will be responsible to manage the implementation of these controls.
- Design and Implement Controls to Mitigate Control Gaps – A cross-departmental steering committee may be useful in ensuring the implementation is completed successfully and timely. The team should meet regularly to ensure progress is made on the mitigation plan. When complete, this team should also meet regularly with the Data Protection Officer to monitor its progress and status.
Larson & Company can help meet with your team and perform a Data Protection Impact Assessment with your organization. We have been performing security audits for various companies in the industry over the last decade. If you are interested in scheduling an appointment to learn more about how Larson & Company may help you with your security needs, please contact firstname.lastname@example.org.