GDPR - A Primer

This upcoming European Union data privacy regulation has nearly global reach. Are you ready?

What is GDPR?

GDPR stands for General Data Protection Regulation, and it spells out new, more stringent data privacy rules issued by the EU. GDPR applies to all companies processing the personal information of European citizens and goes into effect in May 2018.

Who should be most concerned with GDPR?

Given that GDPR applies to any entity processing the personal information of European citizens, it is global in nature and has a broad reach, including US-based companies conducting business in the EU. “Processing” is a broad term, but it means you’re doing something with data – whether that’s collecting, using, sharing or storing it. Likewise, personal information is also becoming a broader term, and it goes beyond the common data elements that people usually think of, such as a name, physical address, email address, or phone number. Personal information includes data elements like Social Security Number, identifiable health data, images, geolocation, IP address and even things like social identities and the unique ID associated with your smart phone.

Many smaller organizations have the common misconception that they’re not in scope for GDPR, but that’s just not the case. Regardless of volume or industry, if you’re processing EU citizen data, you’re impacted. The ‘wait and see what happens’ approach is absolutely not advised – you really need to get out in front of any compliance obligations you may have, and the sooner the better.

What are the privacy requirements for GDPR?

GDPR is vast and complex, but I believe three of the most difficult requirements for companies to meet are: consent management, to ensure that permission to process data is clear and unambiguous; the right to be forgotten, which basically states that a company needs to be able to erase, stop processing, or stop sharing an individual’s data; and the right to access and rectification, which allows individuals to access and correct their personal information. Also worth noting is the need for some companies to have a designated Data Protection Officer (or several) in place – the number of individuals needed in this role depends on the size and complexity of the organization and how data is managed. I recommend downloading our GDPR summary or checking out http://www.eugdpr.org/ for more information.

What happens if I’m not in compliance with these regulations by May 2018?

The steep financial penalties for non-compliance and the threat of being unable to conduct business are major motivators for most companies to begin preparing for the new regulations. Governing authorities can assess penalties of up to 4% of annual revenue for non-compliance – which is a lot of money no matter what size of organization is impacted. If you’re negligent and knowingly processing impacted personal information, there can be repercussions.

How do I know if I’m in compliance?

The best way to make sure you’re prepared for the impact of the new regulations next year is to first understand what data you have and how it’s used, and then conduct a GDPR-readiness assessment. It will help determine your capabilities and maturity levels around the obligations imposed by the law. I can’t urge strongly enough that companies need to start planning for this now to avoid financial and other business-related penalties.