May 25, 2018 is an important date for all companies that collect and store personal information on European Union (EU) citizens. It’s the date that the European General Data Protection Regulation (GDPR) comes into force. In the EU, privacy is a fundamental right. Therefore, the regulation applies to all businesses that hold and process data collected in the EU, even if the company is located outside the Union, and it covers both customers and employees.
Noncompliance with GDPR can be costly. Companies could face regulatory fines as high as four percent of their global annual turnover or €20 million, whichever is higher.
GDPR is a complex regulation. What do CISOs need to consider relative to GDPR?
1. Know what data you hold and where it resides.
Companies will need to perform a Data Protection Impact Assessment (DPIA). A DPIA identifies high-risk data processing areas and includes monitoring of individuals’ behavior. To do this, companies need to know what personal data they are collecting, where it is stored, what activity it relates to and how the data is processed. The DPIA must always be available for regulatory inspection.
Companies need to ensure that only those with a legitimate business need have access to data. Data retention and destruction policies will also need to be reviewed. Documentation of access needs and policies should be readily available for an audit.
2. Report a breach within 72 hours.
If your company experiences a data breach, you must notify the local Data Protection Authorities (DPA) in the member states of those affected within 72 hours of identifying or confirming that a data breach has occurred. Companies need to prepare with a rehearsed incident response plan and a cross-functional team including Public Relations, Legal, Compliance, IT, Privacy and Information Security.
3. Keep only the data required to do business.
The cost to store data is historically low, and many companies keep data longer than is necessary to conduct business. GDPR specifically states that data not needed to run daily operations should be destroyed, or else protected with encryption, data masking or a comparable technology.
4. Processing of data requires consent or legitimate interest.
Under GDPR, the use of data must be based on opt-in consent or must meet the definition of legitimate interest. This is the opposite of many U.S. regulations, where only providing an opt-out is required. Consent must be documented, separate from other terms and conditions, cannot include pre-checked boxes, must specifically state the use case of the data being processed, must list any third parties that will also rely on this consent, and the user must be able to withdraw the consent.
5. Don’t delay and start planning now!
GDPR significantly impacts how companies collect, store and transfer personal data. Ongoing compliance with GDPR should also be part of the planning exercises. Get started now on crafting a plan, securing resources and budget, and determining any assistance you will need from external legal counsel and consultants.
Want to learn more about Atlanta’s cybersecurity ecosystem? Join us October 2 – 6, 2017 for Atlanta Cyber Week. For more information on the events of Atlanta Cyber Week, visit www.atlcyberweek.com.
Jodi Daniels is founder of Red Clover Advisors, a privacy and data strategy consultancy firm.