Beginning in May, enterprises collecting or processing the personal data of people in the European Union will be subject to new rules under the EU's General Data Protection Regulation (GDPR). Intended to strengthen and unify the protection of personal data across the EU, GDPR carries stiff penalties for non-compliance. Lesser violations can draw a written warning or reprimand from a national supervisory authority, the withdrawal of certifications and/or a mandatory data protection audit.
For the most serious infringements, such as breaching the basic processing principles (including integrity and confidentiality of personal data) or ignoring data subjects' rights, enterprises face fines of up to 4 percent of annual worldwide turnover or €20 million (roughly $22 million), whichever is greater. A lower tier of up to 2 percent or €10 million applies to failures of the security and breach-notification duties themselves. To put that into perspective, for a major company like Apple, a top-tier GDPR fine could reach about $9.3 billion based on its annual revenue.
With the GDPR deadline of May 25, 2018 rapidly approaching, businesses need to start preparing for stricter data regulations. Due to the complexity of existing infrastructures and the abundance of data collected over time, enterprises will need to invest time and resources to avoid heavy fines once new privacy regulations are implemented. Adequate preparation begins with an understanding of who is covered under GDPR, what type of data it regulates and available solutions to help organizations comply with GDPR standards.
Determining who is covered under GDPR and what type of data is protected
Although the name suggests GDPR applies only to businesses operating in Europe, it also reaches enterprises outside the EU that offer goods or services to people in the EU or monitor their behaviour, regardless of those people's citizenship. This means even businesses based in the United States must be capable of handling privacy-related requests from EU residents. Specifically, GDPR applies to businesses that operate in one or both of the following roles:
- Controllers that decide how data is used: Businesses that determine the purposes and means of processing personal data, and are responsible for its keeping and use, are controllers under GDPR. These entities, such as a pharmacy or a tax authority, collect personal data such as names, email addresses and the locations of individuals.
- Processors that process data on behalf of controllers: Processors handle personal data on a controller's behalf and on its documented instructions. A payroll company or cloud service provider contracted to provide a particular data service, for example, is a processor.
Under GDPR, "personal data" means any information relating to an identified or identifiable individual, whether the identification is direct or indirect; social media posts, IP addresses and medical records all qualify. Since "personal data" covers such a variety of information, businesses should start reviewing what information they currently collect and store to avoid costly penalties.
Enterprises need to strengthen data security and prioritize the customer’s right to privacy
Once businesses determine the role they play in data collection and processing, the next step is to evaluate their overall readiness, and then identify and mitigate security risks. Public authorities, along with organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, must appoint a data protection officer (DPO) to advise on compliance requirements and monitor adherence, including through routine audits.
Both controllers and processors should expect to see more data subjects exercising their rights under GDPR, including the right to data erasure and the right to be informed when their information is used and by whom.
Establishing privacy principles that meet the standards of GDPR starts with understanding and organizing sensitive information to meet the guidelines for data management. With the May deadline looming, here are several steps businesses can take to ensure their organizations are ready to comply with GDPR:
- Audit internal applications and devices. Personal data under GDPR ranges from a name, a photo or an email address to social networking posts, medical information or an IP address. An audit of internal applications and devices will therefore help ensure enterprise-wide compliance and protection of personal data. Companies should begin by assessing third-party vendors through which data may pass or be stored, internal applications, and departmental resources like workstations and phones.
- Be ready to act when a breach does occur. When attackers gain access to personal data, controllers must notify the supervisory authority within 72 hours of becoming aware of the breach (where feasible) and must inform the affected data subjects without undue delay when the breach is likely to result in a high risk to them; processors must notify their controller without undue delay. Controllers must also prepare for investigations to prove they took the necessary measures to protect personal data. Enterprises will be expected to demonstrate adherence to data protection guidelines, and should have the necessary documents and proof on hand for review by compliance authorities.
- Enforce privacy by design. GDPR requires data protection by design and by default, so enterprise systems must be built with data privacy in mind from the outset. No more bolting on additional security measures to existing products and services; under GDPR, companies are expected to build privacy into every process. To further strengthen security, enterprises should also minimise and control access to personal data, and pseudonymise or encrypt the personal data they collect and process. Note that pseudonymised data is still personal data under GDPR, because it can be re-identified with the key or lookup table; only truly anonymised data falls outside the regulation.
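The following is an added example, not code from the original article, showing what data minimisation and pseudonymisation look like in practice for the analytics copy of a customer dataset. It uses only the Python standard library; the sample records, the field names and the key are constructed for illustration (in production the key would come from a secrets manager and the lookup table would sit behind separate access controls). The same pseudonym for the same email keeps joins working for analysts, the keyed HMAC stops anyone without the key from reversing or guessing pseudonyms from a list of likely addresses, and the erasure function shows how a data subject's request is honoured across both copies.

```python
import hashlib
import hmac

# Constructed sample records (fictitious people, RFC 5737 test addresses).
SAMPLE_RECORDS = [
    {"name": "Ann Example", "email": "ann@example.org", "ip": "203.0.113.7",
     "plan": "pro", "logins": 12},
    {"name": "Bob Example", "email": "bob@example.org", "ip": "203.0.113.8",
     "plan": "free", "logins": 3},
    {"name": "Ann Example", "email": "Ann@Example.org", "ip": "198.51.100.2",
     "plan": "pro", "logins": 1},
]

DIRECT_IDENTIFIERS = ("name", "email", "ip")  # never copied into the analytics set
ANALYTICS_FIELDS = ("plan", "logins")         # allow-list: the only fields analysts need


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym for one identifier.

    HMAC-SHA256 over the normalised value, truncated to 128 bits. Unlike a plain
    hash, it cannot be reversed by hashing a dictionary of likely e-mail addresses
    unless the attacker also holds `key`. The result is still personal data under
    GDPR, since the key holder can re-identify it.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).digest()[:16].hex()


def pseudonymise(records, key: bytes):
    """Split raw records into (analytics_copy, lookup_table).

    The analytics copy carries a pseudonymous subject id plus allow-listed fields
    only; name and IP are dropped outright (data minimisation). The lookup table
    maps pseudonym -> email so the controller can still answer access and erasure
    requests; store it separately from the analytics copy with tighter access.
    """
    analytics = []
    lookup = {}
    for record in records:
        subject = pseudonym(record["email"], key)
        lookup[subject] = record["email"].strip().lower()
        row = {"subject": subject}
        row.update({f: record[f] for f in ANALYTICS_FIELDS if f in record})
        analytics.append(row)
    return analytics, lookup


def erase_subject(email: str, key: bytes, analytics, lookup) -> int:
    """Right to erasure: drop the subject's rows and its lookup entry in place.

    Returns the number of analytics rows removed. Once the lookup entry is gone,
    nothing in the analytics copy can be tied back to the person without the key
    and the original address.
    """
    subject = pseudonym(email, key)
    before = len(analytics)
    analytics[:] = [row for row in analytics if row["subject"] != subject]
    lookup.pop(subject, None)
    return before - len(analytics)


if __name__ == "__main__":
    # Constructed key for the demo; a real deployment fetches it from a KMS.
    key = b"example-key-not-for-production"
    rows, table = pseudonymise(SAMPLE_RECORDS, key)
    for row in rows:
        print(row)
    print("lookup entries:", len(table))
    print("rows erased for ann:", erase_subject("ann@example.org", key, rows, table))
    print("remaining:", rows, table)
```

The allow-list matters more than the HMAC: "plan" and "logins" are safe to keep only because they are coarse; rare combinations of retained fields can themselves identify a person, so the audit of what each downstream consumer actually needs has to precede the pseudonymisation step.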
GDPR is a complex regulation with serious consequences for enterprises. As we approach the May 25 deadline, enterprises should prioritize GDPR compliance. Ultimately, compliance with GDPR is about more than avoiding hefty fines for non-compliance. It’s also an opportunity for businesses to strengthen their overall security and demonstrate their willingness to commit to a higher level of data privacy.