After four years of preparation and debate, the General Data Protection Regulation (GDPR) was approved by the EU Parliament on April 14, 2016. It will enter into force 20 days after its publication in the EU Official Journal and will apply directly in all member states (and to any companies outside the EU that do business with, or store client data of EU citizens relating to, companies within those member states) two years after that date. Official enforcement begins May 25, 2018 – at which time organizations not in full GDPR compliance will face heavy fines.
The General Data Protection Regulation is in the news these days — for good reason. This sweeping new law applies to all companies that collect and process data belonging to European Union (EU) citizens, even if this is done outside of the EU. This includes companies with operations in the EU and/or a website or app that collects and processes EU citizen data.
Key areas of the legislation cover privacy rights, data security, data control, and governance. The good news is that the GDPR compliance law will be pretty much identical in all 28 EU member states, meaning companies will only have to comply with one standard.
However, the bar is set high and wide — forcing most companies to invest considerable resources in becoming compliant through what will be in some cases significant technology overhauls.
Failure to be in GDPR compliance could result in a hefty fine. If a company is found guilty of a breach that compromises an EU citizen’s data, the penalty could be up to 20 million euros or four percent of an enterprise’s worldwide revenue, whichever is larger! Putting that in perspective: a large enterprise could be fined hundreds of millions of euros for a single breach.
In addition, two pain points are conspicuous: a requirement to notify EU authorities within 72 hours of a security breach, and another to prove your company’s security approach is state-of-the-art.
What’s mandated by GDPR
Since not all GDPR compliance requirements have been finalized, some organizations have adopted a ‘wait-and-see’ approach. Let’s consider the new obligations being introduced by this regulation in the following areas:
To preserve EU subjects’ privacy, organizations must:
- Only process data for authorized purposes
- Ensure data accuracy and integrity
- Minimize the exposure of subject identities, and
- Implement workable data security measures.
Data security goes hand-in-hand with data control. GDPR puts security at the service of privacy. To preserve subjects’ privacy, organizations must implement:
- Safeguards for data that is retained for additional processing
- Data protection measures, by default
- Security as a contractual requirement, based on risk assessment, and encryption.
Right to erasure
Subject data cannot be kept indefinitely. GDPR compliance requires organizations to completely erase data from all repositories when:
- Data subjects revoke their consent
- A partner organization requests data deletion, or
- A service or agreement comes to an end.
It is worth noting, however, that subjects do not enjoy a carte blanche right for their data to be erased. If there are legal reasons — specified in the regulation — an organization can retain and process a subject’s data. Exceptions are few, however.
Risk mitigation and due diligence
Organizations must assess the risks to privacy and security, and demonstrate that they are mitigating them. This requires that they:
- Conduct a full risk assessment
- Implement measures to ensure and demonstrate compliance
- Proactively help third-party customers and partners to comply, and
- Prove full data control.
When a security breach threatens the rights and privacy of a data subject or subjects, organizations under GDPR compliance must:
- Notify authorities within 72 hours
- Describe the consequences of the breach, and
- Communicate the breach directly to all affected subjects.
6 steps to GDPR compliance
To prepare for GDPR enforcement, organizations can use this six-step process to remain in GDPR compliance:
- Understand the law
Know your obligations under GDPR as it relates to collecting, processing, and storing data, including the legislation’s many special categories.
- Create a roadmap
Perform data discovery and document everything — research, findings, decisions, actions and the risks to data.
- Know which data is regulated
First, determine if data falls under a GDPR special category. Then, classify who has access to different types of data, who shares the data, and what applications process that data.
- Begin with critical data and procedures
Assess the risks to all private data, and review policies and procedures. Apply security measures to production data containing core assets, and then extend those measures to back-ups and other repositories.
- Assess and document other risks
Investigate any other risks to data not included in previous assessments.
- Revise and repeat
Repeat steps four to six, and adjust findings where necessary.
For CSOs, GDPR provides a good opportunity to upgrade the organization’s security capabilities to both meet the regulation’s requirements and improve overall security vis-a-vis data confidentiality and privacy.
Our Managed Security Goes Well Beyond Normal Compliance Measures
Most emphasis in emerging businesses is on gaining regulatory compliance. This is necessary for winning customers and satisfying gatekeepers and provides a baseline of necessary practices. However, compliance is NOT ENOUGH to keep your business secure. “Compliant” businesses are compromised all the time. Compliance is a periodic snapshot. Requirements move slowly. Cyber-criminals move much faster, and always will.
Managed security services from KalioTek, however, will fill the gap. We can blend these services in our IT+Security Managed Services or provide them separately as Managed Security Services, working with your internal IT team.
In-house operational IT teams do not manage security well. IT is all about providing capability and fixing functional problems, quickly and efficiently. This focus is the enemy of security practices. A different set of eyes with different skills and clear security priorities is needed. We are those eyes. Separation of duties is required, just like in Financial Services.
Did you know…
- 84% of cyber attacks could be prevented by five security controls, and that these are not typically handled by IT staff?
- 80% of breaches involve stolen or weak credentials?
- Small and emerging businesses are most at risk, incurring 2/3 of the attacks?
Let us show you how you can easily have affordable and consistent IT security that guarantees compliance with a wide range of regulations.
Doing Business with EU Citizens or Companies? Get and Stay in Complete GDPR Compliance Now.
We deliver the managed security services that companies across Silicon Valley and San Francisco Bay Area rely on every day. Partner with KalioTek now for total GDPR compliance and complete data security confidence and freedom from worry – contact us at email@example.com or +1 (408) 550-8000 for more information or to get started right away.