The term “business as usual” takes on a whole new meaning May 25, when the European Union’s General Data Protection Regulation (GDPR) goes into effect. This complex, game-changing law will mandate new ways of doing business in virtually every area of operations, from human resources to marketing, to technology and cybersecurity.
Is your enterprise ready?
The first-ever global privacy and security law, GDPR outlines new rules (99 of them) for protecting EU citizen data. These provisions:
- Broaden the scope of the term “personal data”;
- Grant EU citizens absolute rights over their personal data, including the “right to be forgotten”;
- Set stringent requirements for how entities process, store, and share citizen data;
- Establish rules for securing EU citizen data, including privacy protections;
- Set timelines and guidelines for responding to and reporting data breaches;
- Restrict the collection and processing of specific types of data, including that of minors;
- Require accountability for security breaches and data theft;
- Require that privacy protections be designed into business operations; and
- Impose strict penalties for noncompliance, including up to €20 million or 4% of the company’s global annual revenues.
Why is GDPR needed?
In the information age, data defines us—increasingly so as the world becomes ever more connected. The European Commission adopted the GDPR in 2016 to address growing concerns about citizens’ control of their data, to protect Europeans from the potentially devastating consequences of data and identity theft, and to harmonize the various directives and laws across the EU’s 28 member states.
In this way, GDPR is intended to make it easier for enterprises to do business with EU companies and individuals.
Under the 95/46/EC EU Data Protection Directive, businesses struggled to comply with different sets of requirements for clients and customers in different EU member states. The GDPR, however, provides a single, overarching regulatory framework that, once met for a single EU entity, will apply to all.
Does GDPR apply to me?
Almost every organization and individual doing business with citizens of the EU, even if they have no presence inside the EU, must show compliance with the GDPR by May 25th. If your business collects, processes, or stores personal information about EU citizens living in the EU, the GDPR almost certainly applies to you.
Organizations that employ or contract with EU citizens must meet GDPR requirements, as well.
If you collect, process, store, or share EU citizen personal data—defined as any information that can be used to identify someone, including, now, “pseudonymous” data processed under a false name—the GDPR applies to you.
“Personal data,” according to the regulation, includes a person’s name, address, date of birth, identification numbers, email address, and phone number.
Certain types of personal data, “special categories” under the framework, have even more restrictions. The GDPR expanded the definition of personal data to include genetic, biometric, health, and criminal data as well as information about race, gender, religious beliefs, union membership, sexual orientation and political affiliation.
“Anonymized” data, or that which is permanently encrypted or made anonymous so that its owner cannot be identified, is not governed by the GDPR.
Because the GDPR’s primary objective is protecting people and their privacy, everyone who uses EU citizen data for any business purpose is subject to its requirements—and its severe penalties for non-compliance or a breach. This includes personal information collected, processed and stored manually—written by hand and kept in a filing cabinet, for instance—as long as you organize it in an intentional way, such as in alphabetical order.
Power to the people
Once you’ve taken possession of EU citizens’ data, you will want to handle it with the utmost care. Under GDPR, EU citizens have individual rights related to the use of their personal information that could make compliance difficult unless you are processing, tagging, and tracking it properly.
Citizens’ rights begin with your asking for their name. Before collecting any information about them, you must tell them exactly how you will use it, and why. They must “opt in” and grant consent; otherwise, you can’t collect, process, or store any data they provide.
Your business issues a privacy notice to customers, you say? Chances are, it isn’t good enough. The GDPR requires that privacy notices be clear, concise, simple to read and understand. If you’re offering the long, jargon-filled document so commonly presented today—which most people notoriously do not read—you’ll have to revise it to comply.
The framework also calls on businesses to be diligent and vigilant: always on your game, where data is concerned.
For instance, if you come up with a new use for any EU citizen data you have, or you want to share it with anyone else, you must notify the individuals associated with that data and gain their consent. Under the GDPR, individuals own their data, always; businesses merely borrow it, and must handle it with care and return it whenever asked.
It is the EU citizen’s prerogative to change their mind, always. Even after they have consented to your using, storing, or sharing their data, they can revoke their permission.
The “data portability” provision lets them ask for their data to be returned to them.
The “right to erasure” provision states that, if they ask you to erase their information from your databases, you must do so “without undue delay.”
This provision, also known as the “right to be forgotten,” could pose problems for those who lack a data tracking system.
How can you erase data if you don’t know where it is? How can you tell those you’ve shared it with to remove it from their database if you haven’t recorded where it has gone?
Simply not knowing the answers to these questions could put you at risk of noncompliance.
The GDPR requires data “controllers,” or those collecting and using the information, and processors to know where EU citizen personal data is located, who can access it, and the purpose for which it is being used.
When asked, you must be able to prove that you comply, and if you are processing large amounts of data you will need to have a designated Data Protection Officer (DPO) overseeing compliance. Ideally, you want someone who has a good understanding of the operational components of your business, data protection, compliance, infrastructure, and security.
Can you do this now?
Keeping it safe
Information security goes hand-in-hand with privacy, and the GDPR has very specific requirements for securing EU citizen data and what your enterprise must do in case of a breach.
Paying a hefty fine may be one of them. If your database is hacked, EU citizen data may be compromised. There are harsh penalties for data breaches that could lead to additional fines for non-compliance.
Under GDPR, security and privacy design are required. They must be embedded into your operational processes and technology systems so that they operate automatically.
It starts with protecting EU citizens’ Personally Identifiable Information (PII) whenever it is collected, processed or stored. Furthermore, data controllers and processors can pseudonymise and encrypt personal data as a means of protection. However, both controllers and processors must have a process in place to verify the identities of those who access that data.
In addition, enterprises must:
- Continually ensure that all systems used to process EU citizen data are secure and resilient, and readily accessible in case of a breach;
- Train their employees on privacy and security awareness;
- Regularly test and evaluate information security measures;
- Work to help third-party contractors secure their data; and
- Be able to demonstrate that they comply.
If your enterprise is breached and unprotected data is exposed, the GDPR requires you to alert authorities and notify all affected consumers within 72 hours. If you have done your due diligence and securely encrypted your data, you may escape this obligation.
The ‘Zen’ mind of readiness
Clearly, for many organizations, implementing GDPR will require a significant amount of time, effort, and resources. However, to continue doing business with EU citizens and to avoid steep fines, regardless of whether you have an EU presence, you will have to demonstrate that you comply with this lengthy, complex regulation by May 25th.
For many, meeting this deadline is an intimidating prospect.
According to one report, two-thirds of businesses expect they will need to change their global business strategies to comply with the GDPR.
More than half say they expect to incur fines for non-compliance.
Your business doesn’t have to be among them. Reciprocity’s ZenGRC governance, risk, and compliance software can evaluate your systems and networks to pinpoint gaps in your GDPR compliance, freeing you from uncertainty, stress, and spreadsheets.
Our powerful tool can generate user-friendly dashboards and checklists to help you meet all 99 GDPR provisions with clarity and calm serenity.
If you act now, ZenGRC’s simple, fast deployment can help you get there before May 25th. Isn’t it time you entered the Zen ‘mind of readiness’ for the GDPR? Schedule a demo today.