When it comes to organizations incorporated and operating out of the United States, General Data Protection Regulation (GDPR) compliance can be confusing.
Many people struggle to understand what exactly is the GDPR and whether it applies to all organizations.
On May 25, 2018, the European Union (EU) via the European Parliament, signed into law the GDPR, to an enhance Directive 95/46/EC. GDPR mandates the protection of personal information data and privacy for citizens in the European Union and the European Economic Area (EEA).
Does this mean that a company outside the EU/EEA shouldn’t have to worry about GDPR or that it doesn’t apply? Not quite.
Should your organization do business with citizens or the EU/EEA, you need to comply with GDPR. That said, how exactly does an organization in the United States comply with GDPR?
. During the assessment, you should ask questions like, “What personal data does your organization collect, process or store?” and, “Does any of it belong to EU citizens?”
If you find that your organization does collect, process or store data of EU citizens, GDPR applies to you. If your organization answered “No” to all of the above questions, congratulations, you could stop reading as you are not subject to GDPR compliance laws.
Notify your customers why you are processing their data
The GDPR granted EU citizens eight fundamental rights, one of which is the right to be forgotten also known as the right to erasure. One of the ways that organizations can adhere to GDPR compliance requirements is to obtain consent before you collect, process or store personal information on any EU citizen. Additionally, you should ensure that the data you collect, store or process is done for a specific business purpose and that it meets the guidelines of lawful basis for processing (for more information see Article6(1), Article 6(2) and Recital 40).
Assess your data processing activities to improve protection
To improve data privacy and protection, a Data Protection Impact Assessment should be conducted. The impact assessment will help an organization better understand risk, deficiencies related to data security and privacy. The impact assessment results will help an organization implement the right data security tools, policies and practices like data encryption, data classification, and sensitive data discovery. Organizations need to consider security in the initial architecture, how data is stored as well as how it is processed and with whom data is shared.
Secure and update a data processing agreements with your vendors
Many data breaches in recent memory were caused in part by third parties. Target was breached by excessive access granted to an HVAC vendor and Capital One by an AWS/WAF vulnerability. Regardless, as a data processor, your organization will be held partially responsible if a third party vendor your organization depends on violates GDPR compliance. Make sure your organization has a data processing agreement with each of your vendors (including cloud and subcontractors that are handling the processing of personal data) that outlines security, rights and responsibilities for each party.
Champion the need for a Data Protection Officer
A Data Protection Officer (DPO) is not required to sit on the board or be an executive. Plenty of organizations have appointed a DPO in a manager or director role, but the individual must be technical, understand the business, and know when to seek legal advice. The DPO has six primary responsibilities:
- Correspond with data subjects related to the processing of their personal data
- Become the voice of GDPR in their organization
- Monitor GDPR compliance, train staff and perform audits
- Conduct data privacy impact assessments
- Work with EU data protection authorities regarding oversight, guidance, and protection
- Execute data protection activities based on the EU Supervisory Authority mandates
Designate a representative in the EU
Article 27 of GDPR outlines which non-EU organizations need to appoint a representative based in the EU and outlines where the representative needs to reside. The representative will need written authorization to act on your organization’s behalf in matters related to GDPR and will be subject to legal action in the event of non-compliance.
Know what do if there is a data breach
It’s not if your organization will be breached, but when.
Given this prophecy, what will your organization do if they are breached and under GDPR mandates? A good first step before or after a breach is to implement several cybersecurity control mechanisms to lessen the impact of a breach:
- Adopt strong authentication to data access—Adaptive authentication needs to be leveraged to protect access to data better. Adaptive authentication includes something you know, something you have, something you are, what device you are accessing from, and your location.
- Data Encryption—Encrypting data is one of the best breach prevention mechanisms. Leaked encrypted data is useless as it needs a key to decrypt it.
- Digital Rights Management (DRM)—Similar to data encryption, DRM enforces strong controls and encryption on data and is only accessible once a user has been authenticated, typically leveraging adaptive authentication.
The use of the above three preventative measures greatly decreases the amount of a fine your organization would otherwise have received, should a breach occur. GDPR regulations call for immediate notification to your customers, especially if customer data was impacted.
Comply with cross-border transfer laws
The EU is very strict when it comes to EU citizens’ personal data being transferred to non-EU countries. There are hard requirements for any organization that is looking to move data in such a way. Organizations are required to comply with an additional component known as a Privacy Shield Framework (PSF). The PSF was designed jointly by the U.S. Department of Commerce and the European Commission.
Should your organization fail to comply with GDPR requirements, there are stiff penalties to consider. Large scale GDPR fines range from 4% of annual global revenue with a maximum of 20 million Euros, meaning whichever one is greater is the fine you will incur.
The right to be forgotten is a liberating freedom granted to EU citizens. The right to have personal data deleted from processors and controllers alike is sending waves through other countries resulting in changes to data protection mandates. It is important to follow the steps outlined in this blog to understand if GDPR applies to your organization and if it does, how you go about complying with the mandate.
Remember, when it comes to GDPR compliance, time is of the essence. There are specific rights that EU citizens have, and the time frame is very important. Breach notification, as well as notification of erasure, must be done in a 72-hour timeframe. Your organization must also prove that you did what you said you were going to do. Following these straight forward GDPR tips will ensure your continued compliance.