What you need to know now about the EU’s General Data Protection Regulation (GDPR).
CISSP, CISA, QSA, PA-QSA
This post is the first of a three-part series in which we will cover basics and requirements of the GDPR. This series is based on our recent “GDPR 101” Webinar. You can watch and listen here.
Who does the EU GDPR apply to?
The EU GDPR applies to any organization that handles the Personally Identifiable Information (PII) of European Union (EU) citizens. Whether an organization is in America, Europe, or somewhere else in the world—the GDPR may apply if it handles the PII of EU citizens.
SEE ALSO: Complying with the GDPR: What You Should Know
What is GDPR?
The GDPR replaces the 1995 EU Data Protection Directive. The new GDPR legislation is meant to unite and harmonize privacy laws across the EU. Before the GDPR, different businesses throughout the EU did slightly different things for data protection.
After four years of preparation and debate, the GDPR was approved by EU parliament on April 14, 2016. It went into effect 20 days after being approved and will be directly applicable for all member states two years later on May 25, 2018. After this date, organizations that are not following the GDPR could potentially face severe fines.
At this time, no one can guarantee how severe fines will be, or what types of businesses may be examined for non-compliance first, but after May 25th GDPR becomes enforceable.
Some aspects of the GDPR are easy to interpret. For example, the GDPR says that data owners are required to have an opt-in choice presented to them before a company can begin storing, processing or transmitting their personal information. This requirement is clear, and one could easily determine whether or not that requirement has been met.
However, other aspects are more difficult to interpret. The GDPR states, “protect your data by design and default.” It’s difficult to know if you are perfectly compliant or meeting a specific GDPR requirement according to this statement.
Even though GDPR compliance isn’t currently as well-defined as Payment Card Industry Data Security Standard (PCI DSS) compliance, it’s important to be aware, be concerned, and be reasonable. It’s impossible to say with absolute clarity that an entity is 100% compliant with GDPR, because associated testing procedures are not specifically defined. Perhaps this will come later; various supervisory authorities are working on checklists and similar guidance, which indicates that there will likely be more specific audit protocols as time goes on.
For the time being, you can actively and carefully address GDPR regulations, document your efforts, collect your results, and show risk analysis/assessment results.
Why Should I Care about GDPR?
GDPR guidelines state that an entity can face fines of up to 20 million Euros or 4% of their Global Annual Turnover (AKA “revenue” in the U.S.), whichever is greater. Note that this is the maximum fine amount, and there doesn’t appear to be additional guidance to describe specific fine structure for various types of data compromise or general lack of preparation, other than the regulation stating that a fine could be less than 4%, (e.g., 2% of revenue or 10 million Euros).
We want to reiterate that we’re not saying the sky is falling. But, you should be aware of these regulations and make plans for any necessary changes.
Part 2 of this blog series will go into more depth on terms and definitions, but it’s important to understand the difference between Data Processors and Data Controllers and know that the GDPR rules and requirements apply to both of them:
- Data Controller: Entities or individuals that need to process personal data in order to do business. They determine the purposes for which and the manner in which the personal data is processed.
- Data Processors: Processors take and/or process personal data on behalf of the Controller.
You have until May 25, 2018 to start complying with GDPR regulations. Right now, we don’t know what types of organizations the governing bodies will go after, or how aggressively. All we know is that after May 25 of this year, they can.
If your company has poor security practices that endanger personal information, it makes sense that you could get in trouble according to these EU laws and regulations. On the other hand, if your company takes data security seriously and is actively moving towards alignment with the GDPR or other data security standards, you will naturally fair better.
Remember, May 25, 2018 is not the end of the world. We all tend to fear the worst when a line is drawn in the sand, but someone has to draw one to get us all moving.
As security professionals, it’s our job to help companies clear up security issues. Our experience shows that addressing security and compliance problems may take time. The community has known about this regulation for two years now, so ignoring these regulations will not make them go away. Get started soon and you will see real progress.
Showing real progress in securing PII is important because this demonstrates you’re working towards compliance. If you were to experience a data breach but couldn’t show any proactive work towards security, enforcement of the regulation could be stricter.
If you’re looking to learn more about the GDPR, the Information Commissioner’s Office (ICO) is a UK organization that was set up to uphold information rights for UK citizens.
SEE ALSO: PIIscan: Find and Secure Unencrypted Personal Data
Part 2 of The GDPR 101 Blog Series
Watch for part 2 of our GDPR 101 blog series, which will cover specific terms, requirements, and details of the GDPR.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is Senior VP of Security Assessments at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.