Our most common questions about the General Data Protection Regulation. 

Ben Christensen
If you’re like most business owners, you’re probably wondering if and how the new EU General Data Protection Regulation (GDPR) applies to you. We’ve received many questions about this new security mandate, and here are answers to our most frequently asked GDPR questions.

What is GDPR?

GDPR stands for General Data Protection Regulation. It was designed to harmonize data privacy laws across Europe, protect and empower all EU citizens with data privacy, and to reshape the way organizations across the region approach data privacy. This mandate replaces the 1995 EU Data Protection Directive and was finally approved by EU parliament on April 14, 2016 after four years of preparation and debate. It went into effect 20 days after its publication in the EU Official Journal—in May of 2016—and will be directly applicable in all member states two years after this date (i.e., May 25, 2018).

When will GDPR come into effect?

The effective date for the EU GDPR is May 25, 2018.

Who does the GDPR apply to? Does it apply worldwide or just to the EU community?

The GDPR applies to any organization (operating in or out of the EU) that processes any personal data, also called personally identifiable information (PII), of EU citizens—whether that organization is a cloud-storage service, university, hospital, merchant, etc.

Does the GDPR apply to organizations outside of the EU that have EU citizens inputting data into their database or website?

Yes. Even if the data subject from the EU inputs their own information, the GDPR requirements still apply.

Are payment card details (such as cardholder names and addresses) protected under GDPR?

Yes. Personal data includes things like name, address, email, IP address, etc.—data that can directly or indirectly identify a person. Even the magnetic card stripe (also known as track data) contains the cardholder’s name.


If I’m already PCI compliant, does that cover GDPR?

No, but there are data security controls that will cross over. The GDPR scope will likely be much larger than PCI DSS requirements, as it includes all personal data, not just payment card details.

How does the GDPR impact small businesses? Especially for those with minimal credit card transactions.

There may be some requirements of the GDPR (for instance, keeping “records of processing activities” under Article 30) that will not apply to organizations with fewer than 250 employees. However, there are stipulations to rules like these, and to be safe, you should consult a data security and compliance expert.

What are the possible penalties for noncompliance with GDPR requirements?

Organizations can be fined up to 4% of annual global turnover (aka revenue) or €20 Million—whichever is greater—for violation of GDPR. These are the maximum fines that can be imposed for the most serious infringements, like insufficient customer consent to process data or violation of the core “Privacy by Design” concepts.

According to article 28, there is a tiered approach to fines. A company can be fined 2% of annual global turnover for not having their records in order, 2% for not notifying the supervising authority and data subject about a breach, and 2% for not conducting an impact assessment.

It is important to note that these fines apply to both controllers and processors, and data 'clouds' will not be exempt from GDPR enforcement.

As a result of Brexit, does the UK (and its citizens) still have to follow the GDPR? If the UK doesn't have to follow the GDPR, how will UK-based organizations be impacted by the GDPR?

Since the GDPR applies to the personal data of all EU citizens, businesses in the UK that process EU citizen data post-Brexit would still need to follow its mandates whether or not the UK retains the GDPR after Brexit is complete. UK Prime Minister Theresa May announced that the process for the UK to leave the EU would begin on March 29, 2017 and is expected to take at least two years. The effective date for the GDPR is May 25, 2018, which means there will be an overlapping window of time when the UK is still a member of the EU and the GDPR is in force.

What is the “Right to Erasure” and how will it impact organizations that are required to keep information for a certain amount of time (e.g., HIPAA requirements)?

The “Right to Erasure” is one of the individual rights named in the GDPR. It states that data subjects can request that their personal data be deleted. There are legal and legitimate reasons that organizations could be allowed to keep data beyond retention periods—even if a data subject exercises their right to erasure. For example, an organization may be required to hold records for the IRS, HIPAA requirements, PCI requirements, or legal cases. In these cases, the organization would obviously need a legal basis for keeping such data. It’s best to consult with legal counsel to understand your business’s unique position.

What other individuals’ rights are set forth in the GDPR?

SEE ALSO: GDPR Articles 12-23

How long does a controller have to notify their supervisory authority about a data breach?

Supervisory authorities must be told within 72 hours of when the controller becomes aware of a data breach—where feasible, and unless the controller can demonstrate that the breach is unlikely to result in risk to the rights of the data subject. Controllers may also give reasons for delay, if applicable.

How do we retrospectively gain consent from customers that we already market to on our existing database? 

Conditions for consent to use data are strengthened overall by the GDPR, and personal data used for marketing purposes must be approved beforehand by the customer in the form of an “opt-in” program. While each business and its operations are different, some may be wondering about old contacts, business cards, or mailing lists with data obtained before the GDPR. Depending on your business model, there could be a few ways you might be able to address this problem; however, remember that you will need to clear any solution with legal counsel:

  • If you have active customers that put data into a system you control (such as a web-based system) and they visit that system regularly, it seems reasonable to add a consent flag to their record in the database and set it the next time they log in to the system. In other words, collecting consent from active visitors after the fact could work.

  • If you own and store a large database or collection of personal data (collected pre-GDPR), this could be more difficult to deal with. You may want to consult a legal expert in that case.

Please explain how you advise a US merchant to comply with both SAQ-D and the GDPR standards, specifically the logging requirements of SAQ-D that seem to contradict the “Right to Erasure.”

PCI DSS explicitly requires logging, which is a good thing when it comes to maintaining security, detecting attacks, etc. If you’re in the PCI realm, you should continue to use logging and thorough log management. The “right to erasure” may be a tricky GDPR requirement, and one we feel will need more legal definition and precedent to be established. However, if you foresee this being an issue for your company, you should seek corporate legal counsel.

Does SecurityMetrics offer help with GDPR for small-to-medium businesses?

Yes. SecurityMetrics GDPR Defense is a new product designed to help small-to-medium businesses secure personal data and get on the path to GDPR compliance.

GDPR Defense contains the following tools to help fulfill certain GDPR requirements while also providing a central location to track, maintain, train, and report on those efforts:

  • SecurityMetrics PIIscan: Scans systems and devices for unencrypted PII. Provides file path so users can easily locate, and then delete or encrypt, sensitive data.
  • GDPR Checklist: Defines and breaks down individual GDPR requirements into simple “how to implement” steps. Checklist tracks completion dates of items and then displays that information on the GDPR Implementation Report.
  • Secure Cloud Storage: Provides secure central location for policies and procedures as well as internal data mapping documents. GDPR requires organizations to maintain policies and procedures about encryption, data retention, and data breach response. It also requires knowledge of sensitive data locations.
  • GDPR Implementation Report: Shows evidence of efforts to reach compliance in the event of an audit or data breach. Report displays percentage of implementation completed as well as progress over time.

What can large organizations do to comply with GDPR?

If you’re part of a large organization and need help with GDPR, learn more about our consulting here. 

If you have more questions about GDPR, or would like a PCI audit or HIPAA audit, please contact us.

Ben Christensen (CISA, QSA) has worked in the IT sector for over 19 years. He currently performs security assessments for merchants and service providers looking to become PCI compliant. He is also leading SecurityMetrics' GDPR efforts in developing product offerings and documentation.