What You Need to Know About GDPR
What Exactly Is GDPR?
The General Data Protection Regulation (“GDPR”) was instituted by the European Union to protect the data privacy of its citizens, allow individuals to regain control over their personal data, and level the playing field for businesses. GDPR became effective May 25, 2018. As of that date, all organizations that process EU citizens’ personal data, regardless of where they operate, are required to comply with the regulation. Personal data is any information relating to a living individual (specifically in the EU), and the regulation applies to any organization that processes the personal data of EU residents. Examples of personal data types identified on the European Commission website include name, home address, email address (as long as it is not anonymous in nature) and location data. Examples of personal data processing include collection, recording, storage, use, dissemination or otherwise making it available, and erasure or destruction.
Path to Compliance
What should your organization do to become GDPR compliant? First and foremost, implement and strengthen appropriate organizational controls to ensure that employee, customer, and third-party data is appropriately secured. Proper implementation of controls surrounding data minimization, data encryption and data retention is imperative to the security of personal data. If your organization is not currently performing tasks such as backing up data, collecting and reviewing logs, and reviewing access and activity for key systems containing this information, you run the risk of a data breach.
Next, evaluate these controls to confirm they were designed properly and are operating effectively. Finally, create and implement remediation plans for controls with design and/or operating issues.
What should you do in the event of a data breach? The organization must notify the proper Data Protection Authorities within 72 hours of a breach. In addition, if the breach is significant in its size or impact on individuals, the organization must also notify the affected individuals directly.
There are consequences for failing to take the appropriate action. These may include a warning to your organization, a temporary or permanent ban on processing, and/or fines of up to 4% of the organization’s revenue. Your organization may also be liable for compensating individuals affected by the breach.
In addition to putting the proper controls in place to mitigate a breach, you need to thoroughly prepare and train employees to handle one.