For any businesses that handle data for customers in Europe, taking the General Data Protection Regulation (GDPR) lightly would be a big mistake.
GDPR is a set of rules created by the European Parliament, European Council and European Commission, and it is designed to bolster data protection for citizens who reside within the European Union (EU). The rules also address the export of personal data outside the EU.
After four years of preparation, GDPR was approved by the EU Parliament in April 2016. The regulation replaces the Data Protection Directive 95/46/EC, and is designed to harmonize data privacy laws across Europe, to protect the data privacy of all EU citizens and transform the way organizations in the region handle data privacy.
Although GDPR doesn’t officially take effect until May 2018, following a two-year transition period, companies need to begin planning for compliance now—if they haven’t already. That includes any managed service providers (MSPs) that handle data for corporate and individual customers in Europe.
The articles that make up GDPR cover an array of cyber security requirements. For example, they require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure; have in place notification mechanisms for data breaches; and perform data protection impact assessments to identify risks to consumer data and data protection compliance reviews to ensure those risks are addressed.
Some companies will be required to appoint data protection officers. Specifically, any business that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer. These officers will advise companies about compliance with the regulation.
The risks of non-compliance with GDPR include potentially steep fines. According to the regulation, penalties for non-compliance can total up to 4% of a violating company’s global annual revenue, depending on the nature of the security offence.
In addition to direct monetary impact, organizations can expect to experience the negative publicity that would result from non-compliance with the rules and the impact that would have on the organization’s reputation.
While the regulation will likely have the biggest impact on European companies, it will affect any global organization that touches the data of European citizens. A survey of 200 U.S.-based IT, security and business executives conducted by consulting firm PwC in December 2016 showed that 54% said GDPR readiness is the highest priority on their data-privacy and security agenda.
Another 38% of the survey respondents said GDPR is one of several top priorities, while only 7% said it is not a top priority. Compliance is no small financial matter for these companies. About three quarters (77%) said their organization plans to spend $1 million or more on GDPR compliance efforts. Nine percent expect to spend more than $10 million to address GDPR obligations.
Among the 23% of survey respondents that haven’t begun preparing for GDPR, the top priorities are data discovery, information security enhancement, third-party risk management and GDPR gap assessment. Among the 71% that have begun GDPR preparation, the most-cited initiatives underway are information security, privacy policies, GDPR gap assessment and data discovery.
And of the 6% that have completed GDPR preparations, the most-cited projects are information security, GDPR gap assessment, data discovery, and third-party risk management.
Research firm Gartner Inc. predicts that by the end of 2018 more than half of companies impacted by GDPR will not be in full compliance with the requirements.
Gartner recommends that companies focus on five high-priority areas in order to be ready to meet GDPR requirements.
First, they should determine their role under the GDPR. As mentioned, the regulation applies not only to businesses in the EU but to organizations outside the region that process personal data for the offering of goods and services to the EU.
Second, appoint a data protection officer. In fact, many organizations are required to appoint such an officer, a step that’s especially important if the organization is a public body, carries out processing operations that require regular monitoring, or has large-scale processing activities, Gartner said.
Third, demonstrate accountability in all processing activities. Data quality and relevance should be decided upon when starting a new processing activity, Gartner said. This will help companies to maintain compliance in future personal data processing activities.
Fourth, check cross-border data flows. Data transfers to any of the 28 EU member states are still allowed, as are transfers to other countries the European Commission (EC) has deemed to have an "adequate" level of protection, Gartner noted. Outside of these areas, appropriate safeguards should be used.
Finally, prepare for data subjects exercising their rights. Data subjects have extended rights under the regulation, Gartner said, including the right to be forgotten, to data portability and to be informed of data breaches. If a company is not prepared for subjects exercising their rights, this is the time to begin implementing needed controls.