The 2018 General Data Protection Regulation (GDPR) Compliance Overview
Requirements, Guidelines, Penalties, and Resources
By: Secureworks
GDPR, General Data Protection Regulation, is the most comprehensive overhaul of European data protection rules in over twenty years and perhaps the most significant regulatory framework to hit organizations since Sarbanes-Oxley in 2002.
The GDPR deadline is fast approaching, and if your company operates under the new legislation, compliance is a must (unless you want to be hit with some serious fines and penalties). The policies will replace regulations enacted more than two decades ago, so for many organizations, meeting the new standards will require some serious adjustments to internal operations.
To help prepare your team for the new regulations, Secureworks will provide a clear path to achieve GDPR compliance. Learn the best data management practices to follow so your company will be ready before the May 2018 deadline. We'll review key concepts, explain the requirements of the regulation, and provide the resources you'll need to follow the new legislation.
What is Personal Data?
Personal data is any piece of digital information associated with a unique individual that can directly or indirectly identify a person, including names, addresses, photos, email addresses, medical information, and more.
Sensitive personal data goes a step further and relates to information associated with a person's sexual orientation, religion, political views, and other delicate details about an individual. The new GDPR regulations protect both categories of private data.
What is GDPR?
GDPR stands for General Data Protection Regulation. The European Union developed this strict legislation to protect citizens from the newest ways companies can mishandle personal and private data. The new regulations will replace the previous legislation, including the Data Protection Act of 1998 and the 1995 Data Protection Regulation, helping to address current issues in personal data protection.
Why Do GDPR Regulations Exist?
The amount of personal data collected by organizations has significantly increased in the past couple of decades. The new GDPR legislation will hold organizations handling personal data more accountable through security regulations and strict standards of internal policy. Once implemented, businesses must comply with the new regulations or face serious financial and legal repercussions.
Companies and private sector organizations will have to change how they handle the information of their customers and how they use their personal data. The regulations will assure the data collected from private citizens will have a specific level of protection and not be exposed without their knowledge or consent.
What Companies or Organizations are Subject to GDPR Compliance?
Companies or organizations that control or process the personal data of individuals in the European Union must comply with GDPR. Controllers include companies, charities, or government organizations that determine the purposes and conditions of personal-data processing. Data processors, on the other hand, obtain, hold, or record information on behalf of a data controller.
The legislation applies to controllers and processors in the European Union but also organizations located outside Europe handling EU data subjects, including American institutions. The Information Commissioner's Office (ICO) stated that if your organization is currently under the Data Protection Act (DPA), it will most likely have to follow GDPR policies. Most companies will have to adjust their data security strategies to comply with the new regulations.
Who is Responsible for Meeting the GDPR Checklist?
Within data-service organizations, both data processors and data controllers must appoint a Data Protection Officer (DPO) to oversee GDPR compliance. The DPO oversees the data security strategies used to process and control EU citizen data (such as the storage of personal data) in a responsible and transparent way, and defines how personal data will be responsibly processed. Controllers must supervise how outside contractors process data as well as their internal data processors.
GDPR Compliance Policies and Requirements
The GDPR legislation includes 11 chapters and 99 articles. Each chapter addresses how organizations must process and control personal data, the independent supervisory authorities, penalties, provisions, and more. It's best to prepare early, so find out the Do's and Don'ts of GDPR Data Security. We'll address some of the most important aspects of GDPR compliance below:
- Data Control and Security
Under GDPR regulation, subjects will have more control over their personal data and companies will have to be transparent on how they use sensitive information. Organizations must reduce unnecessary and disingenuous exposure of sensitive material and meet strict security protocol. Companies must implement safeguards and various data protection measures to protect private data from loss or exposure.
Furthermore, organizations are required to carry out Data Protection Impact Assessments to pinpoint potential risks to consumer data and promptly address any immediate concerns. If there is a security breach, controllers must notify data subjects and inform security associations of the risky activity. GDPR notification requirements will be one of the aspects most thoroughly examined by Supervising Authorities (SAs), so make sure to learn about and prepare for the new policies in advance.
- Right of Access, Withdrawal of Consent, and Right to Erasure
EU citizens have the right to access their personal data. Upon request, data controllers must provide an overview of how a person's data is processed and the reasons behind the actions. Data subjects must consent to how and why their data is processed by companies. Individuals must authorize how their data is processed and can withdraw their consent if they so choose. Also, subject data cannot be kept after a service or agreement has ended or a partner organization requests deletion.
- Appointment of Data Protection Officers
Most companies must appoint a data protection officer (DPO). The purpose of the role is to inform controllers of important regulations and mitigate concerns and requests from SAs. Some businesses may share a DPO if they represent a group of companies, share a location, or are part of a similar industry.
Under the GDPR, you must appoint a DPO if:
- You are a public authority (except for courts acting in their judicial capacity)
- Your company systematically monitors the behavior or activities of users on a large scale
- Your organization processes judicial data relating to criminal convictions and offenses or other special categories of data
GDPR Fines and Penalties for Non-Compliance
SAs will also have more authority to investigate organizations under GDPR and may conduct investigative audits and impose corrective measures where applicable. Data controllers and processors must adhere to the supervising authorities' powers or face steep penalties. GDPR enforcement is much stricter than the former Data Protection Act, including costly fines of up to €20 million or 4 percent of global annual turnover for non-compliance.
Oliver Wyman predicts that many European and American companies may not comply with the new legislation in time, resulting in an estimated $6 billion in GDPR fines and penalties for the EU.
What is the Average Cost to Prepare for GDPR Compliance?
A recent PwC Pulse Survey predicts 77 percent of large American multinational companies plan to spend $1 million or more to meet GDPR standards. Nine percent of companies may spend more than $10 million to comply with the new regulations.
When Does My Company Need to be in Compliance with GDPR Security Requirements?
All organizations under the new GDPR legislation must comply with requirements by: May 25, 2018
How to Pass GDPR Compliance Regulations
Follow our four-phase approach to GDPR preparation.
Phase 1: Know your data
- Information — Identify types of information in scope of GDPR handled by the organization
- Governance — Identify Information Governance (who owns the data and who is responsible for the data)
- Third Parties — Identify third party data processors
- Data Flow — Carry out data flows of the information across the lifecycle (from collection to destruction)
Phase 2: Assess your Current Strategy
- Maturity — Maturity Assessment against the GDPR requirements
- Privacy — Privacy Impact Assessment
- Vendors — Third Party Vendor Management Assessments
- Output — Define an improvement program to address the gaps identified
Phase 3: Build the Program
- Policies — Extend existing Privacy Information Management System or build the system (policies, procedures, roles and responsibilities, privacy by design methodology)
- Management — Data Protection Officer in place and responsible for program
- Controls — Implement technical controls for:
  - Data management and security
  - Monitoring & detection
  - Response and remediation
Phase 4: Test, Operate & Manage
- Testing — Penetration testing activities
- Detection — Data breach detection and response capability
- Response — Incident Response and remediation capabilities
The Information Commissioner's Office (ICO) provides this GDPR Checklist for data controllers and processors. The ICO also provides this PDF guide on Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now.
As our own checklist, this white paper walks you through the GDPR 4-Step Plan to make sure your company is well prepared for GDPR regulations.