In an effort to quickly bring companies up to speed on the looming General Data Protection Regulation (GDPR), as recent press has suggested that only 2% of organizations are ready for the change, we have created this blog series. Backed by unique stats from our own study, it will delve into the regulation and what modern businesses need to know, as well as what it means for data in the cloud and what organizations need to take responsibility for, especially when using third-party service providers to process data. Finally, we’ll give practical suggestions for moving forward on the road to compliance.
What is GDPR?
After four years of work by the EU, on 25 May 2018, the General Data Protection Regulation (GDPR) will come into force with the central aim of protecting the private and sensitive data of EU citizens. GDPR will supersede the 1995 EU Data Protection Directive by introducing tougher fines for non-compliance and breaches, as well as giving people more control over what organizations can do with their data. With the introduction of GDPR, there will now be one standardized rule throughout the EU, which will apply to all organizations — even those outside the EU — that process and store personal data from EU citizens.
Who does GDPR apply to and who should be concerned?
Organizations that control or process Personally Identifiable Information (PII) will all need to abide by the law set by GDPR. Under the regulation, those that create and collect PII are referred to as “data controllers”, and they must appoint a data protection officer within the organization. Data controllers must also state why and how personal data is being processed, whereas the actual processing of the data is handled by a data processor, such as a cloud service or Software as a Service (SaaS) provider. This means any organization that stores customer or personnel data is a data controller, while a data processor could be a third-party IT firm or cloud service provider processing and storing data on behalf of its customers.
So, who is responsible to ensure the company is GDPR compliant?
While 40% of professionals surveyed by eperi believe the responsibility for GDPR compliance lies with IT security, every department handling sensitive data must now be vigilant about sensitive information. IT departments can assist data protection officers in monitoring third-party services and cloud providers when they process and store data, working alongside them to guarantee the data is adequately protected. Data controllers hold the responsibility of ensuring that the data processors are abiding by the data protection laws, while the data processors themselves must follow processing rules when maintaining records of their activities. If a data breach occurs involving a data processor, the processor is now more liable under GDPR than it was under the Data Protection Act.
GDPR does not, however, only apply to organizations in the EU. Enterprises globally must understand that even if they are not based in the EU, if they are handling data belonging to EU residents, they must adhere to the rules of GDPR.
There are strict protocols to follow when handling data to ensure there is no misconduct. Once GDPR comes into effect in May 2018, any processing of data must be carried out lawfully, transparently and for a specific purpose. When the data is no longer needed, it must be erased. If not, serious penalties can be applied.
Under GDPR, it is now mandatory to inform the data protection authority of any data breach that puts the personal information of citizens at risk within 72 hours of the organization becoming aware of the attack. The short deadline may not give the organization time to fully understand every detail of the breach, but establishing the nature of the data targeted and how many people have been impacted should be a main priority. Failure to meet the 72-hour deadline could result in a penalty of up to 2% of annual global revenue or 10 million euros. If organizations don’t adhere to the basic principles for processing data, such as failing to gain consent, ignoring individuals’ rights over their data, or transferring data to another country, fines could be even more damaging and rise to 20 million euros or 4% of the company’s global annual turnover, whichever is greater.
Check back with us next week when we continue to explore the current state of cloud security and how organizations can move forward confidently to make IT decisions that positively impact the scope of GDPR and help meet strict new standards in data protection.
EU GDPR: The Essential Facts at a Glance - Series:
Part 1: What is GDPR?