GDPR: Ignore It at Your Own Risk

Tuesday, May 09, 2017

Tomáš Honzák

21a45a9d0545830392fdf2b51c4d8c54

If your company does business in the European Union, you are likely to face a major overhaul of the way you handle your customer data. That’s because in 2016, the European Parliament passed the EU General Data Protection Regulation (GDPR), a sweeping change that will affect all companies doing business with EU residents, regardless of where the companies are based.

To understand the GDPR, it helps to understand the European view of privacy. In Europe, unlike in the United States, personal privacy is seen as a fundamental human right rather than just a consumer protection issue. In the interest of protecting this right to privacy, the EU is mandating that as of 25 May 2018, all companies doing business with its residents must

  • Have a valid reason for collecting and using all forms of personal data
  • Obtain consent for any use of data outside of certain pre-approved conditions
  • Present requests for consent to use personal data “in an intelligible and easily accessible form”
  • Notify authorities within 72 hours of any breaches that could compromise personal data
  • Be able to fulfil all privacy rights, including data erasure
  • Nominate a Data Protection Officer (DPO) (only required for companies monitoring data on a large scale or handling special categories of data such as criminal records)

As you may imagine, this regulation will be a game changer for thousands of companies around the world. The upside is that we still have a year to get ready. The challenge is that it will take time, effort, and yes, money to comply with this regulation that many businesses still don’t know about … and still fewer understand. Let’s look at the answers to a few of the most common questions arising from the business community about GDPR.

Which Businesses Will Be Affected?

Regardless of where your company is based, if you handle personal data of EU residents (not just citizens), you will be required to comply with GDPR. The EU defines personal data very broadly as any information that can be used to identify the individual, directly or indirectly, from innocuous information like names, email addresses, and physical addresses to social media posts and online presence footprints to highly sensitive medical and financial information.

How (and When) Will the GDPR Be Enforced?

All requirements of the GDPR will go into effect on 25 May 2018. For the moment, officials are expecting that, as with HIPAA in the United States, most compliance checks will be done via supply chain management. If you work with third parties who process data on your behalf, the GDPR expects that you will assess those companies’ compliance with its requirements.

Apart from defining the fines, the EU has told us little about how it plans to enforce the regulation. Personally, I expect that shortly after the enforcement date, officials will begin performing audits, and I believe they will begin with small-to-medium size businesses. Large companies with sprawling compliance departments and dozens of lawyers will be tricky to go after, whereas targeting a business without a large back office makes it easier to set a precedent and demonstrate that the EU is serious.

What Are the Penalties for Noncompliance?

The maximum fine for the most serious infringements will be up to 4 percent of global revenues or €20 Million, whichever is greater. Lesser infractions will be subject to smaller penalties; for example, a company’s fine for not having its records in order will be 2 percent of global revenue.

How Can We Prepare, and How Much Will It Cost?

The first step in preparation is to fully understand the regulation’s requirements and how they will affect your business. For starters, visiting eugdpr.org will give you some solid insights into the regulation as well as into its background and controversies.

Once you have a clear picture of how your business will be affected, I recommend the following steps:

  1. Appoint a cross-functional GDPR task force, reporting to the executive team.
  2. Make a map of how you collect and use personal information from EU residents.
  3. Use the map to assess compliance with GDPR requirements, and make a plan to fill any gaps by May 2018.
  4. Assess all vendors who handle personal data on your behalf, and work with them as needed to ensure compliance by May 2018.

The cost of all this will depend on the size and scope of your company, the nature and sensitivity of the data you handle, your current level of compliance, the number of vendor relationships that will be affected, and so on. Once you’ve determined what needs to be done, you’ll want to assess the costs and work them into your budget.

So, what will the global business environment look like after 25 May 2018? I believe that for large enterprises, apart from additional paperwork, little will change: Many have large compliance teams and have already implemented similar measures as part of their standard practices. Startups, on the other hand, will face a serious burden as they will have to comply from Day One of their existence, and I can see this causing the EU to fall behind United States when it comes to business innovation. One thing we can all be certain of is that the GDPR will change business as we know it, and the best we can do is make sure we’re prepared.

About the author: Tomáš Honzák serves as the head of security, privacy and compliance at GoodData, where he built an Information Security Management System compliant with security and privacy management standards and regulations such as SOC 2, HIPAA and U.S.-EU Privacy Shield, enabling the company to help Fortune 500 companies distribute customized analytics to their business ecosystem.

Possibly Related Articles:
33126
Enterprise Security Policy
Privacy Regulation GDPR privacy rights
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.