In recent years, data breaches involving personally-identifiable information (PII) scaled to unprecedented numbers. The Equifax case alone affected more than 145.5 million people, exposing information including names, birthdates, street addresses, credit card numbers and Social Security numbers.
While cybercriminals never stop trying to find a new vulnerability to exploit, they can’t take the blame alone, as the same companies trusted with valuable PII often make a hacker’s job much easier. Companies assume a lax cybersecurity posture, fail to implement basic security controls such as patch management, and drop the ball on employee awareness.
Unfortunately, cybercriminals and breaches are not the only threats to private information, as proven by the way Facebook misused customers’ data in the Cambridge Analytica case. This culminated in greater pressure for updated laws that made sure people’s personal information was adequately handled and protected. While many countries are still in the process of updating and approving new privacy rules, the European Union (EU) is ahead of the curve with their General Data Protection Regulation (GDPR).
What is the GDPR and How Am I Affected by It?
The GDPR is EU’s most important change in data privacy regulation in 20 years, but its impact is not limited to the Old World. In fact, its application is not limited to organizations located within the EU at all; indeed, it’s mandatory for any organization (including the ones located outside of the EU) that offers goods or services to, or monitors the behavior of, EU data subjects.
To summarize: after the two-year transition period that ended in May 2018, the GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
So what happens if a company fails to comply with the GDPR? Well, aside from a great deal of bad press, it can result in a hefty fine of 20 million euros or 4% of the company’s global revenue — whichever is larger.
GDPR Compliance in 6 Steps
Achieving GDPR compliance can seem daunting at first and, yes, while most concepts were also a part of the Data Protection Act (DPA) of 1998, there are several new aspects and more rigorous standards that every company that falls within the GRPR’s reach must now follow.
The good news is that this new regulation is pretty straightforward, mostly based on two key principles:
- As a company, you should only collect personal data with clearly-defined purpose and never use the information for something else
- Never collect more data than you need
Here are a few simple steps that should help your GDPR compliance efforts:
Step 1 – Hire a Data Protection Officer (DPO)
The DPO is the person responsible for making sure your company is GDPR-compliant, so it makes perfect sense this should be one of your first steps.
Please keep in mind that not every company needs to appoint a DPO; it is only mandatory for public authorities and/or companies larger than 10 to 15 employees which process personal data. However, even if your company is not required to have a formally-appointed Data Protection Officer, it’s still a good idea to have someone defined as responsible for the protection of personal data.
GDPR Article 39 is quite clear on DPO tasks: he or she works as an adviser on all matters related to data protection but is also responsible for monitoring compliance and functions as a central contact point with the supervisory authority.
It is important to know that the data protection officer may fulfil other tasks and duties in the company, as long as it does not result in a conflict of interests.
Step 2 – Check for Processed/Stored Personal Data
According to the GDPR, companies should only collect personal data with clearly-defined purpose, and never use it for anything else.
Based on this premise, a top priority for your newly-appointed DPO is confirming every case where your company collects, stores or processes personal data, checking to see if there is a legal basis for the purpose for which it is done.
For example, if your company’s core business is simply transporting/delivering goods to customers, the most basic personal information you need to complete the job is the customer’s full name, a complete address for delivery, and a contact number or email for notifications and emergencies. In this case, there is no legal ground for requesting personal information such as a customer’s birthdate, gender or marital status — unless, for example, you are doing so in order to send them notice about special offers or advertisements, in which case you should first request their consent (more on that later!).
To put it simply, if you are collecting, processing or storing more personal information than you really need, the best solution in this case is stop doing so. An intelligent approach for full transparency and compliance is preparing a document explaining what personal data your company holds and for what reasons. This should include:
- The purpose of the data collecting, storing or processing
- The types of personal data collected, stored or processed
- The storage periods
- Technical and organizational security controls employed to protect personal data
- Whether personal data is transferred to recipients outside of the EU
Step 3 – Get Customer Consent
Consent is one of the legal grounds for processing personal data, and according to the GDPR, it is absolutely necessary to receive it before processing or storing customer data.
A key point for compliance is understanding that getting consent should be done using clear and plain language. Customers need to know who your company is, when their data is requested/collected, why it is being processed, how long it will be stored and who receives it.
While in the past silence from the customer side was sufficient for consent, the GDPR requires proof that a company received positive confirmation from a customer before using their information. Also, if there are any changes (e.g. using personal information for a reason that was not explained before) a new request for consent is necessary.
Step 4 – Keep Data Only for as Long as Necessary
This step is quite simple: your company should not store or process personal information indefinitely. If the original purpose for collecting, storing or processing personal information has been fulfilled, this data should be securely disposed of.
For example, in the case of employees, personal data should be kept just as long as the employment relationship and related legal obligations last, and the same goes for customers; keep their data just as long as the customer relationship and any related legal obligations last.
For some businesses, the value of personal data can be quite high, making it one of the company’s top strategic assets. So the fact that many companies are not willing to easily part with it is perfectly understandable.
For this reason, if your company desires to keep valuable data which could otherwise be deleted, make sure there is consent. Explain to your customers/employees the reasons why you wish to retain their data, and make sure there is positive confirmation from their side.
Step 5 – Secure All Personal Data
Per the GDPR, personal data should only be processed in a manner that ensures an appropriate level of security and confidentiality, including controls for preventing unauthorized access to or use of personal data and the equipment used for its processing.
It is important to remember that it does not matter if personal data is stored electronically, as part of an application or in physical/hard copy. Your company is still fully responsible for its security. Extra attention should be given to sensitive information, including health, race, sexual orientation, religion and political beliefs. It’s quite clear that your DPO should have a close relationship with your security team.
Another good approach for compliance is following an established security standard, such as ISO 27001. In cases where you need to be more thorough, regular perform vulnerability assessments, or even a complete penetration test.
Step 6 – Respect Customer Rights
It should be quite obvious that GDPR’s main focus is making sure companies respect their customer’s rights with regards to the processing and movement of personal data.
These rights include:
- The aforementioned mandatory consent before collecting, storing and processing personal information
- Access and portability of personal data (i.e. allowing customers to access their data and give it to another company)
- Sending formal notifications within 72 hours of discovery in the event of a data breach
- Allowing customers the right to be forgotten (i.e. erasing personal data when requested as long as it does not compromise freedom of expression or the ability to research)
- Informing customers if their personal data is being used for profiling
- Giving customers a chance to opt out of direct marketing that uses their data
- Getting parental consent before collecting data from their children
- Making sure the necessary arrangements have been made before transferring personal data to countries outside the EU
This list may sound endless, but keep in mind that denying any of these rights will result in a direct GDPR compliance violation and, as mentioned before, fines up to 20 million Euros or 4% of the company’s global revenue.
Complying with the GDPR should not be a project purely focused on avoiding bad press or the financial impact of a major fine. This new regulation is all about respecting individual rights regarding personal information, something every company should do — especially when personal data is used on a daily basis as a central pillar of their business.
In most cases, the road to compliance will result in a significant corporate culture change, affecting business of any size or geographic location which handles personal information and wishes to continue doing business with the EU. In the end, this should not feel like a struggle; instead, it should be thought of as a necessary journey to a safer world in the information age.
EU GDPR Information Portal, EUGDPR