Attention to the European Union’s forthcoming “General Data Protection Regulation,” or GDPR, is growing. As its May 25, 2018 implementation date draws nearer, organizations are starting to understand the magnitude of change this major regulation will drive.
It is not only EU-based organizations that are subject to the GDPR’s requirements. If your company stores or handles any personally identifiable information about EU residents – things as simple as names and email addresses – then you are obligated to be in compliance, and risk penalties if you’re not.
And those penalties for noncompliance? Let’s just say you wouldn’t want to be one of the organizations feeling the pain of being judged in violation. The GDPR authorizes fines ranging up to €20 million, or 4% of a company’s total worldwide sales, whichever is greater. Those are business-impacting numbers, not to mention the reputational damage suffered if you break this highly visible new law.
You will definitely want to be in compliance, but that will be neither simple nor cheap. The driving principle behind the GDPR is that any data that specifically relates to a person belongs to that person – not to the organization creating, holding, or processing it. So, in effect, you become the custodian of every user’s data, with all of the responsibilities you’d expect from someone holding something valuable of yours.
For organizations, this means gaining explicit permission to hold someone’s personal information; limiting its use to the context in which that permission was granted; letting the data owner review it, correct it, or even export and delete it, any time they want; and making sure it’s kept safe and protected from misuse – by your employees or by third parties.
In practical terms, the GDPR requires a complete re-thinking of your data handling processes. This review involves locating every place personal data is collected and stored, and the processes involved. You will need to design a system such that all future business processes will comply with the GDPR’s requirement for privacy by design.
As you can see, these activities will touch virtually every part of the organization, consuming a lot of attention and resources as the May 2018 deadline approaches. There is another, equally critical, component of the GDPR that must also be addressed: the data protection requirement.
It’s notable that data protection – not data privacy – is what the “DP” in GDPR stands for. This is because, no matter how well implemented your processes are for handling personal information, if it’s lost in a breach, nothing else matters. The writers of the GDPR understand this, and framed the requirements accordingly.
The biggest change, in terms of data protection, is a new data breach disclosure requirement. Most companies will be required to appoint a Data Protection Officer (DPO), whose role will be to oversee the implementation of data handling processes and also to interface with the EU regulatory regime. One new requirement: in the case of a data breach, the DPO must formally report within 72 hours of discovery, or have a very good explanation why not.
The harshest penalties are reserved for repeat violations, or for instances where there’s inadequate or insufficient protection of user data. Maximum penalties for first offenders are typically half of the GDPR maximum (up to €10 million vs. €20 million, or 2% vs. 4% of revenue), but the EU is being clear that failure to use “appropriate technical and organisational measures” will bring the hammer down.
In light of these requirements, and their attending risks, organizations should use this time to review their strategy and tools for threat detection and response. While it’s always good business to protect against the increasing sophistication and impact of the evolving threat landscape, the GDPR changes the risk equation significantly.
RSA can help you meet your data protection responsibilities under the GDPR. RSA NetWitness® Suite is a set of state-of-the-art threat detection and response tools, while our RSA® Incident Response and RSA® Advanced Cyber Defense Practices deliver world-class planning and implementation services. As you prepare for the GDPR, a world-class data protection process is the foundation.