The EU General Data Protection Regulation

By Randy Rose, Director of Cybersecurity, Tasman Global

By Randy Rose, Director of Cybersecurity, Tasman Global

The European Union General Data Protection Regulation (GDPR) took effect last Friday, and it has been a long time coming. Many organizations in Europe (and beyond) feel ill-prepared to meet the requirements which, 2 years after approval1, is now officially enforced.

We’ve prepared a quick snapshot of the basic facts you need to know to be “smart” on GDPR.

What is GDPR?

GDPR is a new comprehensive data protection law that requires businesses (not just healthcare providers2) to protect the personal data and privacy of citizens for transactions that occur within EU member states. Personal data, in the context of GDPR, is any information relating to an identifiable person3 who can be directly or indirectly identified by reference to an identifier. An individual is referred to as a data subject within the construct of the regulation.

What was the impetus for GDPRs creation?

The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. Historically (at least, in the context of the last few decades), European governments have been much more concerned over the privacy rights of individuals than their American counterparts. Europe has had more stringent rules over the use of personal data by governments and private companies compared to economies elsewhere in the world. GDPR updates the EU’s Data Protection Directive which went into effect in 1995 which, as you are aware, was before widespread use of the Internet and, therefore, does not address many of the ways in which customer data is collected, stored, transmitted, used, and shared today.

Does GDPR only apply to EU member states?

No; GDPR applies to all organizations that sell goods or services, or monitor the behavior of, EU data subjects. This means U.K., U.S., and other non-EU companies that partner with and/or provide services for organizations within EU member states where there is any data sharing is likely required to comply with GDPR. Many healthcare and technology companies fall into this category. GDPR applies to all companies processing, transmitting, and holding personal data related to any data subjects residing in the European Union, regardless of the company’s location.

What are the key concepts of GDPR?

GDPR applies to privacy data that includes standard personally identifiable data such as name, address, and national ID numbers, as well as web data (location, IP address, web cookies, RFID tags), health data, genetic data, biometric data, sexual identity data, and even political affiliations.

Companies required to comply are those that have a presence in an EU country OR process personal data of EU citizens despite not being located in the EU. Additionally, companies with 250 employees must comply. Companies with fewer than 250 employees that process specific types of personal data or that perform data processing on data subjects on more than an occasional basis must also comply.

GDPR defines several roles responsible for ensuring compliance:

  • Data controller—defines how personal data will be or is processed within an organization and the purposes for which it is processed

  • Data processor—groups that maintain and process personal data records (which can include outsourced firms, such as cloud service providers)

  • Data protection Officer—designated by the DC and the DP to oversee GDPR compliance

Of note, GDPR holds data processors responsible for breaches as well as for non-compliance concerns.

What are the Penalties associated with non-compliance?

Your organization may face fines as high as the greater of 4% of annual global turnover or 20 Million Euros. Granted, this steep of a fine is reserved for the most egregious infringements, which includes violations of customer consent to process data and violating the core of Privacy by Design4 concepts. GDPR favors a tiered approach to fines; an organization can be fined for violations across a wide range of actions, including direct violations of data subject data and problems with notification as well as policy and records management violations.

What else do I need to know?

 

Many have raised concerns with the vagueness of the new regulations, including language that requires organizations to provide a “reasonable” level of protection without defining what constitutes “reasonable.”

One of the more interesting components of GDPR is the Data Subject’s Right to be Forgotten. Captured in the law as Data Erasure, this provides data subjects with the right to request, under certain conditions5, that the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data, of which the data controller must comply or face penalties.

Others have raised concerns with the costs believed to be required to comply with the law. Many companies believe it will cost them between $1M and $10M USD to get their organization into compliance. Approximately 9% of US-based companies surveyed by the firm PriceWaterhouseCoopers claimed it would cost them more than $10M USD.

The numbers can be scary and that’s where we can help.

Tasman Cybersecurity can keep you well within GDPR requirements all while providing the best possible security mechanisms at the lowest cost to your organization. We use a unique risk buy-down approach to help you eliminate the most risk using the least resources so you can provide the services that best meet your unique mission and vision.

For more information on GDPR, visit https://www.eugdpr.org/


Contact us for more information about how Tasman can help you.

1 - GDPR was formally approved by EU Parliament on 14 April 2016

2 - GDPR extends to any and all organizations that opperate in Europe

3 - Sometimes described as a “natural person”

4 - Privacy by design requires the inclusion of data protection from the earliest stages of the systems design lifecycle, rather than being added later. 

5 - The conditions are outlined in article 17 and include the data no longer being relevant to original purposes for processing as well as a withdrawal of consent by the data subject.