Prepare Your Business for the Impending GDPR Mandate
The countdown has begun as organizations across the world gear up for the European Union’s latest privacy legislation. It will affect every business that controls EU residents’ personal data. It isn’t too late to start aligning your company, but you should begin preparing your business for GDPR compliance immediately. If you don’t, you risk heavy fines that could have a serious negative impact on your company.
What is the GDPR?
On May 25, 2018, a European privacy law is due to take effect that sets a new global bar for privacy rights, security, and compliance. The General Data Protection Regulation (GDPR) will impose new rules on organizations that offer goods and services to people in the European Union (EU). It also applies to those that collect and analyze data tied to EU residents. It won’t matter where your organization is located; you could be within the EU or anywhere else around the world. The GDPR aims to harmonize data privacy laws, protect and empower individuals’ data privacy, and reshape how organizations approach data privacy.
The GDPR actually became law in April 2016, but a two-year transition period was included. Organizations should not expect any grace period from regulators beyond May 25, 2018. Some EU member state regulators have gone on record to say there will be no enforcement holiday for organizations that fail to comply. This means there is no time to waste in preparing your company to meet these obligations.
Unsure about how to align your organization with GDPR compliance? Find out how Microsoft suggests preparing.
How is data protection changing with GDPR?
The GDPR is the European Union’s newest data protection law. It replaces the Data Protection Directive, which has been in effect since 1995. While the GDPR preserves many of the principles established in the Directive, it is a much more ambitious law. Among its most notable changes, the GDPR gives individuals greater control over their personal data. It also imposes new obligations on organizations that collect, handle, or analyze personal data. Note, too, that the GDPR gives national regulators new powers to impose significant fines on organizations that breach the law.
The GDPR includes detailed rules about what you must tell individuals about your processing of personal data. This includes, among other things:
- Information about why the personal data is being processed.
- How long the data will be stored (or, if that is not possible, the criteria used to determine that period).
- With whom the personal data will be shared.
- Whether the personal data will be transferred outside the European Economic Area.
This information must be presented in a way that is clear and easily accessible. You should review your disclosures against the GDPR’s requirements carefully.
What are the main requirements of the GDPR to be aware of?
The GDPR imposes a wide range of requirements on organizations that collect or process personal data, including a requirement to comply with six key principles:
1- Transparency, fairness, and lawfulness in the handling and use of personal data.
You will need to be clear with individuals about how you are using personal data and will also need a “lawful basis” to process that data.
2- Limiting the processing of personal data to specified, explicit, and legitimate purposes.
You will not be able to re-use or disclose personal data for purposes that are not “compatible” with the purpose for which the data was originally collected.
3- Minimizing the collection and storage of personal data.
You will need to limit the personal data you collect and store to what is adequate and relevant for the intended purpose.
4- Ensuring the accuracy of personal data and enabling it to be erased or rectified.
You will need to take steps to ensure that the personal data you hold is accurate and can be corrected if errors occur.
5- Limiting the storage of personal data.
You will need to ensure that you retain personal data only for as long as necessary to achieve the purposes for which the data was collected.
6- Ensuring security, integrity, and confidentiality of personal data.
Your organization must take steps to keep personal data secure through technical and organizational security measures.
Do the GDPR regulations impact your organization?
Why should you care if you operate in a non-European country, such as the US? The GDPR applies more broadly than might be apparent to you at first glance. The GDPR is applicable to organizations of all sizes and industries across the globe. Specifically, the GDPR applies to you if:
- You are processing anyone’s personal data, if the processing is done in the context of the activities of an organization established in the EU, regardless of where the processing takes place;
- You are an organization established outside the EU processing the personal data of individuals who reside in the EU, where that processing relates to the offering of goods or services to those individuals or to the monitoring of their behavior.
This means that even if your company only has one customer that resides in the EU, you will be held accountable.
It’s also important for you to note that the EU is often viewed as a role model on privacy issues internationally. So, we also expect to see concepts in the GDPR adopted in other parts of the world over time. Not only is it becoming a global mandate, it’s becoming a global standard.
What if your organization only processes data on behalf of others? Do you still need to comply with the GDPR?
The GDPR applies to organizations that collect and process data for their own purposes, known as controllers. It also applies to organizations that process data on behalf of others, called processors. This is a shift from the existing Data Protection Directive from 1995, which applies primarily to controllers.
The GDPR requires controllers to use only processors that guarantee they will “implement appropriate technical and organizational measures”. This ensures that the rights of data subjects are protected and that the processing requirements of the GDPR are satisfied.
What risks does an organization face if it does not comply with GDPR?
For the last several decades, European privacy laws have generally not included significant fines for breaches. That will change dramatically under the GDPR, in order to hold companies liable for the data they control. The maximum fine your company will face for serious infringements will be the greater of €20 million or four percent of your annual global revenue. Furthermore, the GDPR empowers consumers to bring civil litigation against organizations that breach the GDPR. In other words, this is not something your organization should take lightly or put off preparing for.
The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” In the event of a personal data breach, the GDPR requires you to notify regulators within 72 hours of detecting the breach. You may also need to notify affected individuals if there is a significant risk of harm due to the breach.
Further Your Knowledge on Preparing for GDPR Compliance
It’s important to note that these are not the only regulations being imposed by the GDPR. We’ll be posting more information about the GDPR, such as how you can align your company with compliance standards and how you can benefit from these regulations, through our Security and Compliance Information Series. You can fully prepare your organization for this mandate by taking the GDPR Learning Path in our online courses at cybertraining365.com/m365.
CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge cyber security training. Our training provides the most in-demand industry certification prep courses, including EC-Council, CompTIA, (ISC)2 and Cisco, all taught by leading cyber security experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. Our On Demand LMS platform has white-label capabilities ideal for internal training purposes.