On May 25, 2018, the most comprehensive modification to data protection in over two decades becomes effective: the European General Data Protection Regulation (EU GDPR). The GDPR consists of 11 chapters and 91 articles that outline the specific requirements and regulations organizations must comply with pertaining to the rights of individuals and their personal data.
While there are clear benefits to GDPR, not only for individuals but for enterprises as well, the change is nonetheless a major one, and many companies may be struggling to determine exactly what changes they’ll need to make to ensure compliance. We’ve put together this comprehensive guide to help you make sense of the new regulations and understand the steps you’ll need to take to bring your company into compliance.
For an easy-to-use, step-by-step checklist, download our interactive GDPR Compliance Checklist.
In this guide, we’ll discuss:
- Objectives and Benefits of the GDPR
- Is Your Company Affected by GDPR?
- Compliance Requirements
- Valid Consent
- Data Access
- Data Governance
- Important GDPR Articles You Should Know
- Due Diligence Requirements
- GDPR’s Impact on U.S.-Based Companies
- Fines and Penalties
- Best Practices for Employee Training
- Additional Resources on GDPR Compliance
Objectives and Benefits of GDPR
The primary objective of the GDPR is to improve data and privacy protection for EU residents, while also simplifying regulations for global enterprises. The GDPR states that organizations are required to provide a “reasonable” layer of protection over personal data, with personal data being defined as ANY data that can be used to identify an individual. This broader definition is one of the major shifts under GDPR, with things like genetic and mental information, as well as cultural, economic, and social information now falling under the definition of personal data.
Individuals residing in the EU benefit from enhanced privacy thanks to GDPR, as well as greater transparency into any potential risks resulting from data breaches, as companies are now required to notify all affected individuals in the event of a breach. Companies are now required to be more transparent about obtaining consent from individuals to collect and use their personal data, using simple language when asking for consent and being clear about how the information will be used.
Companies that already comply with the Data Protection Act (DPA) may find many of GDPR’s main principles familiar. These organizations can use their DPA approach as a starting point.
The EU GDPR is now a regulation that applies to each member state of the EU, so it actually works to eliminate many inconsistencies associated with local laws. It’s also a benefit to international enterprises, as they no longer have to navigate and comply with several data privacy and protection laws for individual states in the EU; instead, all such regulations will now exist as a part of the broader GDPR. Additionally, GDPR is a comprehensive regulation that provides a more straightforward approach related to personal data processing for companies entering the EU market.
Is Your Company Affected by GDPR?
Any company that does business in the EU or handles the personal data of EU citizens must comply, even if the company does not have a physical office location in the EU. This includes:
- Organizations based in the EU
- Organizations located outside the EU that offer goods or services to EU data subjects
- Organizations that monitor the behavior of EU data subjects
- All companies processing and holding personal data of residents of the EU, regardless of the company’s location
Note that this umbrella now includes companies that, under the previous Data Protection Directive (DPD), were able to skirt around compliance requirements by maintaining their data processing outside the EU, a practice that was commonly used by service or app providers. While this was a grey area even under the DPD, the GDPR now makes it clear that these organizations must comply.
There are some exceptions, however. While GDPR requires compliance from small-to-medium sized enterprises (SMEs) and major enterprises alike, there is an exception for companies with 250 or fewer employees, as smaller companies are likely to pose a smaller privacy risk to data subjects. According to GDPR Article 30, organizations with less than 250 employees are not required to maintain a record of processing activities under its responsibility, “unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.”
GDPR Compliance Requirements
GDPR is a comprehensive set of rules and regulations, and there are several important steps organizations must carry out in order to comply, such as:
- Map and classify all personal data
- Perform risk assessments
- Hire dedicated data protection officers
- Monitor compliance
- Document every activity around data
- Document everything you need to do to ensure legal compliance
New policies will have to be formed around how organizations engage with people, permissions processes, and how they communicate around what activities are involved with personal data. Then, if a security breach does occur, companies must notify the regulators and in some scenarios, the individuals who have been affected by the breach.
Individuals have important rights under GDPR including:
- Right of data portability – Individuals have the right to demand a copy of their private data maintained by a company. The individual’s private data must be provided in a commonly used format, and if the data subject requests, transfer that private data to another controller.
- Right to be forgotten – Individuals have the right to request that companies remove their personal information from corporate databases in a timely fashion. If for any reason their personal information cannot be removed, the individual has the right to be informed of the reason why it cannot be removed. If a controller has publicized an individual’s data and the individual requests that it be deleted, other controllers must also comply with the request.
- Right to receive notice of processing activities – Individuals have the right to be notified of any processing activities involving their personal data, have access to the information being processed, and they also have the right to object to processing at any time. Companies must comply with these requests unless they have a legitimate reason that the processing must continue (and inform the data subject of those reasons).
To avoid fines and other penalties for non-compliance, CISOs will need to have an in-depth understanding of where personally identifiable information is stored and processed throughout the organization. Should an individual request that their personal data be deleted, organizations must be able to find and destroy all copies of this data in a timely fashion.
In some cases, organizations may want or need to maintain personal data about an individual who requests deletion. CISOs should have a clear plan and process in place for identifying and responding to those cases. For individuals requesting that their data not be processed, companies should have procedures in place to temporarily remove that person’s data to avoid further processing and flag the data to make it clear that processing is restricted.
These processes are not an insignificant task. According to a report in Computer Business Review, “Analysts estimate the cost of enabling customers to request Fortune 500 companies to find and delete data held on them could hit $7.8bn, the FT reports. This amounts to a rough average of $16m outlay per organisation.”
Within the GDPR, three of the 91 articles deal with breaches. According to the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The Information Commissioner’s Office (ICO) explains that a personal data breach, therefore, does not refer only to the actual loss of personal data. “A hospital could be responsible for a personal data breach if a patient’s health record is inappropriately accessed due to a lack of appropriate internal controls,” the ICO explains.
Most of the GDPR revolves around how companies collect data, how they inform their clients of their data storage practices, how they store personal data and who is allowed to access the personal data. Within the legislation, it also identifies two types of data-handlers: processors and controllers. Article 4 of the GDPR defines each of these types of data handlers as follows:
- Processors are defined as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
- Controllers are defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”
In general, a controller decides how personal data is processed, while a processor, as the term suggests, carries out the actual processing of data based on direction from the controller. Controllers are responsible for ensuring that any and all processors they do business with are in compliance with GDPR, although both processors and controllers can be liable if they’re responsible for a breach.
Other major points of the GDPR legislation include:
- Precise requirements for getting consent and for the collection of personal data.
- Age of consent for collecting data goes up from 13 to 16 years old.
- Non-compliance finds are up to $20 million or four percent of a company’s global revenue.
- One single, national office will handle any GDPR-related issues or complaints.
- Companies must delete data if an individual revokes their consent.
- Businesses have 72 hours to notify the EU government of a data breach.
- Organizations with large amounts of personal data must assign a data protection officer.
Based on the GDPR, all companies amassing personal data must prove they have clear consent to process the data. This may be one of the biggest challenges many organizations will face. Silence or non-responsiveness in response to requests for consent will no longer constitute consent – in other words, consent must be clear and affirmative, and companies should be prepared to prove that clear and affirmative consent was obtained. Otherwise, authorities can put an end to personal data processing activities.
Currently, Subject Access Request (SAR) allows EU-based businesses to charge £10 for personal data requests. That will change in May 2018. The GDPR now stipulates that when someone requests their personal data, companies must hand it over within one month, free of charge. Moreover, every data subject will have the right to know if a company has information on them, as well as other supplementary information. This gives data subjects much more control over their information.
While there are a few exceptions, data subjects must also receive information if a decision has been made about them. This also means that companies must be able to provide all personal data stored about an individual in a readable, commonly used format, in the event that a data subject requests that information – and they must be able to do so promptly.
“The GDPR regulation is very clear on what needs to be done to protect the Data Citizen’s rights, but the open question most companies are facing is how to comply with the regulation and/or go beyond the minimum and make GDPR work for them,” says Collibra. The answer to this question, according to Collibra, lies in a robust data governance program, one that takes both a top-down and bottom-up approach.
In the top-down approach, the GDPR team aims to gain an in-depth understanding of all business processes that involve personal data in any way. For every process involving personal data, a number of factors must be understood, including, but not limited to:
- Whether consent has been obtained for the specific process
- The type of data being collected
- The business purpose for collecting the data
- The identities of the controller and processor
- The Data Protection Officer responsible for the data and process oversight
- How long the data will be retained
Top-down data governance will be an ongoing process by necessity. After all data processes are identified and categorized, they will require ongoing maintenance as the company’s processes and infrastructure evolve over time.
The bottom-up approach, on the other hand, is more technical in nature. Companies that have already established metadata management tools are at a slight advantage. As Collibra points out, metadata solutions can be used “to identify personally identifiable information (PII) and attempt to categorize these data elements and assign the relevant attributes for GDPR.” However, bottlenecks can result as the same data is often used for multiple business purposes, making classification difficult.
A risk-based approach is required, meaning companies will need risk metrics in order to distinguish the high-risk processes and data elements from those with lower risk. For high-risk processes and data elements, a Data Protection Impact Assessment is in order, and mitigation (such as pseudonymization and anonymization) is required to lower the risk.
Important GDPR Articles You Should Know
The GDPR is a lengthy text, and it’s imperative that organizations that must comply with the regulations are familiar with all the requirements. The following articles are particularly relevant for companies that are implementing processes and procedures to ensure compliance.
Article 25(1). Organizations must implement principles such as data minimization to protect the rights of individuals, or “data subjects.” These rights include, but are not limited to the following:
- Civil rights
- Rights to freedom
- Privacy rights
- Rights to be forgotten
Companies must use both organizational and technical methods for compliance, with the goal of ensuring that only the personal data necessary for the specific purpose is processed. “That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”
Article 32.This article states that companies must find, implement, and update current security measures in order to ensure a level of security that’s appropriate for the risk (thus the need for companies to have the ability to classify data and processes according to the level of risk), including:
- The pseudonymisation and encryption of personal data
- Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Having the ability to restore the availability and access to personal data promptly following physical or technical incidents
- Implementing processes for ongoing, regular testing, assessment, and evaluation of the effectiveness of security measures
Article 5(2). This article pertains to the principles relating to the processing of personal data, including the requirement that personal data is processed “lawfully, fairly and in a transparent manner in relation to the data subject,” that personal data is collected for legitimate, specified purposes and not further processed for any reason that’s incompatible with those purposes, and that only the data that is relevant and necessary for that purpose is processed. Article 5(2) further clarifies that data found to be inaccurate should be erased or corrected without delay, that data is only kept in a form that can be used to identify subjects for as long as necessary, and that data must be processed in a way that ensures appropriate security. Finally, controllers must be able to demonstrate compliance with these requirements.
Article 30. Also related to data processing, Article 30 states that controllers and processors are required to maintain a record of all processing activities under the controller’s responsibility. The Article specifies the information that must be maintained in this record for controllers and processors, respectively, including information such as the name and contact information for the controller or processor, categories of data subjects and data, the purpose of the processing, categories of recipients of the data, and other specifics.
Article 17. Article 17 covers the right of individuals to request that their personal data be erased. When an individual requests erasure, the controller is obligated to delete the data when:
- The data is no longer necessary for the purpose it was collected or processed
- The data subject withdraws their consent for the processing of their data, when there is no other legal ground to continue processing the data
- The data subject objects to the processing of their data, when no other legal ground for the processing exists
- The individual’s data has been unlawfully processed
- The data must be erased in order to comply with a legal obligation under a Union or Member State law that the controller is subject to
If a controller has made the data public, they must make a reasonable effort to inform any other controllers processing the individual’s data of the erasure request. Article 17 further outlines the legal grounds that may negate a controller’s obligation to comply with an individual’s request for the deletion of their personal data.
Article 18. Article 18 covers the individual’s “right to restricted processing.” What this means is that data subjects have the right to request that the processing of their personal data is restricted under the following conditions:
- The data subject is contesting the accuracy of the data being processed
- The processing of the individual’s data is unlawful, but the individual prefers a restriction of processing rather than erasure
- The controller no longer needs to maintain the data, but the data subject needs the data for “the establishment, exercise or defence of legal claims”
- The data subject objects to processing, but the controller may have legal grounds to override the objection, so data processing is restricted until the controller’s grounds are verified
In cases when the processing of an individual’s data is restricted, the controller must notify the subject prior to lifting that restriction.
Article 33. Article 33 relates to the notifications controllers are required to make when a breach has occurred. Specifically, Article 33 requires controllers to notify the supervisory authority of a breach within 72 hours after they become aware of it. If the breach is unlikely to result in “a risk to the rights and freedoms of natural persons,” notification is not required. If the notification is taking place more than 72 hours after the controller becomes aware of the breach, they must also provide an explanation for the delay. When processors become aware of a breach, they must notify the controller without delay.
Notifications must include specific information about the breach, including:
- The nature of the breach
- The number and categories of data subjects and personal data records impacted by the breach
- The data protection officer’s contact information
- The likely consequences of the breach
- How the controller intends to address the breach
Article 34. Like Article 33, Article 34 outlines the notification requirements following a personal data breach, but this article focuses on the notifications controllers must make to affected data subjects. Notification to data subjects is required only “is likely to result in a high risk to the rights and freedoms of natural persons.” When that’s the case, controllers must notify affected individuals without delay, in clear and plain language, including information about the nature of the breach, as well as much of the information required in notifications to supervisory authorities (found in Article 33). Article 34 also outlines several exceptions to this notification requirement, such as when the data is encrypted and indecipherable to anyone without authorization to access it.
Article 31. Article 31 states that controllers are required to cooperate with supervisory authorities.
Article 32. Article 32 relates to the “security of processing,” outlining the requirements for controllers to take technical and organizational measures “to ensure a level of security appropriate to the risk” in processing personal data, based on the nature of the data and the processing, as well as the likelihood and severity of the risks.
Article 45. This article relates to the obligation of international companies that collect and process the personal data of EU citizens to comply with GDPR requirements. Specifically, Article 45 explains the process of the Commission in determining whether an international organization ensures an adequate level of protection to allow the transfer of data to those entities.
The GDPR makes it clear that companies must demonstrate they are taking relevant measures to keep personal data secure, such as:
- Demonstrating full data control
- Conducting comprehensive risk assessments
- Assisting partners and customers with compliance
- Implementing policies and practices that ensure compliance.
These requirements do not go away when a business works with a third-party service or a partner. All contracts must ensure continued compliance in terms of mitigating potential risks.
Note that the GDPR doesn’t offer a prescriptive approach to dictate precisely how organizations should achieve these goals. Instead, GDPR outlines the requirements, and organizations are then tasked with conducting their own risk assessments and implementing the appropriate organizational and technical safeguards to minimize risks to data subjects.
GDPR also expands the responsibility, making processors liable as well as controllers for the adequate protection of data. That means that controllers will need to be increasingly diligent in ensuring that processors and business associates have appropriate safeguards in place. Additionally, processors are no longer permitted to enlist other data processors without the explicit consent of the controller. Processors and controllers are now required to have contracts in place that describe the data involved in processing and the security measures that are in place to protect it.
GDPR’s Impact on U.S.-Based Companies
Based on a PwC survey, 68 percent of U.S.-based companies expect to spend between $1 million and $10 million to ensure GDPR compliance. In addition, nine percent expect to spend over $10 million. Only 24 percent of respondents plan to spend under $1 million.
PwC also identified several trends related to the way that U.S. companies plan to respond to GDPR, including:
- 64% of executives report that they intend to centralize their data centers in Europe in order to reduce GDPR exposure
- 54% of respondents say they intend to de-identify personal data of EU residents to reduce exposure
- 32% intend to reduce their presence in Europe
- 26% say they plan to exit the EU market entirely
The survey also found that binding corporate rules are gaining popularity in response to GDPR. When asked about the cross-border data-transfer mechanism they intend to use to process EU data outside of Europe:
- 58% of respondents report that model contractual clauses will be a part of their strategy
- 75% plan to pursue binding corporate rules
- 77% intend to self-certify to the EU-US Privacy Shield agreement
PwC suggests that in order to minimize their risks as much as possible, many companies may opt to implement two or more of the above strategies.
Fines and Penalties
Supervisory authorities have the right to impose fines for non-compliance, in varying amounts based on:
- The number of individuals affected and the severity of the impact, as well as the duration of the infringement
- Whether the infringement was negligent or intentional
- What steps (if any) the controller or processor took to mitigate the risk and/or damage
- Any prior infringements
- How cooperative the controller or processor is with the regulator
- The type(s) of personal data involved in the breach
- How the regulator discovered the infringement
If non-compliance is determined to be related to technical measures (e.g., impact assessments, breach notifications, etc.), the fine imposed may be up to €10 million or 2% of global annual turnover (from the prior year), whichever is greater.
If the fine is imposed as a result of non-compliance with key provisions of the GDPR, such as transferring data to processors that don’t have adequate data protection measures in place, fines imposed may be up to €20 million or 4% of global annual turnover for the prior year, whichever is greater.
What happens if an organization has infringed on multiple provisions of the GDPR? It’s not all bad news: Rather than being fined separately for each provision, organizations will be fined based on the gravest infringement. Fines may be imposed for any infringement on any provision of the GDPR, including infringements on:
- Data subjects’ rights
- Conditions for consent
- Conditions for lawful, international data transfers
For example, a company may be subject to fines for the following:
- Failure to have adequate data protection measures in place
- Failure to notify the supervisory authority and/or affected data subjects when required following a breach
- Inability to demonstrate compliance with all provisions of the GDPR
- Failure to delete an individual’s personal data or restrict processing when requested (and when overriding legal grounds for maintaining the data or failing to restrict processing do not exist)
While these fines are substantial, supervisory authorities have the discretion to issue warnings, orders, and reprimands rather than immediately imposing fines. Because the fines are prohibitive, any company doing business in or handling the personal data of EU data subjects should take immediate steps to ensure complete compliance to mitigate the financial risk of non-compliance. Additionally, investing in cyber insurance is an option that many companies may choose to exercise to protect their financial interests in the event of inadvertent infringements; however, cyber insurance typically covers only the costs involved in investigating and addressing the breach itself, but not indirect consequences such as regulatory fines and penalties.
For many organizations, GDPR compliance means a significant change to their information security policies and procedures, meaning that staff training is imperative. Every employee needs to have a thorough understanding of their individual responsibilities.
Since data breaches can cost companies millions of dollars in losses – not just from the breach itself, but also from the negative publicity – then, prevention is the best medicine. Unfortunately, many data breaches occur as the result of human error – often, employee error. To minimize the risk of non-compliance, there are a few best practices for employee training, including:
- Everyone should understand the GDPR. If you haven’t already, it is time to have a meeting with every employee – or, have every first-line manager lead a meeting with their department to explain and discuss the GDPR. It is important to place an emphasis on risks, such as fines and reputation damage, that the company will incur for non-compliance.
- Create a team dedicated to the GDPR transition. Ideally, this team will include representatives from each business unit. These team members can then serve as a department liaison for all questions and updates on GDPR compliance or issues as they arise.
- Audit all of your business processes to determine how they could be more secure. A third-party audit or risk assessment may be the better choice for some companies, while others will have in-house resources capable of handling this task. The outcome of an audit should include recommendations and actionable steps that mitigate risks and improve compliance.
- Make it specific. Not every employee will handle personal data, but they should still have an understanding of GDPR. For staff that handles personal data regularly, their training needs to be more relevant and specific to their job duties. The objective is to ensure employees can relate the GDPR regulations to their daily roles.
- Foster two-way, ongoing conversation. Naturally, staff will have questions about how a major regulatory change will impact their work. As GDPR is the most sweeping data privacy regulation in decades, you can be certain there will be dialogue around the topic. Allowing a free-flowing dialogue to occur between employees and managers helps to ensure that everyone is on the same page.
- Ensure that employees can identify breaches. Since the GDPR requires a 72-hour reporting time frame for breaches, employees should be knowledgeable about how to identify suspicious activity that may indicate a breach has occurred, as well as the processes for notifying the Data Protection Officer immediately. This gives the company some time to verify if a breach has taken place and issue the appropriate notifications to the Information Commissioner’s Office, as well as the affected individuals.
- Provide continuing training and education. The GDPR affects every company that handles any form of personal data from EU residents, and those companies must be fully compliant by or before May 2018. However, sweeping regulatory change requires more than a once-and-done training session. Continuous training should occur for both existing and new employees.
Additional Resources on GDPR Compliance
For more information on GDPR requirements and what your company needs to do to ensure compliance, visit the following resources:
- Brace for Change: Preparing for GDPR in an Age of Cybercrime
- Preparing for Compliance with the General Data Protection Regulation (GDPR) A Technology Guide for Security Practitioners
- Businesses and GDPR: What they need to do to be compliant?
- GDPR Is Coming: Why U.S. Companies Must Start Planning for GDPR Now
- GDPR Overview
- Preparing for the General Data Protection Regulation (GDPR)
- Preparing for GDPR compliance: Where you need to be now and how to get there
- AI does not provide a shortcut to GDPR compliance
- A 9-step guide to prepare for GDPR compliance
- Tackling GDPR compliance before time runs out
The GDPR greatly improves the privacy of individuals residing in the EU through regulations that give them increased rights related to how their data is used and processed as well as greater transparency into when and why their data is being used. For some organizations, compliance may be an uphill, ongoing battle, but non-compliance is a costly risk no organization wants to take. Understanding the key provisions of the GDPR and the steps your company should take immediately to ensure compliance is a must for any organization that controls or processes the personal data of EU subjects, followed by ongoing auditing, improvements, and due diligence. When you’re ready to get started, get a comprehensive list of action steps you need to take to ensure compliance by downloading our interactive GDPR Compliance Checklist.