After about 4 years of contentious debate, on 8 April 2016, the EU data protection framework was finally adopted. As of today, it’s the law: the General Data Protection Regulation (GDPR). It’s a law that’s sure to significantly overhaul Europe’s cornerstone data protection legislation at a time when technology-led information systems and digital businesses are creeping into every aspect of human life. The new EU GDPR replaces the existing Data Protection Directive 95/46/EC as of 25 May 2018. The European Union aims to harmonize data privacy laws across Europe to empower its citizens and protect their data privacy. In addition, it wants all organizations dealing with the personal data of EU citizens to change their perspective and approach towards data privacy.
Adopting the GDPR marks a major milestone in EU’s data protection laws.
Why the GDPR?
The rising concern of people and governments regarding data privacy motivated the GDPR. Europe, in general, has always been an aggressive protector of its citizens’ data. The Data Protection Directive that went into effect in 1995 controlled the way companies were using the personal data of their users. Over the last two decades, Internet adoption has increased dramatically, transforming the World Wide Web into a major business hub. It quickly became clear that the old directive was not enough to address the many challenges in the way businesses collect, store, and transfer data today.
The reality is that public concern over data privacy has grown significantly. As per the RSA Data Privacy and Security Report, 80% of consumers felt that lost banking and financial data was their top concern. However, loss of security and identity information like passwords or passports was a close second and was an area of concern for 76% of surveyed participants.
62% of all respondents said that they would blame the company and not the hacker if their personal data was breached – an alarming update for companies dealing with consumer data. The report concludes:
As modern consumers are better informed they expect more transparency and responsiveness from the stewards of their data.
One point in RSA’s report that directly relates to the GDPR is particularly interesting. It demonstrates how consumers have devised their own countermeasures against companies that handle user data inappropriately. According to the report, about 41% of people intentionally falsify information when signing up for an online service. Lack of trust, security threats, a desire to avoid unwanted marketing emails, and avoiding the possibility of having their data resold are the major motivations behind these countermeasures.
Modern consumers are in no mood to forgive a company for failing to prevent a data breach that exposes their personal data. In the U.S., about 72% of respondents firmly stated that they will no longer visit or deal with a company that fails to protect their data. Conversely, about 50% of respondents say they are more likely to shop at a company that is serious about how it protects user privacy and safeguards their data.
With increased digital transformation, businesses make increasing use of digital assets, services, and big data. Additionally, consumers are sharing their personal information with a multitude of online platforms using different touch points. Therefore, it has become a key business imperative for a company to stay accountable, responsible, and transparent when it comes to protecting consumer data on a daily basis.
Who is Affected?
The GDPR is in effect from today (May 25, 2018). The sweeping new set of changes will affect every company from technology to advertising and from medicine to banking. The biggest impact will be on companies holding and processing large amounts of consumer data: technology firms, marketers and the data brokers connecting with them. Additionally, companies whose business models are based on acquiring and exploiting consumer data at large scale are also expected to bear the largest burden.
If your company stores or processes information on EU citizens, then you are required to comply with the new GDPR, even if you do not have any business presence in the EU.
The GDPR is applicable to your business or company if your business has:
- A presence in an EU country,
- No presence in the EU, but possesses data of EU citizens,
- More than 250 employees,
- Fewer than 250 employees, but its data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.
According to a PwC survey, over 90% of U.S. companies with more than 500 employees have taken GDPR compliance seriously.
Recently, Propeller Insights conducted a survey sponsored by Netsparker to find out which companies are expected to be most affected by the GDPR. 53% feel that the technology sector will be severely affected. Online retailers clocked in at 45%, software companies at 44%, SaaS software companies at 37%, and companies dealing in retail/consumer packaged goods came in at 33%. The bottom line is: the EU is big, and most companies deal with EU citizens either as employees, customers, or partners and will be affected by the GDPR.
Effect of GDPR on Third-Party and Customer Contracts
Under the new GDPR, equal liability is placed on data controllers and data processors. If you do business with a third-party data processor that is not in compliance with the GDPR, your business has also failed to comply with the GDPR. Besides, the new regulation mandates strict rules for reporting data breaches that everyone in the data processing chain must abide by.
As a result of the GDPR, the contracts your business has with third parties like Cloud (IaaS) providers, SaaS vendors, other support service providers, and customers must spell out the shared data protection responsibilities. Moreover, these revised contracts will have to define the processes that will be used to manage and protect data, along with the mechanisms that will be used to report data breaches.
Client contracts also need revision to ensure they adhere to the new GDPR changes. Business managers, I.T., and security teams must understand and agree upon a compliant reporting process.
Ten Steps to Take TODAY
- Top Management needs to trigger a sense of urgency: The top management in the company responsible for risk management must prioritize compliance with global data hygiene standards and infuse the entire organization with a sense of urgency.
- Motivate Stakeholders to get involved: Your I.T. department alone is not responsible for preparing the entire organization to be GDPR compliant. Involve marketing, finance, sales, operations and other departments that collect, analyze or use consumer data. Their inputs and suggestions to handle and protect data will help the technical team to implement procedural changes effectively and speedily.
- Hire a Data Protection Officer: Under the new GDPR, it is not clear whether a DPO is a discrete position or not. You can either appoint someone within the company who has worked in a similar role and can ensure data protection with no conflict of interest, or hire a new individual. You also have the option to work with a virtual DPO who could act as a consultant for your company.
- Perform a Risk Assessment: Assessing the risks involved in collecting, processing, or managing EU citizens’ data is a major step towards GDPR compliance. Once a risk assessment has been performed, your business will understand the options available for mitigating these risks.
- Mobile Security is a Must: In the modern I.T. environment, more than 68% of employees access employee, customer, and partner data on mobile devices, which is a major threat to data protection and can lead to non-compliance with the GDPR. Employees download third-party applications on their work devices, jeopardizing the security of consumer data. Implementing a mobile security framework to protect against unauthorized access to data on mobile devices is a critical component of GDPR compliance.
- Create a concrete Data Protection Plan: In a perfect world, you already have a solid data protection plan in place. If not, you need to create one right away. If you already have a plan, kudos to you but you should review and update the plan for GDPR compliance.
- Bring Together a System to Report Progress in GDPR Compliance: Article 30 of the GDPR requires companies to maintain a record of processing activities under their responsibility. To ensure your company is keeping accurate records, you need to establish a team that can monitor where personal data is being processed, who is processing it, and how it is being processed.
- Implement Systems to Alleviate Risks: After identifying risks, you need to determine measures that will mitigate them, even if it means revising existing risk-mitigation systems. Spotting and investigating the risks associated with data processing, and determining the level of security required to protect that data, becomes easier once you have taken an inventory of risky applications and understood how data is being processed in your organization (Step 7 above).
- Set Up and Test an Incident Response Plan: Under the GDPR, companies need to provide a detailed report regarding any breach of personal data to their local data protection authority ‘without undue delay’ (within 72 hours of becoming aware of the breach). Don’t wait for an actual data breach to occur: set up a response team and perform drills to make sure the plan works as intended.
- Comply with the GDPR by Eyeing the Business Benefit: Undoubtedly, complying with the GDPR will provide a competitive edge to your business. Compliance will not only enhance ROI but will also help boost consumer confidence. Moreover, the technical and process changes you bring about to comply with the GDPR will enhance your organization’s efficiency in managing and securing data.
The GDPR is here. Compliance is a daunting task, and it’s difficult to understand where to start, especially when every facet of the business, from staff training to data security audits, is involved. This blog will definitely help you to understand the GDPR better and implement measures that will make your organization GDPR compliant.
After hours of brainstorming sessions, poring over documents, legal reviews and many gallons of coffee, we are proud to announce that, effective May 25, 2018, frevvo complies with the GDPR.
You can learn more and obtain a Data Protection Addendum (DPA) by visiting our GDPR site.