GDPR Requirements: The Essential Five
With the EU General Data Protection Regulation (GDPR) coming into effect on 25 May 2018, the clock is ticking for companies to implement its requirements and to ensure compliance is reached before the looming deadline. Designed to replace the Data Protection Directive 95/46/EC, the GDPR aims to standardize data privacy laws across Europe, to protect EU citizens’ data privacy and give them power over what happens to their data.
The GDPR puts the ball firmly in EU citizens’ court, creating a new set of priorities for companies with personal data privacy at its apex, essentially reshaping the way organizations approach data privacy and security. But what does that mean exactly, in practical terms? While the regulation is couched in many cases in general terms, there are a few requirements that are explicitly stated within it. Here are the most important five:
1. Data Protection by Design and by Default
The GDPR introduces the principle of data protection by design and by default in article 25. Through it, the GDPR fundamentally changes the status of data protection from a secondary concern to an obligation on the part of all organizations processing EU citizens’ data. One that, if ignored could make companies liable to steep fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is greater.
What data protection by design means is that organizations and their IT teams need to now take data protection into consideration whenever a new business process or service using personal data is being developed. Companies must be able to prove that data protection was a priority at the process development stage and GDPR compliance was taken into account.
Data protection by default, on the other hand, refers to the privacy settings services and applications are set to. It means that the strictest must now be automatically applied once a customer acquires a new product or service. Users should not have to make manual changes to the privacy settings and information should not be kept for any longer than it is needed to provide the product or service.
Under the GDPR, in case of breaches, companies must be able to prove that they considered a reasonable level of data protection from the first development stages of a product or risk running foul of European Data Protection Authorities and paying a hefty price for it.
2. Appoint a Data Protection Officer(DPO)
The appointment of a Data Protection Officer(DPO) is mandatory under article 37 of the GDPR for:
- Public Authorities
- Data controllers and processors whose core activities require regular and systematic processing of data subjects on a large scale
- Data controllers and processors whose core activities require processing on large scale of sensitive data or data relating to criminal convictions/offences.
These points were further clarified by the Article 29 Working Party in their Guidelines on Data Protection Officers published on 16th December 2016. In it, core activities are defined as key operations that form an inextricable part of the controller’s or processor’s activity. Supporting activities such as payroll or IT help desks do not fall into this category.
To determine whether their activities take place on a large scale, companies are encouraged to look at the number of data subjects concerned, the volume of data or range of data items, the duration of the processing or the geographical extent of the processing.
Regular and systematic monitoring refers to processing that includes all forms of tracking and profiling on the internet, including for the purposes of behavioral advertising. Regular in this case means ongoing or recurring periodically at fixed times. Systematic meanwhile is defined as taking place as part of a general plan for data collection or carried out as part of a strategy.
It is worth noting that, should you choose to appoint a DPO voluntarily even if your organization is not required to do so, the same requirements that need to be met by mandatory DPOs will then apply.
3. Track sensitive data and report any breaches
Under the GDPR, it is essential that companies monitor their sensitive data. This helps organizations keep track of where their data is and where it is going and gives them the possibility to block its transfer or access to it by unauthorized personnel.
By building data awareness, organizations safeguard themselves against potential data breaches going unnoticed. Nowadays, sometimes months go by before companies realize that they’ve suffered a major data breach. Once the GDPR comes into force, this situation will automatically result in fines for the company. The quicker a breach is noticed, the likelier it is that the impact will be reduced and damages mitigated.
The GDPR requires companies to report major data breaches within 72 hours of becoming aware of them. A full investigation is not expected to be presented within such a short time frame, but information can be submitted in phases. In case of serious breaches, the public must be notified without undue delay.
Data loss prevention solutions such as Endpoint Protector can be used for not only tracking purposes, but also to control data movement and access, reducing the chances of breaches occurring.
4. Extended individual rights
The GDPR’s main focus is the protection of EU citizens’ data and their empowerment when it comes to their own data. This implies more rights for users and a need for companies to meet them. The GDPR grants users the right to access their data and erase it, have data inaccuracies corrected and prevent direct marketing, automated decision-making and profiling as well as the right to data portability, meaning the possibility to access, save and reuse data given to a company. Data must be provided free of charge, in a commonly used structure and in machine-readable form. Requests must be completed within a month.
To satisfy user demands, in this case, tools that will allow for thorough searches of networks and endpoints for the sensitive data whose deletion or modification is being requested, are needed to ensure GDPR compliance and confirm complete data removal or changes.
5. Cross-border data transfers
The Data Protection Directive 95/46/EC already restricted cross-border data transfers outside the EU by stating that they were only allowed if the country to which data is being transfer offered an adequate level of data protection. The adequacy of a country is assessed by the European Commission and a current list of adequate countries already exists.
The GDPR brings new regulations concerning adequacy, implementing a mandatory review of it every four years and the possibility that decisions concerning it can be repealed, amended or suspended. Experts fear that this might mean that, in the near future, the much-contested EU-US Privacy Shield might fail an adequacy review by the European Commission.
If an adequacy decision does not exist, companies can still transfer data if they use appropriate safeguards. Among these, there are the Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs). The development of codes of conduct was also encouraged. While the GDPR acknowledges the use of codes of conduct and introduces certification mechanisms, BCRs and SCCs as defined under the Data Protection Directive 95/46/EC are still valid until they are repealed, amended or suspended in accordance with the new regulation.
There is still a list of exceptions that can be applied to cross-border data transfers even if an adequacy decision and safeguards are not in place, the most notable of these being that transfers are allowed if the data subject has explicitly consented to the proposed transfer, after having been duly informed of it and the possible risks involved.
In conclusion, under the GDPR companies need to gain a new level of awareness of how they process data, where it is stored and how and by whom it is being used. Data loss prevention, monitoring and classification tools can be useful in this endeavor, but GDPR compliance also implies a change in operational policies, with an emphasis on the education of employees and the need for specialized internal or external personnel to ensure compliance obligations are met.
You might also find interesting our: GDPR Infographic – Checklist and essentials
Download our free ebook on
A comprehensive guide for all businesses on how to ensure GDPR compliance and how Endpoint Protector DLP can help in the process.