GDPR Compliance: The Most In-Depth Guide
Requirements, guidelines, operational tactics, all you need to know to become GDPR-ready.
Avoid Breaches & Expensive Penalties
The EU General Data Protection Regulation (GDPR) is a regulation issued by the European Commission, the European Parliament and the Council of Ministers of the European Union with the purpose of strengthening and unifying data protection for individuals within the European Union. It is the most important change in data privacy regulation in 20 years. It took four years of preparation and debate until it was finally approved by the EU Parliament on 14 April 2016.
The GDPR makes a big statement about individuals’ private data and their right to request data controllers and processors to delete, correct, and forward their data. In consequence, the GDPR brings significant changes compared with its predecessor, the Data Protection Directive 95/46/EC. These changes will require operational changes in organizations and impose major fines in case of failure to protect EU data subjects.
Organizations have started to feel mounting pressure as the day when the new regulation comes into effect fast approaches. Many of them are far from GDPR compliance, and the changes they have to apply require a great effort on all business levels. In fact, at the end of 2016, a survey conducted by AvePoint of 223 respondents from multinational organizations revealed that only 26 percent of them keep records of data processing and transfers, only 33 percent classify data and only 10 percent of those use automatic data classification. The percentages are concerning, as all of these are essential requirements of the GDPR. The study also showed that companies are in different stages of preparation for the upcoming regulation, with slow progress. For example, some have appointed a DPO, while others are still assessing the impact of GDPR on their operations.
The guide's purpose is to help take some of the pressure off organizations, by offering guidelines on operational tactics for the preparation for GDPR.
The GDPR clearly defines territorial applicability, stating that it applies to all organizations collecting and processing personal data of individuals residing in the EU, regardless of the company location, so it doesn’t matter if the processing takes place in the European Union or not. For example, a company with the HQ in the USA, offering goods or services to EU data subjects, falls under the GDPR's jurisdiction.
No more evasive consent notices. All organizations will be obliged to obtain individuals’ consent to store and use their data and they must explain how it is used. At any time after the regulation comes into effect, data collectors must be able to prove that consent has been obtained. For individuals, it will be easier to withdraw their approval.
Mandatory breach notification
Companies are obligated to notify the supervisory authority within 72 hours of discovering the breach unless the breach is unlikely to “result in a risk to the rights and freedom of individuals.” The notification has to include specific information about the nature of the data breach, the number and type of breached records, the name of the Data Protection Officer, the measures taken to mitigate the risks, and other details.
Data Protection Officers
Both data controllers and data processors are required to appoint a Data Protection Officer. Who can take the role of the DPO and what he/she is responsible for are detailed in Articles 37 to 39 of the GDPR. In short, the DPO can be a member of the organization’s staff or can be contracted for services.
Not all companies are obligated to have a DPO, but only those “controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offenses”. The DPO’s main responsibilities are to ensure the application of the GDPR, to keep a register of the processing operations involving private data, and to provide advice and inform data collectors and processors of their obligations as listed in the GDPR.
Right to access
This article is a great foundation towards transparency, giving individuals the right to request information from organizations about what personal data concerning them they are processing, where it is stored, and for what purpose. Companies must be able to provide a copy of people’s private records in electronic format.
Right to be forgotten
Also called ‘right to erasure’, this article empowers EU data subjects to request the controller to delete their personal data and, further than this, to stop sharing it with third parties, which are also obligated to stop processing it. Article 17 of the GDPR includes a list of situations when the right to be forgotten applies: personal data is no longer necessary in relation to the purposes for which it was collected or processed, the individual withdraws consent, the data has been unlawfully processed, and others.
In case an individual wants to transmit his/her data from one data controller to another, this article of the GDPR gives him/her the right and the framework to do so. Therefore, organizations must be able to provide personal data in a ‘commonly used and machine-readable format’ if requested by individuals.
Privacy by design
Just like ‘security by design’, privacy by design refers to including information security in all processes, systems, products or services from the start, resulting in strong, consistent data protection implementation that helps avoid loopholes caused by security features added on further down the line. The key here is that privacy by design is a legal requirement of the GDPR, not just a recommendation.
Depending on the nature, gravity and duration of the infringement, the number of data subjects affected, the level of damage and several other factors, penalties are:
• Up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher
• Up to 20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher
To be able to apply the enhanced, stricter rules, organizations should perform an audit of their current data security solutions and processes and build upon it. The audit should reveal what data is collected from individuals, whether there are proper consent procedures, where private details are stored, who has access to them, how the integrity of private data is ensured, etc. Based on the discovered information, a solid plan for upgrading to the new regulation can be outlined and shared with all involved parties.
Let’s see what the game plan would look like in order to maximize your chances of getting to the finish line without spending too many resources.
The strategy is worth nothing without disciplined execution. Knowing what data security and management solutions have to be selected and implemented to ensure compliance and security is not as easy as it might seem. There are numerous factors that weigh in, and the human factor is the most complex. A simple example would be the Data Protection Officer that has to be appointed. Companies have a tough decision to make, considering the level of responsibility assigned to a DPO. The officer has to make sure that data protection compliance is met, so his/her role is crucial and difficult, having to deal with employees on one side and department managers on the other.
Also difficult to execute is the article referring to cross-border transfers, which extend farther than the physical borders where the headquarters or branches of a company are. A company operating in Germany can have customers in France, the USA or any other country. This comes with a big responsibility concerning individuals’ data security. The GDPR will apply to the processing of personal data of individuals residing in the EU, even if the data controller or processor is not located in the EU. So, if your business is not in the European Union, you can still be subject to the regulation.
Chief Security Officers, IT Managers, CEOs, business unit managers, etc. have to be informed of the legal changes the GDPR implies and should make sure they translate them into plain, simple measures to apply in order to respect the regulation.
The clearer the objectives are, the sooner everyone will understand what their role is and act accordingly. All department managers, top managers, and other decision-makers should carefully read the GDPR, or get advice from a lawyer regarding the obligations stated in the regulation.
The terminology used in this type of regulation is often difficult to understand, so asking for a lawyer’s advice is recommended, if not mandatory. Having full awareness of a company’s obligations concerning private data protection represents a solid foundation for the next steps.
Treat GDPR compliance as a project, where the initiation and planning phase is defining.
Get advice from a lawyer.
Your assignment is to identify what data you store and process for European data subjects, its location, its path from point A to B, by what systems it is processed, etc. Doing that, you can further realize if you have the required tools to protect private data, or what tools you may need to help you achieve GDPR compliance.
A real game-changer will be the ‘data protection by design and by default’ principle. This will require services or products to include privacy and security features from the very beginning of concept and development. This will be of interest especially for mobile app developers and the IoT sector.
The new regulation will be a great motivator for vendors to align data security with innovation and build not only ingenious products but also secure products.
The General Data Protection Regulation can cause serious headaches until full compliance is achieved, but after that milestone, organizations will be able to see how the benefits outweigh the efforts. Entering new markets in Europe will be easier for businesses because the data protection regulation will be the same as in their home country. The European Commission exemplifies in a press release how companies can cut costs thanks to the reform.
A chain of shops has its head office in France and franchised shops in 14 other EU countries. Each shop collects data relating to clients and transfers it to the head office in France for further processing.
With the current rules:
France’s data protection laws would apply to the processing done by the head office, but individual shops would still have to report to their national data protection authority, to confirm they were processing data in accordance with national laws in the country where they were located. This means the company’s head office would have to consult local lawyers for all its branches to ensure compliance with the law. The total costs arising from reporting requirements in all countries would be over €12,000.
With the GDPR:
The data protection law across all 14 EU countries will be the same – one European Union – one law. This will eliminate the need to consult with local lawyers to ensure local compliance for the franchised shops. The result is direct cost savings and legal certainty.
The GDPR is causing a lot of noise among businesses, especially European ones. Many are not yet sure in what position they are, if they are a data controller or data processor. Many companies are delaying the start of compliance procedures because they feel overwhelmed by the necessary changes and others are simply not aware of the implications.
Regardless of what position you find yourself in, on 25 May 2018 everything has to be in place and starting with that moment, you have to be able to prove at any time you are compliant and that you securely conduct your activity without endangering the privacy of your employees, customers, partners, and other stakeholders.
If you haven’t started working on GDPR compliance, awareness across business units is the first thing to achieve, followed by a sound audit and a great execution.
Choose carefully the software that can help you at each stage of the process and always take into consideration the particularities of your organization, the legal framework and the human factor when implementing software.
Alright, so how can Endpoint Protector help you reach GDPR Compliance?
In more detail:
In the initial phases of the process of becoming GDPR compliant, you can use Endpoint Protector DLP and Device Control (USB and other removable devices) with policies set on report-only, so data that is being transferred outside the company is being tracked and reported. Get valuable insights about which users are transferring sensitive data, like Personally Identifiable Information, Credit Card Numbers, Social Security Numbers, and other confidential information.
Data movement restrictions
Once the audit is finalized, you have to strengthen security and address the vulnerabilities. Endpoint Protector monitoring policies can be converted into restrictive policies, blocking unwanted file transfers, unauthorized data copied/pasted, screen captures, etc. and all of this depending on the various transfer channels and the users, computers, groups that are part of the organizational structure. Since protecting individuals’ private data is so crucial according to the new regulation, it can be secured against leakages and theft with the content filtering and USB control capabilities available in Endpoint Protector DLP.
Protection for cross-platform networks
The GDPR states that data privacy should be ensured, with no specifics about the platform (Windows, macOS, Linux, iOS, Android, Windows Phone, etc.) or the exit channels (email, cloud file sharing, removable devices, etc.). It is not important, after all. The essential part is that data must be secured no matter what. Therefore, for any data security tool you choose to implement, make sure it covers your entire infrastructure, all endpoints, mobile devices and exit points.