Are you ready for May 25, 2018?
A little less than a year from now, on May 25th, 2018, the European Union will implement the General Data Protection Regulation (GDPR). This regulation outlines how organizations — both commercial and non-commercial — can control and process EU residents’ personal data. WannaCry and other recent ransomware attacks have created chaos across the globe. WannaCry was bad enough. Soon, the fallout from such cyber attacks will be even worse, as organizations subject to the GDPR will also face severe financial penalties for compromising end users’ data.
With regulations like the GDPR, enterprises essentially have to pay double for data breaches if they violate compliance rules. If an enterprise doesn’t have proper security systems deployed to generate incident reports after a data breach, they have to pay hefty penalties for compliance violations. Further, they also have to compensate their customers for the loss of confidential data. And things get even worse if hackers tamper with financial data or transactions.
Before we look into the repercussions of this regulation on security attacks, let’s see what the GDPR actually calls for. Comprising 11 chapters and 99 articles, the EU GDPR is going to become one of the world’s most stringent compliance mandates, completely redefining what personal data, data processes, and unlawful processing mean.
Take a closer look at the compliance requirements, and you’ll see that GDPR addresses two major concerns:
- The ways and rules to collect personal data
- The lawful processing of personal data
In my upcoming blog series, I will be writing in detail about specific technical and organizational measures that enterprises have to adopt to comply with this new mandate. Below, we’ll look at some of the top FAQs pertaining to the GDPR requirements.
1. Who must comply with the GDPR?
The GDPR is borderless. If you process EU citizens’ data, regardless of whether your organization is physically in the EU, you need to comply with the GDPR.
Now that leads us to another question. Do you have to comply with the GDPR if you establish an enterprise within the EU, but you don’t process any personal data within the EU? The answer is yes!
Compliance with the GDPR is required for any enterprise that:
- Collects and processes the personal data of EU citizens, regardless of where their company is located.
- Is established in the EU, regardless of where they process their customers’ personal data.
2. What’s considered personal data?
Personal data includes any data related to the citizens of the EU, including:
- Their name.
- Social identification number.
- Location information.
- Unique biological identifiers (e.g. biometric information, facial images, or fingerprints).
- Credit card or other banking information.
- Health information (including physical, genetic, and mental health information).
- Data related to their economic condition.
- Their opinions with regards to politics, culture, and religion.
The GDPR has extended the scope of personal data to online identifiers as well, which includes IP addresses, radio-frequency identification (RFID) tags, and cookies.
3. What does data processing mean?
Data processing includes the recording, sorting, structuring, storing, modifying, using, and transmitting of personal data. The GDPR also gives special importance to data collection, a subset of data processing.
4. What technical and organizational measures should I take to comply with the GDPR?
- Audit your systems: Track activities happening in your network and look for deviations in data processing. Be sure to audit:
  - Activities on the systems in which personal data is stored
  - Accesses to storage systems and personal data
  - Critical changes to personal data
- Deploy proper security systems to prevent, combat, contain, and instantly report data breaches happening in your network.
- Establish systems to conduct forensic analysis to quickly assess the impact of data breaches, if any.
- Ensure that you have proper risk assessment systems. If you are handling sensitive data, a data breach could devastate your business. The GDPR highly recommends implementing risk assessment systems in your environment to ensure everything is safe.
5. What is my organization supposed to do in the event of a data breach?
- If you are a processor and you encounter a data breach:
  - Notify the controller as soon as possible (within 72 hours). If the data breach is not quickly reported to the supervisory authority, you are liable to provide a valid reason for the delay in reporting.
  - In the notification report:
    - Elaborate on the nature of the data breach, including the approximate number of individuals whose data was breached and the personal data records that were breached.
    - List a contact person from your end.
    - Describe the consequences of the data breach.
    - Elaborate on the measures that you have taken (or you propose to take) in order to address the data breach.
- If you are a controller:
  - Document the data breach event, its effects, and the remedial actions taken.
Follow our blog for more information on the technical and organizational measures you need to take care of to meet specific GDPR requirements.
Don’t forget to take a look at our GDPR handbook. Trust me, it’s an easy read.