The May 25th deadline for the European Union’s GDPR (General Data Protection Regulation) has come and gone. And like Y2K, for those of us who remember, the world hasn’t changed much—at least not yet.
Stronger data protection rules give people more control over their personal data. Europe is leading the world in protecting individuals’ private data, and others will follow, though it may take some time. Organizations that control or process the personal data of people in the EU must have appropriate security controls in place to protect that data; note that the regulation’s territorial scope (Article 3) turns on where the data subjects are and where the controller is established, not on citizenship. Applications that collect personal data must be changed so that consent is an affirmative, opt-in act: the user must be asked in plain and simple language, and must be able to withdraw consent as easily as it was given (Article 7). For transparency, the data subject has a right of access (Article 15) to the personal data held about them and to the purposes for which it is processed. Further, the user has the “right to be forgotten” (the right to erasure, Article 17), under which they can request the deletion of their personal data.
The GDPR has 11 chapters and 99 articles, covering everything from consent and the data protection principles to breach notification. Any organization that determines the purposes and means of processing personal data (the “controller”, defined in Article 4(7); “personal data” itself is defined in Article 4(1)) must implement appropriate technical and organisational measures to protect that data (Articles 24 and 32). The responsibility falls mostly on the controller, who must implement the controls and be able to demonstrate that processing complies with the regulation (the accountability principle, Article 5(2)).
Organizations need to understand the requirements of the GDPR, starting with a review of the existing security infrastructure. Do you know which systems collect and store personal data? Do you understand how that data traverses your network and which systems process or store it? Do you manage cookies that may collect personal data? Have you changed your applications so that users can refuse or withdraw consent to data collection and can object to direct marketing (Article 21(2))? These initiatives may be new to many, but compliance should be achievable with some tweaking of existing security controls.
Be prepared. Fines for noncompliance are steep: up to 20 million euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5) and (6)). There is also a lower tier, up to 10 million euros or 2% of turnover, laid out in Article 83(4). Administrative fines are imposed by the national supervisory authority (the Data Protection Authority, DPA); the European Data Protection Board (EDPB) works to keep enforcement consistent across member states, and the European Data Protection Supervisor (EDPS) plays the corresponding role for the EU institutions themselves. Under the GDPR, organizations must be able to show evidence that an appropriate level of protection for personal data is in place. A supervisory authority such as the UK’s Information Commissioner’s Office (ICO) can make recommendations on remediation; fines are a last resort.
There is no shortage of companies offering GDPR assessments to help organizations comply with the regulation, and many of them offer free assessment tools online. Microsoft’s Trust Center, for one, publishes guidance on protecting data under the GDPR. Although the regulation does not name any particular technology, your organization likely already has the technology needed to comply with many of the 99 articles; again, you may need to adjust some settings.
Another place to start is a GDPR workshop, which will help prepare your infrastructure to meet the regulation’s requirements. Then move on to a risk assessment. Recital 76 of the GDPR states, “Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.” Article 24 ties the controller’s technical and organisational measures to that risk, and where processing is likely to result in a high risk, Article 35 requires a formal data protection impact assessment. Once you know where you are at risk, you can begin remediation.