How to comply with the GDPR in 2019?
It’s been a little over a year since the General Data Protection Regulation (GDPR) went into effect and like all one-year-olds, the first year can be a challenge. Let’s review what the GDPR is, walk through the results from the first year, and ensure you know the proper data security precautions for your business in order to comply.
What is the GDPR?
The GDPR is a European Union Regulation which at its core protects the privacy of European Union residents. European law has a long history of privacy protections which date back to the atrocities and aftermath of World War II. During this period, European citizens’ private information was used in horrible ways to target them.
With this as a backdrop, it becomes clear why many European nations and citizens view their privacy as a fundamental right. Based on this principle various laws and regulations have been created and promulgated over the past 70+ years. The GDPR is the latest of these laws, which is designed to mainly protect EU residents’ data in light of current and future technology and business practices.
First year GDPR enforcement and stats
While there have not been significant signs of enforcement activity, the U.K.’s ICO recently announced it intends to fine British Airways for GDPR infringements last year. This example is one of the first major cases as European Data Protection Authorities (DPAs) continue to work through large quantities of data since the GDPR came into force May 2018. Below are additional highlights suggesting enforcement may be on the rise:
Do I need to comply with the GDPR?
Not only does the GDPR apply in Europe, but it also affects foreign companies that do business there. U.S. firms that have employees or customers in Europe—firms from Amazon to small app developers—are affected by the GDPR. In short, individuals, organizations, and companies that are either ‘controllers’ or ‘processors’ of personal data must comply with the GDPR.
Here are five data security precautions businesses need to consider when complying with the GDPR:
How do I comply with the GDPR?
The simplest answer—control who can access customer data and what is done with it. The longer answer is compliance with various provisions of the regulation:
– Allow customers to see and delete the data that concerns them
– Provide notice of data breaches within 72 hours
– Create data use policies (privacy policies) transparent and understandable to the lay person
– Hire a Chief Data Officer in some cases
– Follow “privacy by design” principles
Different types of data require different handling, so it’s important to work through the nuances of the regulation. Using customer data requires a legal basis for processing such data. The legal basis can sometimes be obtained by consent of users, via contractual requirements, or by other means. While there can be various legal bases, it is important to work with competent legal counsel to review how your business processes such data to ensure it is compliant with the GDPR.
What happens if a company doesn’t comply?
Be prepared for some pretty steep financial penalties. The GDPR provides fines in a higher and lower tier. The higher tier fines, intended for more serious violations, are up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher. The lower tier’s fines are up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher. The seriousness of the penalties reflects a European approach to privacy that can be traced back again to the atrocities of WWII.
Conclusions
The GDPR provides an update to fundamental privacy laws protecting EU residents. Based on its penalties and fines, it is critical to understand whether the GDPR applies to your company. CMIT partners to provide GDPR assessments, data maps, and practical guidance on how to protect your clients’ and employees’ data. If it does apply to your organization, talk to your trusted CMIT advisor to operationalize your data practices and align them with the requirements of the GDPR.
Written by: Chris Zambuto | Chief Information Security Officer @CMITBostonCambridge