The General Data Protection Regulation (GDPR) is a set of European Union rules that will impact any organizations that operate in Europe. If your business uses customer data and you have a presence in an EU country, you need to meet these regulations. Here’s our guide to GDPR, how it could impact you, and what you need to do to be compliant.
An Overview of GDPR
What is the Main Purpose?
GDPR makes several significant changes to how businesses need to handle customer data. The regulation will:
- Strengthen data protection legislation and regulations.
- Introduce higher fines and stricter penalties for non-compliance and breaches.
- Give EU residents more control over what organizations can do with their data.
- Consolidate and rationalize data protection rules to the same framework across Europe.
The Scope of GDPR
What Countries are Impacted by GDPR?
Any nation that is part of the EU will need to comply with the new rules. This includes the UK, both during and after Brexit.
What Businesses are Impacted by GDPR?
There are two main types of organizations or businesses that will be affected by GDPR. They are:
- Businesses operating in any of the EU member states.
- Businesses handling information or personal data from EU citizens, no matter where that business is located.
Even if your organization is not located in the EU, if you store, manage, or use personal information on EU citizens (whatever the source of that data), you must meet GDPR regulations.
Who, Specifically, Does It Apply To?
There are two primary functions impacted by GDPR — Data Controllers and Data Processors.
- Data controllers determine why and how personal data is processed; they can be any type of organization, for example a business, non-profit, or government body.
- Data processors are organizations that create, amend, manage, or store personal data on a controller's behalf.
As noted elsewhere, it doesn’t matter if data controllers or processors are based outside the EU — if they deal with data from EU citizens, they must comply.
What Type of Data Does GDPR Impact?
GDPR regulations affect all personal information created by or about any EU citizens. This includes, but is not limited to:
- Identity, location, contact details, and individual demographics.
- IP addresses and individual internet and social media usage.
- Economic, financial and medical information.
So, GDPR broadly affects any information relating to an identified or identifiable person. Organizations should audit all the data they hold to identify what is likely to be affected by GDPR changes.
When do GDPR Rules Apply?
All parts of the EU agreed to the final text on 24 May 2016. The regulation is in effect for all EU countries from 25 May 2018.
Does GDPR Impact How Data Breaches are Reported?
Yes, you must report any data breach that exposes personal information within 72 hours of finding out about the breach. You must report breaches to your data protection authority and to any users who may be impacted by the breach.
Benefits and Penalties of GDPR
Are There Any Benefits, Besides Meeting Compliance Needs, for Businesses to Adopt It?
The main benefit to businesses will be to protect user data better, maintain consumer trust, and avoid penalties for non-compliance. The EU also believes it will give businesses a more precise, consolidated legal framework and environment, and estimates this will save businesses a combined €2.3 billion a year.
Can GDPR Help to Revolutionize How Businesses Handle Data?
Yes. It could be useful to think of GDPR as the “right way to control, process, handle, and manage data” wherever you’re based, or whoever’s data you’re using.
What are the Penalties for Failing to Report a Breach?
Any organization that fails to report a breach within 72 hours could face a fine of up to €10 million or 2% of its annual worldwide revenue, whichever is higher. Any fines must remain “proportionate” to the breach.
What are the Penalties for Capturing, Using or Processing Data Inappropriately?
These penalties can be severe: up to €20 million or 4% of annual worldwide revenue, whichever is greater.
GDPR Roles and Responsibilities
What are the Responsibilities of Data Controllers and Processors?
Data controllers must ensure that data processors who are managing data on their behalf abide by GDPR regulations — we recommend writing this into contracts and vendor agreements. Processors must comply with GDPR rules and keep records of data processing work.
Controllers must make sure that personal information is handled in a lawful and transparent way and that it is used for a specific purpose. Additionally, once that data is no longer needed, it must be deleted.
Processors and controllers must clearly explain that they are collecting data, why and how they are collecting it, and what they will do with that data. Additionally, they should state why that data is being processed, how long it’s stored for, and who gets to see it.
Does It Impact How Data is Transferred Between Organizations?
Yes. All data must be stored electronically, in commonly used formats that can be exported or imported to allow data mobility. Any requests to transfer data must be met within one month.
GDPR and End Users
How Does GDPR Impact User Consent for Capturing and Processing Data?
Organizations that wish to capture or use personal data must seek active consent from users. This typically requires an action on the user’s behalf such as ticking a box or agreeing to specific terms and conditions. Consent must be an “opt in” process, not an “opt out” one. Controllers must record how and when consent was given for all data they collect.
Can Users Withdraw Consent?
Yes, they can. They can also require that their data be deleted (the right to be forgotten).
Can Users Access the Data Organizations Store About Them?
Yes, they can request access and controllers must respond to those requests, typically in a month or less. Ideally, citizens should be able to directly access any personal data that’s being held by an organization.
As you can see, if your organization handles data for EU citizens, you need to be fully aware and compliant with GDPR rules and regulations.
Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top tier cybersecurity and technology companies, most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both a Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional (CCSP) designation.