What is the GDPR?
Companies that collect data on citizens in European Union (EU) countries will need to comply with strict new rules around protecting customer data by May 25. The General Data Protection Regulation (GDPR) is expected to set a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to comply.
Compliance will cause some concerns and new expectations of security teams. For example, the GDPR takes a wide view of what constitutes personal identification information. Companies will need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address and Social Security number.
The GDPR leaves much to interpretation. It says that companies must provide a “reasonable” level of protection for personal data, for example, but does not define what constitutes “reasonable.” This gives the GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance.
Time is running out to meet the deadline, so CSO has compiled what any business needs to know about the GDPR, along with advice for meeting its requirements. Many of the requirements do not relate directly to information security, but the processes and system changes needed to comply could affect existing security systems and protocols.
The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995. It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU.
The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. However, that standard is quite high and will require most companies to make a large investment to meet and to administer.
According to an Ovum report, about two-thirds of U.S. companies believe that the GDPR will require them to rethink their strategy in Europe. Even more (85 percent) see the GDPR putting them at a competitive disadvantage with European companies.
The short answer to that question is public concern over privacy. Europe in general has long had more stringent rules around how companies use the personal data of its citizens. The GDPR replaces the EU’s Data Protection Directive, which went into effect in 1995. This was well before the internet became the online business hub that it is today. Consequently, the directive is outdated and does not address many ways in which data is stored, collected and transferred today.
How real is the public concern over privacy? It is significant and it grows with every new high-profile data breach. According to the RSA Data Privacy & Security Report, for which RSA surveyed 7,500 consumers in France, Germany, Italy, the UK and the U.S., 80 percent of consumers said lost banking and financial data is a top concern. Lost security information (e.g., passwords) and identity information (e.g., passports or driving license) was cited as a concern of 76 percent of the respondents.
An alarming statistic for companies that deal with consumer data is the 62 percent of the respondents to the RSA report who say they would blame the company for their lost data in the event of a breach, not the hacker. The report’s authors concluded that, “As consumers become better informed, they expect more transparency and responsiveness from the stewards of their data.”
Lack of trust in how companies treat their personal information has led some consumers to take their own countermeasures. According to the report, 41 percent of the respondents said they intentionally falsify data when signing up for services online. Security concerns, a wish to avoid unwanted marketing, or the risk of having their data resold were among their top concerns.
The report also shows that consumers will not easily forgive a company once a breach exposing their personal data occurs. Seventy-two percent of US respondents said they would boycott a company that appeared to disregard the protection of their data. Fifty percent of all respondents said they would be more likely to shop at a company that could prove it takes data protection seriously.
“As businesses continue their digital transformations, making greater use of digital assets, services, and big data, they must also be accountable for monitoring and protecting that data on a daily basis,” concluded the report.
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are:
A new survey conducted by Propeller Insights and sponsored by Netsparker Ltd. asked executives which industries would be most affected by GDPR. Most (53 percent) saw the technology sector being most impacted followed by online retailers (45 percent), software companies (44 percent), financial services (37 percent), online services/SaaS (34 percent), and retail/consumer packaged goods (33 percent).
Companies must be able to show compliance by May 25, 2018.
The GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor and the data protection officer (DPO). The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.
Data processors may be the internal groups that maintain and process personal data records or any outsourcing firm that performs all or part of those activities. The GDPR holds processors liable for breaches or non-compliance. It’s possible, then, that both your company and processing partner such as a cloud provider will be liable for penalties even if the fault is entirely on the processing partner.
The GDPR requires the controller and the processor to designate a DPO to oversee data security strategy and GDPR compliance. Companies are required to have a DPO if they process or store large amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a publicauthority. Some public entities such as law enforcement may be exempt from the DPO requirement.
According to the Propeller Insights survey, 82 percent of responding companies say they already have a DPO on staff, although 77 percent plan to hire a new or replacement DPO prior to the May 25 deadline. That hiring doesn’t stop with the DPO. About 55 percent of the survey’s respondents reported that they had recruited at least six new employees to achieve GDPR compliance.
According to the PwC survey, 68 percent of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements. Another 9 percent expect to spend more than $10 million.
The PwC survey, which was conducted in December 2016, showed that 68 percent of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements. Another 9 percent expect to spend more than $10 million.
As we approach the May 25 deadline, those expectations might have been on the high side. The more recent Propeller Insights survey from March 2018 indicates that most companies will spend less than $1 million. In fact, 36 percent of the respondents said they would spend between $50,000 and $100,000, and 24 percent will spend between $100,000 and $1 million. Only about 10 percent expected to spend more than $1 million.
The GDPR places equal liability on data controllers (the organization that owns the data) and data processors (outside organizations that help manage that data). A third-party processor not in compliance means your organization is not in compliance. The new regulation also has strict rules for reporting breaches that everyone in the chain must be able to comply with. Organizations must also inform customers of their rights under GDPR.
What this means is that all existing contracts with processors (e.g., cloud providers, SaaS vendors, or payroll service providers) and customers need to spell out responsibilities. The revised contracts also need to define consistent processes for how data is managed and protected, and how breaches are reported.
“The largest exercise is on the procurement side of the house—your third-party vendors, your sourcing relationships that are processing data on your behalf,” says Mathew Lewis, global head of banking and regulatory practice at legal service provider Axiom. “There’s a whole grouping of vendors that have access to this personal data and GDPR lays out very clearly that you need to ensure that all of those third parties are adhering to GDPR and processing the data accordingly.”
Client contracts also need to reflect the regulatory changes, says Lewis. “Client contracts take a number of different forms, whether they are online click-throughs or formal agreements where you make commitments to how you view, access, and process data.”
Before those contracts can be revised, business leaders, IT, and security teams need to understand how the data is stored and processed and agree on a compliant process for reporting. “A pretty sizable exercise is required by the technology groups, the CISO, and data governance team to understand what data fits within the firm, where it’s being stored or processed, and where it’s being exported outside the company. Once you understand those data flows and the impact on the business, you can start to identify the vendors you need to be most focused on both from an information security perspective, how you manage those relationships going forward, and how you memorialize that in the contract itself,” says Lewis.
The GDPR might also change the mindset of business and security teams toward data. Most companies see their data and the processes they use to mine it as an asset, but that perception will change, says Lewis. “Given GDPR’s explicit consent and firms needing to be much more granular in their understanding of data and data flows, there’s a whole set of liabilities that now exist with the accumulation of data,” says Lewis. “That’s quite a different frame of mind both for legal and compliance, but maybe more important for the way the business thinks about the accumulation and usage of that data and for information security groups and how they think about managing that data.”
“Data is leaving the firm in all kinds of ways,” says Lewis. “While the CISO and the technology groups need to be able to track all of that, you also need to put protection in place.” Those protections need to be spelled out in the contract so the outside firms understand what they can and cannot do with the data.
Lewis notes that by going through the process of defining obligations and responsibilities, it prepares a company to handle GDPR compliance operationally. “If one of your vendors says, ‘You were hacked last night,’ did they know who to call and how to respond as part of meeting the regulatory requirements,” he says.
The 72-hour reporting window that the GDPR requires makes it especially important that vendors know how to properly report a breach. “If a vendor was hacked and you’re one of thousands of clients, do they notify your procurement department or an account person or someone in accounts receivables? It could come in all kinds of ways,” says Lewis.
You want a clearly defined path in the contract for the information to get to the person in your organization responsible for reporting the breach. “A regulator is not going to say you shouldn’t have had a breach. They are going to say you should have had the policies, procedures, and response structure in place to solve for that quickly,” says Lewis.