First, we should all applaud the organizations that have invested time and resources into understanding the full scope of the new EU General Data Protection Regulation (GDPR). For those of you already assessing and adapting systems, processes, and cybersecurity to align with the new law, you deserve an even heartier hoorah.
Sadly, too few organizations out there deserve these accolades.
Here are a few sobering statistics that have come out this year:
- 71% of UK businesses were unaware of fines under the GDPR, and a number of them fear they would go out of business if forced to pay the maximum fines. https://www.theregister.co.uk/2017/05/30/gdpr_biz_survey/
- Less than half of U.S. and European businesses are informed about GDPR’s impact. https://community.spiceworks.com/research/gdpr-impact-on-it
It seems that despite the May 2018 go-live date, following a rather generous two-year get-ready phase, most organizations have shied away from the task of getting to grips with GDPR.
Here are a few top concerns, according to Spiceworks’ research (https://community.spiceworks.com/research/gdpr-impact-on-it):
- Steps to comply with GDPR are not clear.
- Management does not understand the impact of GDPR.
- GDPR will increase complexity in the market.
So it seems that while most of us have heard the term GDPR, too few of us appreciate the actual magnitude, scope, and penalties of this soon-to-be legal requirement.
Let’s be honest here, GDPR is a doozy of a regulation, so it is not surprising that organizations are reluctant to dive in.
We get it, and we’re here to help.
GDPR and the 5Ws
Let’s follow that old journalist and police trick, known as the 5Ws. This approach will help us isolate the top-level GDPR facts. Along with GFI’s brand new report “Understanding and Implementing GDPR Compliance Measures”, we can jump-start your GDPR assessment and help you answer that key question: does GDPR apply to my organization?
GDPR is the acronym for the EU General Data Protection Regulation, also known as Regulation (EU) 2016/679. This new European data legislation supersedes the Data Protection Directive (Directive 95/46/EC), which has been the heart of European privacy law since 1995.
“Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”
GDPR is a comprehensive piece of legislation divided into 11 Chapters that cover all aspects of data protection, including the rights of the EU data subject, the requirements for data controllers and processors, not to mention the liabilities and penalties associated with compliance failure.
GDPR has been introduced to better safeguard the personal data of EU citizens, residents and even tourists (while they are in EU-governed jurisdictions), referred to in GDPR as ‘data subjects’.
For instance, GDPR stipulates that data subjects must provide consent to the collection and processing of personal data. The legal framework gives data subjects the:
- right to be forgotten;
- right to rectify inaccurate personal data; and
- right to transfer data to another controller.
GDPR also provides guidelines on the secure collection, storage, processing and transfer of personal data. If an organization that controls or processes personal data fails to comply with GDPR, it can face hefty fines, such as 4% of annual company revenue.
GDPR was passed into law in April 2016 with an agreed enforcement date of May 2018.
A two-year grace period was afforded to all organizations – giving them an opportunity to assess and revamp their consent forms, review their data collection and processing activities, and update their cybersecurity infrastructure and policies – all obviously prior to the enforcement date.
Any organization, regardless of company size or geographical location, that regularly collects or processes volumes of personal data from EU data subjects may be affected. An organization that falls into this category is urged to assess its GDPR compliance responsibilities immediately.
As an example, consider a company website that requires users to fill in forms in order to access services. The personal data collated from EU data subjects (such as name, date of birth, gender, address, or email) must follow strict GDPR collection, storage, transfer and tracking guidelines.
GDPR has a global impact. This legislation applies to any organization, including those based *outside* EU jurisdictions and those with only a small number of employees.
The key concern is this: if volumes of personal data belonging to EU data subjects are being collated or processed by your organization, then GDPR is very likely to apply to you.
Get the facts from the experts
GFI’s brand new report “Understanding and Implementing GDPR Compliance Measures” is now freely available.
It has been designed to provide clear, concise information and advice related to GDPR compliance. The report clarifies complex terminologies, outlines GDPR requirements, discusses implications to services like cloud storage, and defines key areas of focus to achieve compliance by the May 2018 deadline.
This new report also provides an implementation plan, touching upon all aspects of IT security, including data identification and classification, encryption, access management, network and email security, audit trails and reporting.