It seems as if we’ve been talking about, worrying about, and planning for the GDPR compliance deadline forever. Although the law was first proposed way back in 2012 and was adopted on April 27 of 2016, it contained a two-year “grace period” to give companies time to make the required changes to comply with the regulation. That brings us to May 25, 2018 – the deadline date – which is now less than a month away.
Preparation for the GDPR effective date has occupied the time and money of businesses all over the world that fall under its provisions, with one survey last November showing that most anticipated spending over $1 million and 40% planning to spend over $10 million on GDPR compliance. As of April 2, with only a couple of months left, Channel Partners Online reported that one out of three companies still were not ready.
But with the specter of hefty fines for non-compliance looming on the horizon, it’s time to get serious if you haven’t already. Let’s review twenty quick facts about the GDPR to help you get motivated and meet the compliance deadline.
- The territorial scope of the GDPR is greater than that of its predecessor, the Data Protection Directive of 1995. Even if your company has no physical presence in the EU, it is subject to the GDPR if it collects, processes or stores personal data of EU residents (who don’t have to be EU citizens). Still haven’t figured out whether the GDPR applies to you? If you market goods and services to people in the EU (such as through a website) or if you collect personal data or behavioral information (even though you aren’t selling them anything or taking their money) from people who are in EU countries, it probably does.
- The GDPR applies to both data controllers and data processors. Controllers determine why and how personal data is to be collected and processed. Processors perform the actual processing of the data on behalf of the controller. Both have specific obligations under the law, and controllers are responsible for choosing processors that comply with the regulation. There should be a written contract between the controller and processor that lays out the instructions for processing and storing personal data.
- You must have a lawful basis for processing personal data. One lawful basis is that the data subject gave consent to the processing. The consent must be given voluntarily, and the language of a consent form must be clear enough that the data subject understands what he/she is consenting to. The data subject can withdraw consent at any time, and withdrawal must be as easy as giving consent. The GDPR sets out the conditions that consent must meet to be valid.
- You need to train staff members who handle or have access to personal data in data protection awareness and the key issues involved in the GDPR. Data breaches and violations of compliance requirements are often a result of human error, and education reduces the likelihood of inadvertent non-compliance. Documentation of staff training will help you prove that you are taking the appropriate steps to prevent a data breach.
- Before you think about training lower level personnel, though, you need to ensure that key management personnel and decision-makers are familiar with GDPR requirements. The regulation specifies that both technical and organizational measures to safeguard the privacy of personal data must be demonstrated. It is impossible to implement the kinds of changes that most businesses must make to come into full compliance without the buy-in of top leadership.
- You might (or might not) need to appoint a Data Protection Officer (DPO). This is an area where there may be some confusion, because the GDPR dictates mandatory appointment of a DPO if you process or store “large amounts” of personal data or special categories of data as defined in the law (including data about racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, health, sex life, and biometric or genetic data). The DPO has the responsibility for overseeing the many activities involved in compliance, such as education and training, auditing and monitoring, advising, maintaining records, and interacting with GDPR supervisory authorities and with data subjects (those to whom the personal data pertains).
- You might (or might not) need to carry out a Data Protection Impact Assessment (DPIA). This is required when processing that uses new technologies is likely to result in a high risk to the rights and freedoms of natural persons. In such cases, the DPIA must be carried out before processing begins.
- The GDPR gives data subjects many rights regarding their personal data. These include transparency and clear, intelligible communication of information; access to the data itself and to information about where, how and why the data was collected; rectification of inaccurate or incomplete data; data erasure (the right to be forgotten); restriction of processing; notification; portability of data; and the right to object to processing of the personal data.
- The security of personal data is a key element of the GDPR and ensuring the confidentiality, integrity, availability, and resilience of the processing systems and services is a primary mandate for compliance. The regulation specifically names encryption and pseudonymization as measures to be taken to achieve the required level of security. For U.S. companies to develop successful GDPR compliance strategies, it may be helpful to understand the European mindset regarding security and privacy.
- Despite companies’ best efforts, data breaches happen. Under the GDPR, organizations are required to report data breaches that have the potential to create a risk to individuals’ rights and freedoms without undue delay. Data processors must report the breach to the data controller, and data controllers must report to the appropriate supervisory authority. The individuals affected must also be notified if the breach is deemed to present a high risk such as identity theft, financial loss, or damage to their reputation.
- If you transfer personal data of EU residents outside of the EU to other countries or international organizations, you are responsible for ensuring that an adequate level of protection will be maintained. If the country or organization is not one that the European Commission has already deemed to provide adequate protection under Article 45, you must provide specific safeguards as laid out in Article 46.
- Both controllers and processors must maintain written/electronic records of processing activities pertaining to personal data that falls under the GDPR, except that this requirement may not apply to your organization if it has fewer than 250 employees. However, organizations with fewer than 250 employees still must meet the requirement if they process personal data more than occasionally, or they process special categories of data or data relating to criminal offenses, or the processing of personal data that they do is likely to result in risk to the rights and freedoms of data subjects. The safest course is to go ahead and maintain the records regardless of the number of employees.
- The GDPR specifically recognizes certification by approved, accredited certification bodies as one way of demonstrating compliance. Certification bodies must be accredited by the supervisory authority or the national accreditation body. Certification is not required but is encouraged. Certifications are valid for no more than three years and then must be renewed. There are a number of applicable certifications and approved certification bodies.
- Supervisory authorities are appointed by each EU member state for a term of no less than four years. They are mandated by the regulation to act completely independently in exercising their powers. Each is required to have qualifications, experience, and skills in the protection of personal data. Supervisory authorities are responsible for monitoring and enforcing the regulation within their territory and performing all the mandated tasks involved.
- The GDPR gives the supervisory authority the power to impose fines for non-compliance of up to €20 million or 4% of the company’s global annual turnover (revenues) – whichever is greater. This maximum applies to violations of the GDPR’s core principles, such as infringement of the rights of data subjects, failure to adequately protect personal data when transferred to a third country or international organization, and so on. The maximum is lower (€10 million or 2% of annual global turnover) if the non-compliance concerns technical measures such as data breach notifications or DPIAs.
- In setting fines, the supervisory authority is to take factors involved in the individual case into consideration, including nature, gravity, and duration of the infringement, number of people affected, amount of damage they suffered, intent or negligence, mitigation steps taken, degree of responsibility, previous infringements, cooperation with the supervisory authority, categories of data affected, whether the controller/processor notified the supervisory authority, compliance with orders, adherence to codes of conduct, approved certifications, financial benefits and anything else that aggravates or mitigates the infringement.
- In addition to the administrative fines that may be imposed for non-compliance with the regulation, the GDPR gives any person who has suffered material or non-material damage the right to seek compensation from controllers and/or processors through court proceedings.
- In addition to the provisions contained in the GDPR itself, Chapter 9 authorizes individual EU member states to create provisions for specific processing situations, such as freedom of expression and freedom of information, public access to official documents, processing of national identification numbers, processing of employee personal data, scientific or historical research, statistical purposes, obligations of professional secrecy, and existing data protection rules of religious organizations. Thus, GDPR compliance also requires an understanding of the rules adopted by the member states in which you operate.
- Although the U.K. voted to leave the European Union (Brexit), the British government is incorporating the GDPR into the country’s own law, although some changes to the framework may be made.
The good news is that GFI Software has the tools to aid in GDPR compliance. With GFI Unlimited, you can access a full library of business-proven, full-featured network security and communications solutions including GFI Archiver to help you in reporting and Kerio Connect to keep malware from affecting your business, so you are less likely to have a breach.
This infographic is brought to you by GFI Software.