The General Data Protection Regulation (GDPR) deadline of May 25, 2018 has come and gone. There is still a lot of uncertainty about how these updated data privacy laws will be enforced internationally, but the consequences of non-compliance are becoming visible as a number of high-profile cases continue to shake out. So what is GDPR, where did it come from, and what does it mean to be compliant? Let’s explore these questions and try to address how GDPR applies to your business.
What is GDPR aka the General Data Protection Regulation?
GDPR is a regulation issued by the European Union (EU) designed to update and consolidate data protection law across the member states under a single umbrella. The bottom line of the regulation is to protect the personal data and privacy of individuals (“data subjects”) in the EU. The text was approved by the European Parliament on April 14, 2016 as a replacement for the older Data Protection Directive (95/46/EC) from 1995. Unlike the directive, which each member state had to transpose into its own national law, GDPR applies directly and uniformly. It entered into force in 2016 with a two-year transition period and became enforceable on May 25, 2018.
Does GDPR Compliance Apply to My Organization?
Regardless of whether your company is located in the EU, if you process the personal data of people in the EU you may be required to comply. Article 3 sets the territorial scope: the regulation applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour (for example, tracking visitors on a website). Note that the trigger is the data subject being in the EU, not EU citizenship. And the definition of personal data is incredibly broad, with the GDPR FAQs defining it as:
“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
So basically anything that can be tied back to a person. For most organizations that do any business internationally, regardless of whether it’s a B2B or B2C model, you’ll be required to meet GDPR requirements. With the above definition of personal data, a tracking cookie, an IP address, or a person’s name falls under the same regulation as data you’d traditionally treat as sensitive, such as a credit card number or social security number. That does not mean every field needs identical controls: Article 32 calls for security measures appropriate to the risk, so the safeguards can be proportionate, but the scope of what you must inventory, protect, and account for is far wider than most organizations are used to.
So we now have a (very) high-level understanding of what this thing is and what it’s designed to do. We’ve also noted that if you deal with people in the EU or their data, it probably applies to your business. To plan your next steps, it’s important to dive a little deeper into the regulation and understand what it requires of you. For the most part, GDPR is incredibly broad throughout. Our expertise is in information security, so we want to focus on those aspects of the regulation. Here are some big-ticket items:
- Is data protection designed in and turned on by default? Privacy by design and by default means building controls such as data minimization, pseudonymization, and restrictive default settings into systems from the start rather than bolting them on later. (Article 25)
- Does your organization maintain a level of security “appropriate to the risk” around data processing? Article 32 explicitly names pseudonymization and encryption, the ability to ensure ongoing confidentiality, integrity, availability, and resilience, the ability to restore access to data after an incident, and regular testing and evaluation of your controls. (Article 32)
- Is there a data breach response and notification process in place? Article 33 requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, which is only achievable if detection, triage, and escalation are already defined and rehearsed. Article 34 adds notification to the affected individuals when the breach is likely to result in a high risk to them. (Articles 33 and 34)
These are pretty simple questions, but there’s a lot to consider here. Developing a plan for your information security department to address these requirements is non-trivial. It requires an understanding of what constitutes “appropriate” security in comparison with peer-level businesses, given the state of the art, the cost of implementation, and the risks to the individuals whose data you hold, along with an impartial assessment of your current security posture and where you need to go. While the regulation anticipates certification schemes (Article 42), there is no official GDPR certification you can simply go out and get today, so it’s important to get out in front of these compliance issues and document your controls to demonstrate due diligence.
Hopefully this answers “What is GDPR?” for you and gives you a quick and dirty walkthrough of what you’re dealing with in these data protection regulations. There are a lot of ways to work towards compliance, and one way that we can help is by performing a thorough gap analysis of your security program. If you have any other questions regarding GDPR you’d like to see answered, reach out and let us know.