Regardless of where your company is located, if you control, collect or share any personal data belonging to EU citizens, you need to be compliant with General Data Protection Regulation (GDPR).
GDPR goes into effect officially on 25 May, and any business found not in compliance after that date could find itself hit with big fines (up to €20m or 4% of an organization’s annual global turnover).
The idea behind GDPR is to protect EU citizens’ privacy by giving them greater control over how their personal data is obtained, processed, and shared, as well as visibility into how and where that data is used.
The regulation enforces real consequences for data gatherers that don’t take care of the data they obtain. It also builds in greater accountability for those organizations to ensure they’re conscious of the data they gather, how it is stored, and how it is protected.
For many organizations that handle data, this means a shift in their data collection processes from beginning to end, and a hard look at what kind of data they’re obtaining, how well it is being secured, and an honest assessment on whether or not that data needs to be obtained in the first place.
It’s no longer enough to simply want to collect user data: GDPR requires organizations to collect user data only where there is a ‘lawful basis’ to do so, and that basis must be documented.
As Sophos CISO Ross McKerchar told Naked Security in October, GDPR shifts the balance of power by turning data from an asset into a potential liability. Ensuring that data is deleted as soon as it’s no longer necessary becomes “a defence in depth measure – the less you store the less you have to lose.”
Data handlers may need to implement more informed consent processes when obtaining customer or user data, so EU citizens are fully aware of what they are opting into when an organization is entrusted with their PII (Personally Identifiable Information).
EU citizens can request information on data held about them via a subject access request – a written report, sent on request, that explains what data is held about them, why it is being used and who it has been shared with. Citizens can also request that any data held on them is deleted.
Another goal of GDPR is to make organizations much more proactive in disclosing a data breach, should one occur. This is why GDPR mandates that any person affected by a data breach be notified within 72 hours of the breach’s discovery.
GDPR implementation isn’t a technological box to check; it’s largely a matter of creating and formalizing processes to handle the new requirements that it introduces.
If GDPR is a concern for your business, it’s likely you’ve been getting your house in order for a while now. But with a month to go until the final deadline, it can’t hurt to check that your organization is on the path to readiness: Try out the Sophos GDPR compliance check for peace of mind – it’s only six questions!
10 comments on “One month to GDPR. Are you ready?”
Last year we very carefully reviewed the laws, our systems abilities (software), business operations, cost of meeting requirements. It wasn’t worth it. We have closed accounts with all EU customers. Problem solved. Spending millions to make much less than that, is a bad investment.
Problems ignored I would say, rather than solved ^^
Mahhn is right, this is regulating some companies right out of the EU. It won’t happen but it would be interesting to see someone like Facebook or another big company cut off all EU accounts over this. Also keen to see how this is enforceable if your company servers and assets are in a country that the EU does not have access to.
That’s just the problem though isn’t it, you don’t need to spend millions. You just need to ensure you have the right processes and policies in place. You can’t just stop doing business the way you have been doing it for years. It’s good that GDPR is highlighting things but much of it like a SAR is already in place under the current Data Protection Act. Security firms and Lawyers are rubbing their hands with glee.
GDPR is a good thing but don’t stress and let it cripple you, step through it, tidy up, delete rubbish, know your business and your suppliers/contractors business etc. Have the relevant policies in place to educate your users and deal with situations and you will be just fine!
Just to share some conflicting US vs EU law over this (I know links are blocked so – they can be easily searched for. They are from the ffiec gov and gdpr-info eu, both government regulations sites)
Art. 17 GDPR Right to erasure (requires ability to delete all user data upon request)
Bank Secrecy Act; APPENDIX P: BSA RECORD RETENTION REQUIREMENTS (requires retention of user data for 5 years)
It’s a Fine $$ mess they are putting people into.
“Right to erasure” doesn’t trump other statutory obligations. That’s not an unusual or alarming situation in law. Protections for free speech, for example, don’t liberate you from laws to do with slander.
It would be a challenge to see how VPN companies like Ivacy, Express, Nord, and others would respond to it. They are directly involved in safeguarding their user online data, so, I am especially interested in seeing that.
The GDPR is a very large piece of legislation – the quick comments above do not even come close to doing it justice. To greatly oversimplify, the right to erasure (Article 17) applies where the lawful basis of processing is based on consent or where there is no longer any need to process the data, and in some other specified situations. It does not override the requirements of EU or member state law.
The key point is that data controllers need to have a look at what they are doing and make sure that it complies. The Information Commissioner’s website (the Supervisory Authority for the UK) has lots of good advice and guidance.
This is in fact an opportunity to get good data protection practices in place. In time there will be standard marks to confirm this that can be used on websites etc – meeting these standards will promote trust in customers – the opposite of what we are seeing with Facebook and others at the present time.
I’m amazed as to how GDPR’s applicability is always being simplified in any article or blog post about it. The GDPR does not clearly define who the EU’s data subjects are. These could be EU residents independent of citizenship or EU citizens independent of their place of residence.
A lot in GDPR will only be clear once a few cases have made it through the courts.
1.) Why am I, a US citizen, being governed by EU rules?
2.) I believe the main issue of “privacy” is not protecting your data, but protecting the companies by preventing you from seeking payment from their sale of your data. I understand fb made $40 B USD last year. How much did Google make? How much did Microsoft make? I can’t help but think that most of that money came from selling your and my information. I want a fair cut of that money; after all my data contributed to their financial income. And I believe that this income, from the sale of my data, is much more than the costs of gathering it. That is: the hardware and distribution costs to achieve their windfall profits. They are not paying me enough to use my data.