GDPR: The most substantial change in data privacy regulations in decades.
Updated: Sep 26, 2018
Set to be enforced in May 2018, the GDPR is a single set of data privacy rules designed to ensure privacy across your organisation.
Are data privacy regulations an annoyance to your organisation? Or does your company have a well-defined data privacy framework, one in which the whole organisation participates?
Over the last few years, more and more companies have been penalised for data privacy violations: LifeLock: $12M; HP: $14.5M; ChoicePoint: $15M; Google: $22.5M; Apple: $32.5M. But none of these penalties compares to the risk facing organisations that are unprepared for the most substantial change in data privacy regulations in decades: the GDPR.
Does your organisation store or process personal data regarding EU citizens? If so, the GDPR applies to you. Personal data covers identifiers such as names, identification numbers, location data, online identifiers, social identifiers, and the many other indicators defined under Article 4; all of them must be protected under the GDPR on behalf of the data subjects they relate to.
The GDPR defines a single set of data privacy rules soon to be enforced in all EU member states. It also applies to every organisation that collects data from EU residents, including organisations outside the EU. Whether you are in the United States, Canada, Australia, or elsewhere, if you store or process data about EU data subjects, the GDPR applies to you.
Penalties for violations are severe, including monetary fines reaching 4% of annual worldwide revenue or 20 million EUR, whichever is higher. When it comes to GDPR enforcement, the message is clear: don't mess with GDPR. Start immediately, and work towards compliance.
99 Articles of Regulations: Where to Start
As the GDPR enforcement date of May 2018 approaches, time is short; it is essential to prepare now for GDPR compliance. Our experts advise organisations to start compliance efforts by performing a GDPR gap analysis. Of the 99 articles, which apply? Enumerating the requirements of each applicable article enables one to measure the gaps in policy and the gaps in practice that must be addressed across all offices and systems.
Part of the process requires conducting a privacy impact assessment to evaluate privacy activities, map data privacy workflows, determine risks, and mitigate them. Depending on the entity, various articles (Article 35, 92, 93) require specific measures such as carrying out a data privacy impact assessment (discussed below).
GDPR and Brexit: Is the UK Exempt?
Shortly before 12:30 pm on 29 March 2017, Prime Minister Theresa May triggered Article 50 of the Treaty of Lisbon, setting into motion the two-year clock to negotiate an exit deal for the United Kingdom to leave the European Union. So the question is: will the GDPR be applicable to the UK in April 2019?
"GDPR introduces obligations for data controllers and data processors in several areas," Matt Hancock, Minister of State, told the House of Lords EU Home Affairs Sub-Committee on 1 February. "It strengthens the rules for obtaining consent. It strengthens the need for breach notifications and it emphasizes self-assessment in the management of data. We have said that the UK is going to implement GDPR in full."
So if some in the UK are hoping that Brexit may provide a way of escape, it will not. UK entities must comply with the GDPR in full; the UK is under the same obligations as all EU member states.
What is GDPR?
The GDPR is the General Data Protection Regulation adopted by the European Parliament in April 2016 following four years of deliberation. The provisions of the regulation:
strengthen the rules for obtaining specific consent to collect personal data, and accountability for the data being processed;
strengthen the requirements around breach notification for personal data;
emphasise the need for self-assessment regarding data management;
require the appointment of a data protection officer;
require the appointment of an EU representative;
require the safe handling of data transfers across borders; and more.
Overall, the GDPR mandates a new set of standards for any entity that handles the data of EU citizens, requiring them to better safeguard the processing and storage of personal data.
What is a Data Privacy Impact Assessment?
When new technologies are employed, a formalised Data Privacy Impact Assessment must be conducted for any processing of data deemed high risk to the rights and freedoms of individuals. Creating a risk assessment framework is necessary, and a blended implementation of ISO/IEC 27005 and ISO/IEC 31000 provides an enhanced approach to risk management within an organisation.
Does ISO/IEC 27001 Satisfy GDPR?
No. ISO/IEC 27001:2013 is an excellent framework and foundation, but more must be done. An organisation that has already implemented this standard has an excellent start: a framework ready to take on the additional controls needed to ensure adequate protection of personal data. Cloud providers should give serious consideration to ISO/IEC 27018, or at least consult it, as the requirements within this code of practice satisfy many GDPR requirements.
Can the Head of IT Serve as the DPO?
No; as noted below, this is prohibited by the regulation. Under Article 37 of the GDPR, all public authorities and bodies are required to designate a Data Protection Officer (DPO) under national law. The Article 29 Working Party (WP29) has published guidelines clarifying the role of the DPO. The WP29 notes that the DPO is "the cornerstone" of the principle of "accountability". Further, the DPO is not personally responsible for compliance with the GDPR, which gives the role an independent perspective protected from the pressures of compliance decisions.
Data Protection Officers can hold other roles, but according to WP29, the following are examples of roles that conflict with the DPO's duties:
chief executive officer
chief operating officer
chief financial officer
chief medical officer
head of marketing
head of human resources
head of information technology
Often, IT has led DPO efforts, but this is no longer permitted.
All Organisations Must Comply
Whether your business is small, medium, or large, it must be aware of the GDPR requirements and be prepared to comply by May 2018. Remember, the GDPR applies not only to businesses within the EU, but to all businesses marketing or selling goods and services to EU citizens, and to all businesses storing or processing data about EU citizens.
Because of the complexity of the GDPR, most organisations started the compliance process more than a year before the enforcement date. If you have not yet started, begin by designating a data protection officer.
For more information about the many additional requirements of the GDPR, contact me at firstname.lastname@example.org.
About the Author
Rebekah Allendevaux is the founder and senior partner of Allendevaux & Company; she oversees the regulatory compliance practice for data privacy and information security. She also specializes in modeling and implementing compliance frameworks such as ISO 27001 with codes of practice such as NIST, ISO 27002, 27017 for cloud security, 27018 regarding securing PII in the cloud, and others. She may be contacted at email@example.com.