GRC & Chill: Kickstarting Your Risk Management with Quantification
In this episode of GRC & Me, Megan Phee talks to Netflix's Senior Information Security Risk Engineer, Tony…
The General Data Protection Regulation (GDPR) has had an enormous impact on multinational companies that do business in the EU. In the time since the law took effect in May 2018, we have seen the severe penalties of noncompliance as a handful of companies have been hit with finesse. Most recently, British Airways was hit with a historic GDPR fine of £187 million ($230 million) as a result of a data breach that compromised 500,000 travelers’ personal data.
Although the GDPR has been active for more than a year, there are still companies out there who are noncompliant.
In this article, we’ll break down the GDPR into its basic parts for easy understanding. We’ll also delve into the specific rights it grants EU citizens, its impact on multinational companies, and the penalty provisions it contains. Finally, we’ll wrap up with methods to make sure your own company is compliant.
What is the GDPR?
The GDPR is a European Union law that has had dramatic effects on multinational companies around the globe, including the United States. The law stipulates that companies must be held accountable for the personal data they retain concerning any citizen in the European Union—whether they are an employee, customer, or business partner. According to the Information Commissioner's Office (ICO), which is the “UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals,” there are eight rights the GDPR extends to all EU citizens. They are:
- The right to be informed about the collection and use of individual’s personal data
- The right of access to personal data that a company holds
- The right to rectification if an individual’s personal data in inaccurate or incomplete
- The right to erasure of private information when requested
- The right to restrict processing of personal data in certain circumstances
- The right to data portability allows individuals to obtain and reuse their data across different IT environments securely
- The right to object the processing and use of personal data for direct marketing
- Rights in relation to automated decision making and profiling. The law states automated decision-making can only be carried out if given the individual's explicit consent, if it is necessary during a contract process, or if it is authorized by an applicable Union or Member state law.
The full source of the rules can be found on the Official Journal of the European Union.
Defining Personal Data
In order to fully understand the vast scope of the GDPR, we should first define “personal data.” Under the GDPR, “personal data” includes any piece of information that could be used to identify anyone, including: IP address, HR records, location, contact details, and even pseudonymised or key-coded information.
Transparency
The purpose of the GDPR is to protect EU citizens from data breaches, increase consumer trust and safety, and create transparent accountability measures. Data must be provided in a clear, concise, transparent, and easily accessible language, and it must be provided at no cost. Under the GDPR, all EU citizens should (1) have access to their own data, (2) receive notification when their data is being processed, and (3) be permitted to take their data with them once their business with the company has ended.
Data Mapping
The GDPR requires a company to quickly and accurately answer these questions about a person’s data:
- Where that data is being stored
- Why the personal data is being processed
- How long will the data will be stored
- Where the company or controller collected the data
- Where the data goes when it leaves the organization
- What information is included
The GDPR is more restrictive than any other previous legislation in the European Union because it places the accountability on the company. It’s also the first data privacy regulation that has global relevance, making it one of the most significant laws about information security and privacy laws ever passed. It requires companies to show how they are in compliance, not just report that they are in compliance.
Consent
Under the GDPR, clear consent must be given in order for a company to begin processing someone’s data. Consent can no longer be assumed by silence, pre-selected boxes, or inactivity, and it must be separate from other terms and conditions.
Data Protection Officers
If your company meets the following requirements, you could be required to appoint a Data Protection Officer (DPO):
- You are a public authority (except for courts acting in their judicial capacity);
- You carry out large scale systematic monitoring of individuals (for example, online behavior tracking); or
- You carry out large scale processing of special categories of data or data relating to criminal convictions and offenses.
The DPO is responsible for ensuring the company is compliant with GDPR regulations. They must report to the highest management level in the organization, and should operate independently without threat of penalty for completing their assigned tasks.
Penalties and Sanctions for Non-compliance
As proven with the British Airways breach, the penalties for failing to comply with GDPR rules are steep. Sanctions differ depending on which articles of the law apply. Companies failing to comply with the following provisions can be imposed a fine of up to 10M EUR (or up to 2% of the total worldwide annual revenue of the preceding financial year):
- the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43
- the obligations of the certification body pursuant to Articles 42 and 43
- the obligations of the monitoring body pursuant to Article 41(4)
Companies failing to comply with the following provisions can be imposed a fine of up to 20M EUR (up to 4% of the total worldwide annual revenue of the preceding financial year)
- the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9
- the data subjects' rights pursuant to Articles 12 to 22
- the transfers of personal data to a recipient in a third country or an international organization pursuant to Articles 44 to 49
- any obligations pursuant to Member State law adopted under Chapter IX
- non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1)
View the full list of conditions for imposing administrative fines.
Ensuring Compliance
The GDPR makes it plain that the EU no longer intends to let irresponsible companies slide by without consequence. Thus it’s imperative for any company that deals with the personal data of European Union citizens to put policies and processes in place to comply with the new regulations.
The wide-ranging requirements of the GDPR present challenges for organizations, especially since the requirements to become compliant vary for each individual business. LogicGate is helping companies meet GDPR compliance requirements by centralizing and automating all of the new processes as well as enhancing existing manual processes (such as third-party risk management) that now must incorporate privacy impact assessments.
For more on the GDPR, check out LogicGate's Webinar below on Managing Third-Party Risk in the Age of GDPR.
