Many thanks to our experts Wim Nauwelaerts, Hunton & Williams; Gary Robinson, Capgemini; and Clyde Williamson, Protegrity for taking part in our recent GDPR expert panel.
As part of the webinar we asked our audience how prepared for GDPR they are, and not one organization responded "We're set, bring it on." The vast majority of attendees raised concerns about interpreting the regulation, understanding how it will affect their business, and choosing which technology to use for compliance.
Here’s a short summary of the questions asked and answers given:
What is the General Data Protection Regulation (GDPR)?
GDPR is the new legal framework for privacy and data protection in Europe. It is a regulation rather than a directive, so it applies directly in every EU member state without national implementing laws, giving a single harmonized framework across all industries and all organizations that process the personal data of individuals in the EU (data subjects), whatever their nationality. It was adopted in April 2016 and applies from 25 May 2018, which gives businesses and regulators a two-year window to adapt their data protection practices for compliance.
How does GDPR impact business outside of the EU?
The GDPR applies to every company, even one established outside the EU, that offers goods or services to individuals in the EU or monitors their behaviour there (Article 3(2)). As GDPR is considered by many to be the gold standard in data protection, U.S. organizations in particular are considering how its requirements could be applied to data outside the EU as well.
What is Personal Data or Personally Identifiable Information (PII)?
The definition of personal data from a European point of view is extremely broad, intended to cover any information relating to an identified or identifiable natural person. It can be anything from a name or an email address to, in an online or mobile world, online identifiers such as device identifiers, cookie identifiers, IP addresses and even location data. In every industry, as big data projects and collection sources become more complex, data sets get merged together, and a field that seems harmless on its own can re-identify a person once other information is joined to it. Every organization must treat its data inventory with this in mind given the new regulation and the growth in data it holds.
What are obligations for Data Processors?
Any company or service provider that holds and processes personal data on behalf of its customers, typically acts as a Data Processor on behalf of their customers. GDPR raises the bar for Data Processors, requiring records of data processing activities, appointment of Data Protection Officers (DPOs), privacy impact assessments, enhanced transparency in terms of privacy notices and consent forms and the rights to be forgotten and portability. In addition, GDPR introduces a breach notification requirement. Applicable to Data Processors and Controllers in all industries and areas, incidents must be reported within 72 hours. Notification of breach is not required if the data was kept securely.
What are the penalties?
Companies face administrative fines of up to 4 percent of total worldwide annual turnover or 20 million euros, whichever is higher, for the most serious infringements (Article 83(5)), and up to 2 percent or 10 million euros for others, such as failing to keep processing records or to notify a breach (Article 83(4)).
What use cases are affected by GDPR and how?
Every use case that processes the personal data of individuals in the EU is affected by GDPR. Any organization collecting or receiving EU personal data should thoroughly assess its responsibilities. Global ecosystems add complexity: information and identifiers about European individuals and their habits are captured, held and shared across borders, land in data stores in different countries, and are accessed from multiple devices, so each transfer and each store needs a lawful basis and appropriate protection.
What is Privacy by Design?
Privacy by Design (PbD), called "data protection by design and by default" in Article 25 of the GDPR, is the requirement to embed privacy into products and services from the design and development stage and throughout processing, and to default to collecting and exposing only the personal data each purpose needs. The GDPR identifies the need to implement appropriate technical and organizational measures to keep data protected from unlawful access, naming pseudonymisation and encryption as examples (Article 32(1)(a)), but it leaves the choice of measures to each organization, to be justified by the risk of the processing.
What is data-centric security and its role in GDPR compliance?
Data-centric security is the concept of protecting the data itself wherever it travels, rather than only the network, server or database that happens to hold it. It is enforced by a centralized policy that defines, by role, system and context, how each data element is protected and who may access it in the clear, so the protection follows the data everywhere. It addresses core aspects of the GDPR such as the breach notification rule: data that has been pseudonymised (replaced by values that cannot be attributed to a person without additional information held separately, Article 4(5)) or encrypted is unintelligible to an attacker, which is the condition that removes the duty to notify affected individuals. This is Privacy by Design in practice, with one caveat: pseudonymised data is still personal data, and the mapping or key that reverses it must be protected as carefully as the original.
The GDPR names encryption as one example among many methods for protecting data. Encryption is a mathematical transformation under a key; its security rests on the strength of the algorithm, a correct implementation and, above all, protecting the key. Ciphertext also changes the length and type of a value, so databases and applications that expect a sixteen-digit card number or a date field usually need modification. An alternative is tokenization, a reversible process that substitutes sensitive data with random surrogate values that have no mathematical relationship to the original; the only way back is the lookup (token vault) that records the mapping. Tokenization can maintain data type and data length while protecting the value, allowing the legacy architecture underneath to stay in place and enabling processing and analytics on the tokenized data without exposing the sensitive values. The trade-off is that the vault is now the secret: it must be isolated and access-controlled like a key, and a deterministic token (the same input always yielding the same token) preserves equality, so it supports joins and counts but also lets an attacker see which records share a value.
What actionable steps should organizations be taking today?
GDPR places the burden on organizations to demonstrate deliberate, risk-based processing, supported by data protection impact assessments where the risk is high, but it is designed to let each organization choose the measures that are appropriate for it. For most, the two-year transition period has started with an evaluation of the existing privacy program; early board-level awareness is essential to keeping compliance manageable. Organizations should:
Protegrity would be delighted to help you protect the data itself on your GDPR journey. Get in touch now to find out more about how our data-centric security solutions can help your organization achieve compliance.