When the trilogue discussions ended in December, the EU General Data Protection Regulation (GDPR) reached its final form. But in the never-ending GDPR saga there was always one more hurdle to clear. Last month, the EU Parliament approved the final text worked out in those discussions.
So now the clock starts ticking, and companies have two years to get their data handling in order: the GDPR will not be enforced until May 2018.
Technically, the GDPR has been in close to final form for almost a year, as the key stakeholders worked out some important details. So those companies who’ve been paying attention have had even more of a head start.
As a reminder, we’ve written a very comprehensive blog post on the new regulation. And if you want even more background details on the GDPR and how it has evolved from the existing Data Protection Directive (DPD), then by all means download our white paper.
Out of all the many requirements and concepts in the GDPR, these six would make it to the top of my list in terms of their importance:
- Breach notification – A new requirement not in the existing DPD is that companies will have to notify the supervisory data protection authority within 72 hours of becoming aware of a breach of personal data. Data subjects will also have to be notified, but only if the breach is likely to result in a "high risk to their rights and freedoms".
- Data Protection Impact Assessments (DPIA) – When a planned processing operation is likely to pose a high risk to data subjects (large-scale profiling or processing of sensitive categories of data, for example), companies will have to analyze the privacy risks before they start. This is another new requirement in the regulation.
- Privacy by Design – Privacy by Design (PbD) has always played a part in EU data regulations. But in the new law its principles of minimizing data collection and retention, and of gaining consent from consumers when processing data, are more explicitly formalized.
- Extraterritoriality – The new principle of extraterritoriality in the GDPR says that even if a company doesn't have a physical presence in the EU but offers goods or services to EU data subjects, or monitors their behaviour (for example, through a web site), then all the requirements of the GDPR are in effect. In other words, the new law extends outside the EU. This will especially affect e-commerce companies and other cloud businesses.
- Right to Erasure and To Be Forgotten – There's been a long-standing requirement in the DPD allowing consumers to request that their data be deleted. The GDPR extends this right to include data published on the web. This is the still-controversial right to stay out of the public view and "be forgotten".
- Fines – The GDPR has a tiered penalty structure that will take a large bite out of offenders' funds. The most serious infringements, such as violating the basic principles of processing (lawfulness, purpose limitation, data minimization) or the rights of data subjects, can merit a fine of up to 4% of a company's global annual turnover (or €20 million, whichever is higher). A lesser fine of up to 2% of global turnover (or €10 million), still enormous, can be issued for failing to implement PbD and data security measures, for not keeping processing records in order, or for not notifying the supervisory authority and data subjects after a breach. This makes breach notification oversights a serious and expensive offense.
This is a complex law, and the above list is not meant to be a complete rundown of all the significant rules. In any case, most legal and compliance experts would agree that a sensible first step in getting into GDPR compliance is to do a complete data inventory – what data is stored, where it's stored, who has access to it, and what the current access rights are.
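To make the data-inventory step concrete, here is an added illustration written for this post rather than anything from the original text: a small Python script that walks a directory tree, flags files that contain e-mail addresses (a crude stand-in for "personal data"), and records the owner and permission bits of each hit so that world-readable copies stand out for access review. The sample files, the e-mail heuristic and the one-megabyte scan limit are assumptions made for the example; a real inventory would also cover databases, SaaS exports and mail stores, not just a file share.

```python
import os
import re
import shutil
import stat
import tempfile
from dataclasses import dataclass

# Heuristic personal-data signal: an e-mail address. This is an assumption for the
# example; a real inventory adds more patterns (national ID formats, phone numbers,
# card PANs) and tunes them per data set.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Finding:
    path: str             # relative to the inventory root, "/"-separated
    owner_uid: int        # numeric owner of the file
    mode: str             # symbolic permission bits, e.g. "rw-r--r--"
    world_readable: bool  # True if the "other" read bit is set
    email_hits: int       # number of distinct e-mail addresses seen


def count_emails(path, max_bytes=1_000_000):
    """Return the number of distinct e-mail addresses in the first max_bytes of a file."""
    with open(path, "rb") as fh:
        return len(set(EMAIL_RE.findall(fh.read(max_bytes))))


def inventory(root):
    """Walk root and return a Finding for every regular file that looks like it holds personal data."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue                      # vanished or unreadable metadata: skip, don't crash
            if not stat.S_ISREG(st.st_mode):
                continue                      # ignore symlinks, sockets, devices
            try:
                hits = count_emails(full)
            except OSError:
                continue                      # no read permission: record elsewhere, skip here
            if hits == 0:
                continue
            findings.append(Finding(
                path=os.path.relpath(full, root).replace(os.sep, "/"),
                owner_uid=st.st_uid,
                mode=stat.filemode(st.st_mode)[1:],
                world_readable=bool(st.st_mode & stat.S_IROTH),
                email_hits=hits,
            ))
    return sorted(findings, key=lambda f: f.path)


def report(findings):
    """Render findings as text lines; world-readable files are flagged for access review."""
    lines = []
    for f in findings:
        flag = "REVIEW ACCESS" if f.world_readable else "ok"
        lines.append(f"{f.path:<24} uid={f.owner_uid} mode={f.mode} emails={f.email_hits} {flag}")
    return lines


def build_sample_tree():
    """Create a constructed sample tree (made-up data, not a real export) and return its root."""
    root = tempfile.mkdtemp(prefix="gdpr-inventory-")
    files = {
        # relative path: (contents, permission bits)
        "exports/customers.csv": ("id,name,email\n1,Anna,anna@example.org\n2,Ben,ben@example.org\n", 0o644),
        "hr/payroll.csv": ("id,email\n7,carol@example.org\n", 0o600),
        "docs/readme.txt": ("Build instructions, nothing personal here.\n", 0o644),
    }
    for rel, (body, mode) in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
        os.chmod(full, mode)
    return root


def run_demo():
    """Build the sample tree, inventory it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return inventory(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("\n".join(report(run_demo())))
```

Run it and the customer export shows up as world-readable while the payroll file, locked to its owner, does not; the readme is not listed at all because nothing in it matched. The point of the exercise is the four questions in the paragraph above: what personal data exists, where it sits, who owns it, and who else can read it.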
Where have we heard this before?
Of course, we've been preaching data awareness for a while now at the Inside Out Security Blog. With the GDPR, though, it's not just a good idea but an important approach to help you avoid breaking this law.
Want to learn more about the GDPR?
Check out our free 6-part email course (and earn CPE credits!)