Ultimate Guide to GDPR Compliance and Regulations
Technology has changed substantially over the past couple of decades. Both hardware and software systems have advanced and evolved, and the Internet has become an integral part of daily life. The extensive use of social media and mobile applications has similarly gained traction, resulting in more connectivity than ever. With this connectivity, however, comes more security risks, especially for businesses.
So how does the business world combat these risks? In the EU, it’s through legislation. The EU Parliament’s Civil Liberties Committee recently approved a new data protection law to replace the Data Protection Directive, or “the Directive,” which has been in place for over twenty years. This new law, Europe’s General Data Protection Regulation, also called the “GDPR,” updates security regulations to more appropriately address the challenges of modern technology.
Though the GDPR won’t officially start until mid-2018, businesses affected by the GDPR must start working to understand the regulation. To help, we’ve put together a guide to the General Data Protection Regulation, what it is about, what it means for your business and how a GDPR security management system can benefit your organization.
What is GDPR?
The General Data Protection Regulation, or the GDPR, is a regulation that was approved by the European Parliament, along with the Council of the European Union and the European Commission, and adopted on April 27, 2016. This regulation was developed as a replacement for the more limited Data Protection Directive put in place in 1995. As a substitute, the GDPR is intended to not only strengthen data protection measures across the European Union but also maintain data protection standards for years into the future.
The GDPR includes the following changes compared to the Data Protection Directive:
- Standardization: The Data Protection Directive’s biggest weakness was the fact that it was a directive, meaning that it could only set minimum legal standards for EU states. Each EU state therefore had to create its own data protection laws, which resulted in a wide variety of data protection laws across Europe with little standardization. GDPR is designed to solve this problem: as a regulation, it imposes a uniform law on all EU member states without requiring national legislation to pass. The result is standardization across the EU, making the regulatory environment simpler for international businesses.
- Control: One of the primary goals of the GDPR is to give control of personal data back to citizens and residents of the EU. This is reflected by requirements that subjects give consent before data is processed, that collected data is anonymized and safely handled when transferred, and that breaches are handled with the utmost urgency and care. The regulation also applies strict rules to the export of personal data to entities outside of the EU and requires certain types of companies to appoint data protection officers for overseeing GDPR compliance within their organizations.
These GDPR requirements will take full effect on May 25, 2018, so companies the regulation applies to must ensure that they’re compliant with the new requirements before that date. Any business that fails to comply with GDPR before that deadline will be subject to penalties and fines.
Who Does GDPR Apply To?
As an EU regulation, GDPR is designed to protect the personal data of data subjects residing in the EU. Specifically, Article 3 of the GDPR states that it applies to the processing of personal data of citizens and residents of the EU, even if the processor isn’t established in the EU. Practically, this Article means that the Regulation applies to any company marketing goods or services to EU residents and citizens. These include:
- EU States: Government entities that handle the personal data of citizens and residents of the EU are as much subject to GDPR rules as any company.
- EU Companies: EU companies, since they are both located within the EU and handle transactional and personal data of EU citizens and residents, are expected to comply with GDPR.
- Global Companies: Any company that markets goods and services to EU states and completes transactions with EU citizens and residents is also expected to maintain GDPR compliance, regardless of where the corporation is located. Even if it has no staff or equipment located in the EU, if its marketing efforts extend to the EU or it uses personal data to track the behavior of EU citizens, it is subject to GDPR rules.
Because of the increasingly global economy, more companies than ever are working in the EU, marketing and selling to EU citizens. From app developers to Internet-based businesses and multinational corporations, businesses worldwide work with EU citizens and residents. This means that the types of companies subject to GDPR laws are so varied and widespread that the implementation of GDPR will have a global effect on data protection requirements. This is yet another difference between the GDPR and the 1995 Directive, as the Directive was not nearly as expansive or far-reaching.
What Are the Penalties for Non-Compliance?
Article 79 is one of the GDPR provisions getting the most attention recently, as it introduces penalties and fines into data protection regulations. Specifically, the GDPR introduces:
- Increased SA Authority: SAs, or Supervisory Authorities, are independent organizations that investigate complaints about businesses and their compliance with GDPR rules. Under GDPR, these organizations have more authority than they did under the 1995 Directive, holding both investigative and corrective powers. SAs may perform audits to ensure compliance, issue warnings for non-compliance, set deadlines for compliance correction measures, and decide on the penalties and fines to be issued to specific companies for certain infractions. SAs can even order data to be erased and block organizations from transferring data between countries.
- Non-Compliance Fines: The GDPR allows SAs to issue larger fines than under the Data Protection Directive. Under the former Directive, penalties and fines were largely determined by the member states and tended to be very low compared to industry standards. Under the GDPR, however, fines are set by the SA based on the circumstances of the case. The SA may choose whether to impose a fine, as well as its precise amount. Generally speaking, companies that fail to comply with significant provisions may face fines of up to four percent of the company’s total worldwide annual turnover. While four percent may seem like a small amount, it can total in the millions or billions for larger corporations. Alternatively, smaller companies with lower annual turnover may face fines of up to 20 million Euros.
By introducing a stricter fining procedure and giving more power to Supervisory Authorities, the GDPR encourages and enforces its rules much better than the 1995 Directive. Effectively, this emphasizes the importance of data protection for EU-affiliated organizations and ensures more widespread implementation.
Does My Company Need a DPO?
Data protection officers, or DPOs, are another essential part of the GDPR, required for certain companies. The function of a data protection officer, as defined under Article 37 of GDPR, is to monitor the compliance of the enterprise, provide advice about the Regulation and serve as a contact point for the company’s Supervisory Authority. Essentially, these data protection officers provide companies with the expert knowledge they need to manage and maintain their compliance with data protection laws and handle non-compliance issues.
Under Article 35, DPOs are mandatory for companies and organizations that fall into one of the following categories:
- Public Authorities: All public authorities, except courts acting in judicial capacities, are required to appoint a DPO to monitor their compliance with GDPR.
- Companies Handling Special Data: If the core activities of a company include regular, large-scale monitoring and processing of special categories of data, it must appoint a DPO. These special categories include data about an individual’s race, ethnicity, political affiliations, religion, philosophy, union membership, genetic data, biometric data, sexual orientation or health data. Often, such data is collected for human resource purposes.
Since DPOs are essential to maintaining compliance with GDPR, both in their appointment and in their function within an organization, DPOs must meet the following requirements:
- Appointment: DPOs must be appointed based on their professional qualities and expert knowledge of data protection law and practices. The appointee may be either a staff member or an external service provider, provided that their status does not interfere with their duties.
- Resources: DPOs must be provided with the resources they need to carry out their tasks and maintain their knowledge. This includes putting them in contact with the company’s SA and allowing them to pursue continued education in the subject area.
- Responsibilities: DPOs are required to comply with GDPR requirements and must report directly to both their company’s management and their local SA. They may not carry out tasks that could result in a conflict of interest.
How Do I Deal with Data Breaches?
Data breaches are handled with much more uniformity under the GDPR than under the 1995 Directive. Under the former directive, EU member states were able to adopt different data breach notification laws – this variation in legal requirements meant that companies suffering from data breaches had to research which laws they had to follow and how to meet the demands of those laws. Under the new GDPR regulation, however, all data breaches fall under the same requirements.
Articles 31 through 34 cover what to do in case of a data breach. Under the GDPR, the breached organization must:
- Notify the SA: Breached organizations must notify their SA within 72 hours of becoming aware of the breach. The notification must describe the breach in detail: its nature, the categories of data involved, the range and scope of the data involved, the potential ramifications of the breach and the time of the incident. The report must also include the contact information for the organization’s data protection officer, along with measures the controller has taken or plans to take to mitigate the effects of the breach.
- Notify Breach Subjects: Under certain circumstances, detailed in Article 32, the organization must also notify the subjects involved in the data breach of the event. This is required if the data breach is likely to result in risk to the subjects’ rights and freedoms. If this is the case, subjects must be notified as soon as possible, and the notification must include contact information for the company’s data protection officer, potential consequences of the breach and any remediation efforts planned or taken to address the breach.
The second of these points is not always required. If the data in question was not personal and is unlikely to result in harm to individuals if revealed, subject notification is not necessary. Additionally, even if the breached data was personal and potentially harmful, individual notifications may not be required if the data was appropriately anonymized or if the scope of the breach is so large that individual notification would require a disproportionate effort. In the latter case, a public announcement may be more appropriate.
If a company experiences a breach and does not notify its SA within the required time limit or does not notify affected subjects within a reasonable amount of time, it may be subject to substantial fines, depending on the assessment of its SA. Companies can reduce this risk by identifying breaches early with a GDPR-compliant network monitoring system and following GDPR requirements closely.
What Is the Best BlackStratus Product for This?
Maintaining compliance with the new GDPR laws will take a great deal of work and development, especially if your company doesn’t already have extensive security and monitoring systems in place. Between the monitoring requirements and the staffing and contact needs involved in maintaining GDPR compliance, your company needs a system that will help balance it all. BlackStratus can help with a GDPR-compliant cloud SOC.
BlackStratus offers CYBERShark as a comprehensive cloud-based managed security service for GDPR. This cost-effective solution for MSPs is designed to provide around-the-clock managed security for GDPR to small and mid-size businesses. By white-labeling the CYBERShark system, your company can benefit from a host of managed security and compliance services, as well as a system that is compatible with over 1,000 network devices, operating systems, servers and other appliances.
The CYBERShark security and compliance platform offers:
- Advanced architecture designed to help businesses minimize their risks and manage their compliance with regulations like GDPR while still maintaining business continuity
- Multi-tenancy support that helps your company store customer data and accounts while protecting the integrity of their personal information
- A GDPR-compliant network monitoring system that provides real-time attack visualization, helping identify attacks and breaches as they happen, using rules-based, vulnerability, statistical and historical correlations to alert you immediately and identify crucial attack information for reporting
- Vulnerability correlation software that integrates all the data from your detection systems, identifying and eliminating false positives so that your team is free to focus on actual threats
- GDPR-compliant log management, which compiles data into GDPR-compliant logs while also improving visibility across your company’s distributed networks, allowing your business to identify patterns in customer behavior and spot both hidden threats and opportunities
- Sophisticated reporting tools to help put together reports for GDPR audits, as well as for other regulatory frameworks like ISO, PCI, HIPAA and SOX
With the tools provided by this GDPR-compliant SOC, your business and your data protection officer are better able to prevent and mitigate breaches and maintain compliance with the new GDPR standards.
See CYBERShark™ in Action
Interested in learning more about how CYBERShark can help your business attain and manage compliance with GDPR standards? Speak to a member of our team today to get a free demonstration. Give us a call at 844-564-7876.