GDPR Compliance: Far More than IT Security Controls

The European Union (EU) General Data Protection Regulation (GDPR) goes into effect May 25, and many organizations remain woefully unprepared to comply with its requirements. In a March 2018 survey of IT decision-makers conducted by Opinion Matters, 67 percent said their organization may not meet the GDPR deadline. Forty percent of U.S. businesses and 35 percent of global businesses fear that the financial penalties for noncompliance could threaten their existence.

The GDPR is a set of data protection and privacy standards that apply to any organization that stores or processes the personal data of individuals within the EU. It replaces the EU Data Protection Directive, which is more than 20 years old and does not address things like smartphones, social media and big data analytics. However, the GDPR is not simply a technical refresh of the older regulation. It is broad in scope and includes sweeping new protections that will have a dramatic impact on organizations worldwide.

U.S. businesses cannot ignore it — the focus is on the subject of the data, not where it is processed or stored. Organizations that do not comply will face stiff penalties of up to $20 million or 4 percent of their total annual revenue.

The GDPR has some of the earmarks of other data protection regulations, such as the Health Insurance Portability and Accountability Act (HIPAA). Organizations must provide “sufficient guarantees to implement appropriate technical and organizational measures” to ensure data security. This includes everything from data encryption to regular testing and evaluation of security systems.

Should a data breach occur, it must be reported to the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours” after it’s discovered. By comparison, the various state data breach laws in the U.S. typically require notification in 30 to 45 days. Even if the data breach is relatively small, 72-hour notification will prove extremely difficult for most organizations.

But the most challenging aspect of the GDPR lies in the control it gives individuals over their personal data. Organizations must provide individuals with access to their personal data, correct any inaccuracies and delete that data upon request. To comply, organizations will need to know where all of the data related to an individual resides, and be able to access it quickly. In the Opinion Matters survey, just 52 percent of U.S. businesses and 39 percent of global businesses said they’re confident they know where their data is stored.

Transfer of personal data requires an individual to provide consent with “a statement or a clear affirmative action.” In other words, implied consent and the ability to opt-out are no longer sufficient. There are also new conditions for transferring personal data to a third country or international organization to ensure adequate protection.

The automated processing and analysis of personal data for the purpose of profiling is restricted, and data controllers will have greater responsibility for processing activities handled by vendors. The GDPR creates incentives for pseudonymization, which separates data from a personal identity without making it anonymous.

Organizations are required to appoint a data protection officer (DPO) to oversee their data protection strategy. The DPO is responsible for educating staff, maintaining comprehensive records, monitoring and auditing compliance, and serving as liaison between supervisory authorities and individual data subjects.

Clearly, the GDPR requires far more than the implementation of IT security controls. In our next post we will discuss some of the actions organizations should take as they prepare for GDPR compliance.