The General Data Protection Regulation (GDPR) is a regulation that requires businesses in the European Union (EU) to protect citizens' personal data and privacy in the EU. The GDPR applies to all transactions involving data collection in the EU and imposes stiff penalties for noncompliance. It sets new standards for consumer rights and challenges organizations to maintain compliance, especially for security teams that need to enforce these new rules.
One of the reasons for these difficulties is that the GDPR defines Personally Identifiable Information (PII) more broadly than previous data protection measures. For example, data such as name, address, and social security number have long been considered PII, but the GDPR also treats digital data like cookies and IP addresses as PII. Another issue is that the GDPR refers to a “reasonable” level of protection for PII without further defining this term. This ambiguity provides GDPR regulatory agencies a great deal of leeway in assessing penalties for noncompliance.
RedTeam Security is well-versed in the arena of GDPR compliance. We don’t make companies GDPR compliant, but our services can meet some requirements for compliance. Schedule a free consultation with our cybersecurity experts today to learn more about how we can help you become GDPR compliant. Contact us online or call 612-234-7848 today to discuss your cybersecurity needs.
The European Parliament adopted the GDPR in April 2016 as a replacement for a data protection directive from 1995. It carries provisions for the protection of PII, including the export of personal data outside the EU. All 28 members of the EU have passed the provisions of the GDPR into legislation, allowing all organizations within the EU to follow the same standard. However, this standard requires most companies to invest significant resources to achieve and maintain GDPR compliance.
The GDPR covers many types of PII, including the following:
The GDPR protects EU citizens when their PII is stored, processed, or transmitted within the EU. It also regulates the exportation of PII outside the EU.
The GDPR affects all organizations that directly handle PII on EU citizens, as well as their vendors and other third parties.
Organizations with a physical presence in the EU are bound by the GDPR, even if they don’t have a business presence in the EU. GDPR also applies to organizations that process the PII of EU residents. GDPR automatically applies to organizations with at least 250 employees, while the GDPR is somewhat more complex for smaller organizations. In these cases, the GDPR applies if the organization’s data processing affects EU citizens' rights or includes covered types of PII. In practical terms, this means a company’s size doesn’t affect the applicability of the GDPR.
Companies outside the EU are also greatly affected by the GDPR. A 2016 survey by PwC showed that 92 percent of U.S. companies consider the GDPR a top priority for data protection. Fifty-three percent of the respondents in a 2018 survey by Propeller Insights indicated the technology sector would be most affected by the GDPR. Others thought sectors like online retailers, software companies, financial services, and online services would experience the most significant impact.
The GDPR places equal liability for the protection of PII on data controllers and data processors. Data controllers are the organizations that own the data, while data processors are organizations that participate in managing the data. If one of the data processors isn’t in compliance, the data controller isn’t in compliance either. The GDPR also imposes strict rules requiring all organizations in this group to inform customers of their rights under the GDPR and to report data breaches.
This collective liability means that a data owner’s contracts with customers and third parties like cloud providers, payroll service providers, and SaaS vendors must specify each party's responsibilities with respect to PII. They must also define consistent processes for managing and protecting data, in addition to the specific methods for reporting breaches.
Third-party data processors represent the largest expenditure of resources when a data owner is attempting to become GDPR compliant. Data processors typically have access to a large amount of PII from the data owner, and the GDPR makes it very clear that data owners need to ensure their vendors are in compliance with the GDPR. Contracts with clients also need to reflect the changes in government regulations due to the GDPR. This regulation also requires leaders in business, IT, and security to understand how their organizations store and process data to develop a compliant process for reporting data breaches. This process is a significant undertaking, but it’s essential for identifying the vendors that an organization needs to focus on from a security perspective.
The GDPR may also change the mindset of organizational stakeholders when it comes to data. They traditionally view their data as an asset to leverage, but this perception may shift to view the accumulation of data as an increase in liability. Organizations need to track data flow as it leaves their control and put appropriate protections in place, which they must specify in their contracts. This step will help third parties understand what they can and can’t do with the data they obtain from their clients.
Reporting a breach is especially important under the GDPR, which allows a 72-hour window from when a breach occurs to the time it must be reported. This requirement can be challenging when a vendor with many clients is breached. Each client may have a different entity for the vendor to notify, which could be someone in accounting, accounts receivable, or procurement. The contract between vendor and client must clearly define the reporting path in the event of a breach. The GDPR requires policies, procedures, and response structures that will allow an organization to complete its reporting process quickly.
The sheer number of contracts that a company may need to update also complicates the process of getting vendor contracts into compliance with the GDPR. An organization must know what data it has, how it’s processed, and where it goes before defining the responsibilities for handling that data. Many organizations find themselves having to play catch-up in completing the operational and technical issues needed to get the proper contracts in place before a deadline. The GDPR requires organizations to know what their operational processes with vendors will be. In particular, they need to know how their vendors’ security framework operates.
The GDPR defines three roles for ensuring compliance with its requirements: the Data Controller, the Data Processor, and the Data Protection Officer (DPO).
The data controller defines how the organization processes PII and the reasons for processing it. This role is also responsible for ensuring that third parties comply with the organization’s data practices.
Data processors maintain and process PII. They may be internal or external to the organization and may perform some or all of these activities. The GDPR holds processors liable for noncompliance and breaches, so it’s possible that both an organization and its data-processing partners could be subject to penalties under the GDPR even if the partner was entirely at fault.
The GDPR requires the controller and a processor to designate a DPO, who ensures compliance for a particular data set by overseeing its data security strategy. Organizations need a DPO if they meet any of the following criteria:
Some government organizations like law enforcement agencies may be exempt from the requirement to designate the DPO.
Eighty-two percent of the respondents in the Propeller Insights survey indicated their organization already has a DPO on staff. However, 77 percent said they planned to hire a new DPO before the planned deadline of May 25, 2018 for implementing the GDPR. This regulation will also require most organizations to hire additional personnel to comply with the GDPR. About 55 percent of survey respondents reported recruiting at least six employees for this purpose.
The GDPR allows regulatory bodies to assess penalties as high as €20 million or four percent of the organization's global annual turnover, whichever is greater. However, most of the fines that have been imposed are well below this limit. The GDPR enforcement tracker reports that the EU has issued 282 fines for noncompliance as of May 29th, 2020. The great majority of these fines have been for thousands or tens of thousands of euros. DLA Piper's GDPR Data Breach Survey reports that the largest fine so far is for €50 million, which was imposed against Google in January 2020. The reasons for this fine included the lack of valid consent and transparency.
Regulators admit they lack the resources to handle the reports on data breaches that they've received, so they'll require more time to establish identifiable precedents for this process. The fines are also inconsistent across different regulators, adding to the uncertainty of the fines for noncompliance. Regulators currently disagree sharply on how they should calculate these fines, and observers believe that GDPR is still years away from providing legal certainty on this issue.
For the time being, demonstrating a good-faith effort to comply with the GDPR should be enough to protect organizations from harsh penalties. UK Information Commissioner, Liz Denham, stated in a 2018 speech that enforcement is a last resort and that the Information Commissioner's Office (ICO) would reserve hefty fines for organizations that “persistently, deliberately or negligently flout the law.” She added that organizations that self-report, engage with the ICO to resolve issues, and demonstrate effective accountability can expect the ICO to take these factors into account when considering regulatory action.
The GDPR is currently the world's strictest law on data privacy and security. The fact that it applies to any organization that collects data on people in the EU means that the GDPR can affect organizations worldwide, even if they aren’t based in the EU. The specific requirements of the GDPR are extensive.
GDPR.eu is also a valuable resource for learning more about GDPR requirements. This site contains 173 excerpts from the regulation and 99 articles in addition to checklists and guides. It also includes a PDF document of the entire GDPR. These materials all help you walk through how the GDPR may apply to you and your organization.
The following steps will also help improve your business in several ways not directly related to GDPR compliance. For example, the procedural and technical changes needed to comply with GDPR can also create efficiencies in how organizations manage and protect their data, resulting in cost savings. Compliance can also increase consumer confidence, making your business more competitive.
If your review of GDPR leaves you with the feeling that your organization is at significant risk for noncompliance, there are several steps you can take to address these deficiencies. It's essential to begin by instilling a sense of urgency within your organization's top management. Executive leadership must prioritize the task of becoming GDPR compliant before you can expect to make significant progress.
It's also important to get other stakeholders involved, as your IT department won't be able to meet the GDPR requirements by itself. Form a cross-functional task force that includes representatives from any department that collects or uses customers’ PII, including finance, marketing, operations, and sales. These team members must effectively share the information needed to implement the procedural and technical changes that will get your organization in compliance with GDPR. They will also need to prepare for the impact these changes will have on their respective departments.
The risk assessment is usually the greatest obstacle to GDPR compliance. The first course of action should be to obtain a complete picture of an organization’s IT infrastructure, including a list of all applications that it runs. Specific information on the applications that process PII can significantly reduce this phase's scope and the time it requires.
Conduct risk assessments regularly to ensure you know what PII you process on EU citizens and the risks associated with it. These assessments must also describe the measures needed to mitigate these risks. Another critical component of risk assessments is identifying the shadow IT processes that involve PII, regardless of their size. These solutions often pose the greatest risk for noncompliance, since they tend to have a low profile and less documentation.
Many applications meet these criteria, making it challenging for large organizations to identify all of them. In a recent article on CSOonline.com, Matt Fisher, Senior Vice President at Snow Software, estimates that more than 39,000 commercial applications use PII. Only a fraction of these applications typically have high visibility, while the hidden majority poses a severe risk of noncompliance.
Fisher also cites recent trends in IT allocation as a complicating factor in achieving GDPR compliance. He estimates that business units are responsible for about half of an organization’s IT budget in 2020, causing the IT department to lose track of the applications that an organization uses. This loss of visibility can threaten compliance.
Organizations will generally need a DPO to comply with GDPR, which may require them to hire a new team member if they don’t have one qualified for this role. The GDPR doesn’t require the DPO to be dedicated to this task, so it may be possible to fill the position with someone who is already performing similar duties. However, management needs to ensure that this dual role won’t create a conflict of interest.
The DPO may not be a full-time position, depending on the organization. A virtual DPO may be an option in these cases, allowing the DPO to serve multiple organizations. The GDPR allows this arrangement, provided the individual can meet a DPO's requirements for all the organizations. Most organizations already have a Data Protection Plan (DPP), but the DPO will need to review it and modify it as necessary to meet GDPR requirements. The DPO also needs to review the DPP on a recurring basis, especially after operational changes.
Mobile devices require additional measures to comply with GDPR. A recent survey by Lookout, Inc. shows that 64 percent of employees access PII, typically that of customers, employees, or partners, from mobile devices. This practice can significantly increase the organization’s risk of noncompliance due to a loss of control over PII access.
Eighty-one percent of the Lookout survey respondents said their companies allowed them to install personal apps on the mobile device they use for work. If these apps use PII, they must do so in a way that complies with GDPR, even if the device doesn’t belong to the company. This is a particularly challenging requirement to meet since many employees use apps on their mobile devices that their organization hasn’t specifically authorized.
The GDPR requires extensive documentation of an organization’s progress towards compliance. For example, an organization must complete a Record of Processing Activities (RoPA) as described in Article 30 of the GDPR. A RoPA is an inventory of applications that process PII, including where, by whom, and how the organization processes this data. This document is particularly important in the early stage of becoming compliant.
Once an organization has identified risks to data security and developed the appropriate measures for mitigating those risks, it must implement them. In most cases, this step involves revising the organization’s existing risk mitigation procedures. Once the GDPR team completes the RoPA, it can identify and investigate risks to determine the appropriate measures for risk mitigation. Small organizations may need help with this phase, as they often lack the required resources. A variety of external resources are available for mitigating the risks of noncompliance with GDPR, which can minimize the disruption to an organization’s normal operations.
The GDPR requires organizations to report data breaches within 72 hours of their occurrence, so they also need to test their incident response plans. A prompt response time is essential for minimizing the damage caused by the breach and will also affect the risk of fines.
A process for performing ongoing assessments is required for compliance with GDPR, including monitoring and the goal of continuous improvement. Some organizations also implement a program of penalties and incentives to ensure employees comply with the new policies. Forty-seven percent of the respondents in a survey by Veritas Technologies reported that their organization would probably add policies making it mandatory for employees to comply with GDPR requirements. Thirty-four percent of respondents said their organization would reward GDPR compliant employees, while 25 percent said employees might lose bonuses or other benefits for GDPR violations.
RedTeam’s services can meet some GDPR requirements. For example, we can assist you in complying with Articles 25 and 32, which require organizations to provide “reasonable” protection for data and privacy to EU citizens.
RedTeam can provide a free consultation for GDPR compliance. Our services can identify and document possible threats to data security and the privacy of EU citizens. We can also assess the probability of data breaches and their impact on your organization and develop proper security measures to mitigate these risks. Contact us online or call today at 612-234-7848 to schedule your free cybersecurity assessment.