If you are in compliance or regulations and haven't heard of GDPR by now...you are far behind the power curve.
First a little history. GDPR was enacted on 25May2016 and will be fully enforced on 25May2018. The two years in between are designed to help companies worldwide become compliant and plan for the impact that GDPR will make. Consider GDPR a massive improvement on PII (Personally Identifiable Information) protection, as well as on the definition of what counts as PII under GDPR guidelines. The first thing you need to know is that the "G" in GDPR stands for General; however, the way the regulation is written, the "G" effectively means Global. This means that if you handle any GDPR information for an EU or UK citizen, regardless of where you are in the world, then you fall under GDPR and its possible penalties. Additionally, if you are located in the EU and process data from non-EU persons, it still applies to you. GDPR penalties are nothing to laugh at either, given that the fines are up to $26MM or 4% of your organization's global gross revenue...whichever is greater, scaled to how badly your company screwed up.
So, to make it easier to understand, if you deal with EU data then GDPR would apply to you. If you are in the EU and process data from outside the EU then GDPR applies to you.
If you deal with regulations then you know very well how much fun it is to read hundreds of pages of boring content. To make it easier, I refer people to gdpr-info.eu for an easier way of reading and understanding. This website takes the regulation and breaks it down for easier searching and referencing.
Having said that, GDPR can be complex! Data Controllers have quite a few responsibilities and an obligation to ensure processors are following the rules as well. Take a look at the below image that shows just some of the complexities of a controller.
In a nutshell though, what is GDPR? Well, GDPR takes all the current PII definitions and expands on them. The short story is that if you have any sort of personal information that can be attached to a name, so that you can determine who that person is, then you have a GDPR situation. So, say I have the name "Tom Jones" (not the famous singer) and I happen to have the email address "[email protected]"; then I could attach the name to an email address and would be under GDPR. This would mean that I would have to be able to prove a few things: 1. how I got the information, 2. why I have the information, 3. what I am going to do with the information, 4. how I protected the information, 5. whether I gave the information to anyone or not, 6. how I destroyed the information, 7. all aspects of how I processed the information. To put it very subtly, this is HUGE!!!
The above scenario would also apply in a variety of ways, such as having, or having knowledge of, a person's:
- phone number
- IP address
- sexual orientation
- political orientation or political opinions
- union or trade memberships
- religious or philosophical beliefs
- racial or ethnic origin
- genetic or biometric data
- health related data
- anything to do with the data of a child under the age of 16
- in addition to anything not listed above but currently covered under PII, PCI, PHI, FTI, etc...
You will also need to understand three main classifications of entities. The first is the data subject: the human that the information is attached to. The second is the controller. A controller is the entity that receives the sensitive information from the data subject for processing, and the processing should be in line with the consent form filled out by the data subject. The last is the role of processor. A processor is an entity that performs a task (or tasks) on behalf of one or more controllers and is under contract by the controller to perform those tasks as well as to protect the data to the same, or better, standards. It should be understood that some controllers can also be processors. So, for example, ADP (the payroll company) probably doesn't outsource payroll to another company, so that would make ADP both a controller and a processor. Conversely, any company that outsourced payroll to ADP would be a controller, and ADP would be a processor for that company.
So, what do you or your company have to do to become compliant or get closer to compliance? Quite a few requirements have become mandatory based on the language as well as the penalties.
- Assign a Data Protection Officer (DPO) - A DPO must be assigned if processing large amounts of GDPR data. This person must be available and involved wherever there is a possibility of a loss of GDPR data. The DPO will be the point person for any GDPR issue with the affected persons and the Supervisory Authority (SA).
- Lawfulness of processing - Does your company have a lawful right to receive the data, store the data, or process the data? If you are unsure, then you are suggested to resolve this immediately as unlawful possession of GDPR data would be a serious violation.
- Data protection by design - You can no longer buy or build software and then run security assessments or vulnerability analysis after that software is in production. Now, you must assess data protection during development (devops) and ensure the data protection of 3rd party software before deploying it into production.
- Old equipment - You can't keep your legacy Windows boxes around any more because you didn't plan on upgrading or don't have the budget to upgrade, and the same applies to software that you simply didn't want to go through the hassle of upgrading. With GDPR you must "implement appropriate technical and organizational measures". This means that old equipment or software isn't appropriate and will come back to bite you in the end.
- Encryption - To put it simply, if your GDPR data (or any sensitive data) isn't encrypted then you are in serious trouble. This means completely encrypted at rest and in transit. One area of question is a site to site VPN tunnel. In this particular case there is not enough encryption, because the tunnel itself is encrypted but the computer to computer traffic running through the tunnel is not. Other areas of appropriate security are recommended besides just encryption, but failing to encrypt will be a huge red flag for a GDPR investigator if it comes up.
- Data Protection Assessments - As a part of doing business you will now be expected to assess your levels of data protection and acknowledge or remediate what is needed in order to become GDPR compliant.
- Privacy Impact Assessments - Similar to a data protection assessment, you are now expected to do a privacy impact assessment to increase visibility into what level of impact a privacy issue would have on the data subjects as well as on your company.
- Logging - As a part of transparent communication, the data subjects (the people who the data actually refers to) have the right to request a complete understanding of how their data was used. This means that you will have to be able to effectively report on who opened GDPR data, what they did with GDPR data, who they sent GDPR data to, how GDPR data was destroyed, etc... Essentially, complete awareness as it relates to all aspects of how the GDPR data was used...this means intense logging.
- Consent - Data subjects must have a clear and concise method of consenting to having their GDPR data collected from them, and must understand completely, with no room for misunderstanding, how their data will be used and stored. So, remember all those websites that indicate cookie use? You will see a lot more of that! There can be no confusion in the consent message at all. The data subject must also have the ability to revoke consent in a manner just as easy as giving consent.
- Data Mapping - You must be able to demonstrate accurately how GDPR data flows through, is processed in, and is stored on your network.
- Policies - Now, you must have the appropriate administrative controls in place that allow for the protection of GDPR data. This means that you can no longer run a business without solid policies that can stand up to ISO, NIST, GDPR, etc... Your policies would have to cover data classification, data retention, data destruction, encryption, etc...
- Data Subject Rights - The owner of the actual GDPR data has numerous rights, and if you are a company that processes or stores GDPR data then you are obligated to comply with their requests. Specific rights are:
- Transparent Communication - Similar to the logging bullet point, the data subject has the right to complete and fully transparent communication of how their data is stored or used. This communication must be done in a secure manner where the data subject isn't put at risk. Additionally, the first request from a data subject is free; however, any follow-on request can be charged for.
- Right of Access by data subject - Again, as mentioned in the logging bullet point, the data subject has a right to see their own information. There can be no restrictions on access and no intentional deletion or denial of data.
- Right to rectification - The data subject has the right to correct, or change, their information if they feel it is incorrect.
- Right to be forgotten - The data subject has the right to insist on the total and complete erasure of their data. There are exceptions to this, but they mostly concern the health industry and the criminal justice system.
- Right to restriction of processing - The data subject has the right to restrict processing or prevent specific entities from accessing their GDPR data.
- Notification - The data subject has every right to be notified as soon as possible of any issues or loss of their data, and the company has only a limited amount of time to ensure this happens.
- Storage - You may only keep GDPR data for as long as you legitimately need it. Retaining longer puts your company at risk as well as violates GDPR.
- Right to object - The data subject has the right to object to the reason for processing or storage.
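The logging, storage and right-of-access bullets above describe what you must be able to answer for any one data subject: who opened their data, who it was shared with, whether it was erased, and whether you are keeping it longer than you need. The following is an added illustration (not part of the original article or of any Arrakis tooling) of an append-only audit trail that produces that subject report and flags records held past a retention period; all event records, actor names, subject ids and the 90-day retention period are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# The date the article gives for full enforcement, used as "now" in the sample run.
ENFORCEMENT_DATE = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    actor: str        # staff account or system that acted on the data
    subject_id: str   # data subject the record belongs to (hypothetical id)
    action: str       # "collect", "open", "share", "rectify" or "erase"
    detail: str = ""  # recipient for "share", field for "rectify", basis for others


class GdprAuditLog:
    """Append-only log: events may be added, never edited or removed."""

    def __init__(self) -> None:
        self._events: List[AuditEvent] = []

    def record(self, event: AuditEvent) -> None:
        self._events.append(event)

    def subject_report(self, subject_id: str) -> Dict[str, object]:
        """Right of access / transparent communication: what was done with one subject's data."""
        mine = sorted((e for e in self._events if e.subject_id == subject_id), key=lambda e: e.when)
        return {
            "opened_by": sorted({e.actor for e in mine if e.action == "open"}),
            "shared_with": sorted({e.detail for e in mine if e.action == "share"}),
            "erased": any(e.action == "erase" for e in mine),
            "timeline": [(e.when.isoformat(), e.actor, e.action, e.detail) for e in mine],
        }

    def overdue_for_erasure(self, retention_days: int, now: datetime) -> List[str]:
        """Storage limitation: subjects collected more than retention_days ago and never erased."""
        collected = {e.subject_id: e.when for e in self._events if e.action == "collect"}
        erased = {e.subject_id for e in self._events if e.action == "erase"}
        return sorted(s for s, t in collected.items()
                      if s not in erased and now - t > timedelta(days=retention_days))


def build_sample_log() -> GdprAuditLog:
    """Constructed sample events; every name, id and timestamp is invented for illustration."""
    t0 = datetime(2018, 1, 10, 9, 0, tzinfo=timezone.utc)
    log = GdprAuditLog()
    for e in [
        AuditEvent(t0, "web-form", "subj-001", "collect", "consent: newsletter"),
        AuditEvent(t0 + timedelta(days=1), "alice", "subj-001", "open"),
        AuditEvent(t0 + timedelta(days=2), "alice", "subj-001", "share", "payroll-processor"),
        AuditEvent(t0 + timedelta(days=3), "bob", "subj-001", "open"),
        AuditEvent(t0, "web-form", "subj-002", "collect", "consent: account"),
        AuditEvent(t0 + timedelta(days=5), "bob", "subj-002", "erase", "right to be forgotten"),
    ]:
        log.record(e)
    return log
```

Running `build_sample_log().subject_report("subj-001")` answers a subject access request from the log alone, and `overdue_for_erasure(90, ENFORCEMENT_DATE)` lists subjects whose data should already have been destroyed.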
At the time of this writing, 70-80% of USA based businesses and over 50% of EU/UK businesses are not ready. Those that are the most ready have been preparing for over 2 years. This means that fines and penalties (including confinement) are a real possibility. You will see companies going on a massive spending spree for more security related appliances and services. The GDPR regulatory bodies are designed to be self funding, in that they will survive off of fines; this means that there will be an active search for GDPR violators.
You should also understand that GDPR is an overlay regulation. This means that you could be fined under GDPR and then receive more stringent country fines on top.
So, should you be concerned, knowing that funding is based off of fines? Yes...ABSOLUTELY! The cost of compliance is far cheaper than dealing with the costs associated with sanctions. For example, we have already discussed how GDPR could impose up to $26MM or 4% of global gross revenue (whichever is higher) as a fine. On top of that come possible country/state/province laws that could be more stringent and include criminal charges. For example, GDPR requires breach notification within 72 hours; however, Belgium requires it within 24 hours. GDPR indicates 30 days to respond to a data subject request; however, Ireland indicates 21 days. Belgium has an additional 800,000 Euro fine for failing to register as a controller (Germany is a 50,000 Euro fine and Ireland is a 100,000 Euro fine). GDPR doesn't necessarily indicate a statute of limitations; however, Ireland does. GDPR indicates tough cookie and spam requirements, and they can only get tougher, with an extra 800,000 Euro fine from Belgium if you are located there. The UK requires a warrant to enter premises when investigating a data protection incident, yet GDPR doesn't indicate you need one, and Germany and Ireland specifically DON'T need a warrant provided it is during business hours.
What happens if you get caught? Naturally you should immediately show an "attitude of compliance" and offer your complete support in their investigation. Even if this results in temporary downtime or loss of productivity, you should show that you are "very concerned" and want to offer any support needed to help bring the investigation to a speedy close. Remember that the Supervisory Authority needs to conform to timelines as well, and if you slow down the investigators then they will have to deal with that, which is likely to increase the level of discomfort of the investigation greatly. The short story is: provide the absolute best example of compliance and cooperation possible. Hold nothing back and keep no secrets from the investigators. Let's not forget that you should also immediately alert your legal team.
You should also honestly ask yourself if you deserved to get caught. Did you prepare for GDPR? Did you even attempt to conform with GDPR in a timely manner, or did you start to care 3-4 months before 25May2018? Do you honestly know you have areas needing improvement but you just "haven't gotten around to it"? Can you effectively demonstrate that you truly care about protecting data and the lawful processing of that data? If you didn't make any attempts and simply hoped that the regulators would never find you, then you truly deserved to get caught. The protection of data should never be taken with anything other than extreme seriousness. The cost of compliance will always be less than the cost of sanctions. Think of it this way: if you leave your house unlocked and you get robbed, the police or insurance will probably not look favorably on your lack of care in protecting your own valuables.
What happens if you receive sanctions? Well, first, the sanctions can be "up to" $26MM or 4% of global gross revenue (whichever is greater); however, that doesn't mean that they will immediately jump up to $26MM. For smaller companies, $26MM may simply not be possible and would put the company out of business. This means that jobs will be lost and possibly families will be at risk. Aside from a situation where it is safer for the public that the company is literally put out of business, it seems counterproductive for a government organization to make the unemployment numbers worse. This doesn't mean that sanctions won't occur, just that the sanctions may be of such a nature that the message of why they occurred is effectively delivered without destroying the entire company. Your company should also consider negotiation and the use of any appeal process that may be available to help reduce the sanctions, or propose paying any fines or penalties over time rather than all at once. Assuming none of that works, then you should figure out how you are going to pay those fines. The end result is that if you don't pay the fine, and are in the EU, then you will be prohibited from running your business. If you are outside the EU, then you can be prohibited from processing any EU data at all, which may well be more of an impact on your company than just paying the fine. Additionally, you will also have to deal with the reputational and political risk around customer trust. You will likely want to connect with a professional PR firm that specifically deals with reducing the potential damage. What you absolutely should not do is portray anything less than the truth to your customers. GDPR and various country laws will require disclosure to affected individuals; however, you should consider being proactively upfront about the situation and showing that you are dealing with the issue in a positive, proactive, and honest manner.
The end result is that unless you are willing to sacrifice all business opportunities with numerous first world, industrialized, and wealthy countries, you should figure out how you are going to pay that fine. You should also understand any localized country laws that you may be in violation of that could lead to criminal extradition proceedings, or simply to know which countries you should avoid on vacation. Having said that, the EU is cooperative, so deciding not to go to Belgium, for example, because you violated its criminal data protection laws...may also put you in a position where you simply don't want to visit the EU at all, for fear of being arrested in Spain and then sent to Belgium.
This article doesn't cover all aspects of GDPR, just the highlights. If you even suspect that you may have GDPR data, then you are encouraged to contact us. Arrakis has experience bringing companies closer to GDPR compliance and can help you resolve your GDPR issues before they become serious. Arrakis has provided GDPR consultation to numerous Fortune 500 companies to help achieve this goal. Contact us today so we can help you help yourself!
- GDPR Rapid Assessments: A rapid assessment that gives you high visibility of your GDPR environment and a rough understanding of your posture and potential risk. Generally lasts 3-5 weeks. The activities involve 5-10 hour-long interviews and a review of current policies/standards/procedures, with everything wrapped up in an informative report.
- GDPR Detailed Assessments: A detailed assessment of your GDPR posture and potential risk. Deliverables include a detailed report and an SOW for Arrakis support in the area of remediation. The activities involve 10-20 hour-long interviews, a detailed review of current policies/standards/procedures, review of network topology maps, data flow diagrams, etc... Generally lasts 7-9 weeks.
- GDPR Remediation Support: Arrakis will provide detailed and informative support in the areas of GDPR remediation. Arrakis personnel are high quality, with numerous years and remediation projects under their belt, and generally of the "C" suite type.
Hear the GDPR interview with priceofbusiness.com here.
Read the GDPR interview with www.paymentssource.com here.