In this Ask the Admin, I will provide guidance on what you need to know about the new regulation.
All companies dealing with EU data subjects, even those not located in the EU, will need to comply with the EU General Data Protection Regulation (GDPR) by May 25, 2018. Fines for noncompliance can be up to 4 percent of annual turnover or 20 million euros, whichever is higher. It is impossible to cover all the intricacies of GDPR in this article. We will go over the basics.
Data Subjects, Controllers, and Processors
EU GDPR differs from current legislation. Organizations must comply, even if the data controller and processor are located outside the EU. It is important to note the location of the data subject. This is speaking about the person or body to which the data is related. A data controller decides how data can be used and in what manner it can be processed. Data processing includes actions such as retrieval, erasure, organization, alteration, and storage.
Like most regulatory codes that involve protecting personally identifiable information (PII), the EU GDPR probably does not require you to do anything that is not already considered a best practice. But considering many organizations turn a blind eye to even the most basic of security principles, it might be time to make some changes to IT operations and business practices. This is especially true if the new rules apply to you.
Data Protection By Design and By Default
GDPR does not contain a checklist of technical requirements that organizations must meet. Instead, it contains a set of principles. The first of these is to implement appropriate technical controls and organizational measures where data protection is by design and by default. Security cannot be an afterthought or something that is bolted on as an extra. Doing security after an app or system has reached production, is not only much harder, but not as effective as factoring it in from the beginning.
State of the Art
This is a principle that is left open to interpretation. I think it is safe to assume that organizations are expected to adopt current technologies and best practices when it comes to securing data. For example, it has long been acknowledged by experts that antimalware and endpoint firewalls are not enough to protect servers and end-user devices. Other measures, such as application control and removal of administrative privileges, are key to reducing the attack surface. As a constantly evolving arena, organizations need to review their security measures and procedures regularly.
Keeping Track of Data
Data processing must be audited. You need to know who did what and when. You need to know the DPA and any affected individuals. They must be notified of data breaches that expose PII with 72 hours to the DPA. The IT department needs to be able to identify where PII is located so that it can be accessed, modified, and destroyed. On that note, data subjects have the right to request information stored about them in a readable format. Organizations must ensure that all disaster recovery procedures are in place and have been tested.
Data Protection Officer
Public authorities must appoint a Data Protection Officer (DPO) to monitor compliance. For other organizations, a DPO is optional but recommended. This is even more important if there is a large-scale processing of subject data or especially sensitive information being processed, such as criminal records. Whoever is appointed to this role must have demonstrable experience in a similar position.
In this article, I outlined the basic requirements set out by the EU GDPR. For more detailed information, see Reform of EU data protection rules.