There’s a big change coming in the world of cybersecurity compliance, and it’s coming soon. The days of Equifax getting away with a lax response to a massive data breach are over. The “big change” is called GDPR, and every single business or organization in the world that does business with, or is home to, even one citizen of a European Union (EU) country will be expected to comply with it.
What is GDPR?
GDPR stands for General Data Protection Regulation, and it is the result of nearly 4 years of debate and preparation on the part of the EU to tighten up data security expectations for its citizens and businesses that provide goods and services to them. The law was approved by the EU Parliament on April 14, 2016 and will be enforced starting on May 25, 2018.
Essentially, the law requires businesses to comply with a series of standards that call for high-quality cybersecurity technology, procedures, and monitoring. Its primary focus is to protect the privacy of individuals who have shared personally identifiable information (known in the cybersecurity world as “PII”) with businesses and organizations.
What Are the Implications for Non-Compliance?
The implications for non-compliance are severe. For comparison, many US states require a breach notification to be issued within 60 days of discovery of the breach. In the Equifax case, as you may recall, the breach was discovered “officially” on July 29, 2017, and an announcement was issued on Sept 7, 2017 – more than 60 days after the event. The underlying vulnerability was known as early as March 6, 2017, and patches to correct the vulnerability that led to the breach were not applied until July 30, 2017 – a day after Equifax realized it had a breach.
With GDPR, there would be no mercy for such behavior on the part of a company. GDPR tightens the window from discovery of a breach to announcement of the breach to SEVENTY-TWO HOURS (3 days). It trumps state laws that allow for longer notification periods. There is also no provision in the GDPR for “ignorance” – claiming that your organization wasn’t aware of the requirement – as an excuse for avoiding compliance.
Monetary penalties for non-compliance, whether for missing the breach notification period or for evidence of neglect in achieving compliance, can be severe. The EU will examine various aspects of the situation, including how many people were affected by the breach, the presence of neglect or intentional non-compliance, whether the controller attempted to mitigate the effects of the breach, prior behavior, the degree of cooperation with the investigation, the types of personal data exposed by the breach, and whether the breach was discovered by the EU rather than announced by the organization affected. Fines are calculated from these factors.
If it is determined that non-compliance mainly resulted from technical weakness (e.g., no security assessment had ever taken place, or breach notification was poorly handled), the fine is €10 million or 2% of global annual revenue, whichever is larger. If it is determined that non-compliance resulted from grossly disregarding key provisions of the GDPR, the fine is significantly higher: €20 million or 4% of global revenue, whichever is greater.
Clearly, these penalties alone should be enough to make businesses in NE Ohio and the region stand up and take notice!
Who is Affected?
According to the GDPR’s website (https://www.eugdpr.org/eugdpr.org.html), the new regulation applies to any organization, whether located in the EU or not, that offers goods or services to, or monitors the behavior of, EU data subjects. At its simplest, an “EU data subject” is any citizen of the EU. Think of the implications, for example, for Higher Ed institutions in our region, most of which have students from EU countries in attendance. Higher Ed is particularly vulnerable, if for no other reasons than that cybersecurity has been only marginally implemented in most institutions and that the academic technology environment is open by nature.
What this means is that if your business has received revenue from, provides services to, or tracks information about a citizen of the EU, you are required to comply with every provision of the GDPR, or face significant penalties if found in non-compliance as the result of a data breach or other security event.
What Can You Do to Prepare?
Fortunately, there are many existing standards that, if properly applied, can result in compliance with the GDPR. The NIST Cybersecurity Framework (NIST CSF) is one such framework for achieving compliance. In the case of Higher Ed institutions, there is also the NIST SP 800-171 standard, which is already required for institutions exchanging money with US Federal entities.
The standards, although complex, are not impossible to achieve. I recommend that, if you are concerned (and you should be!), you begin examining your business and the standards that apply to it, and ensure that there is an ongoing effort to achieve or prove compliance. Full compliance can be costly, but the cost of operationalizing GDPR compliance pales in comparison to the penalties the EU imposes for non-compliance.
You may also need to appoint a Data Protection Officer (DPO) if you are a public authority, engage in large-scale systematic monitoring of your customer data, or engage in large-scale processing of sensitive personal data (PII).
There is a defined list of things that any organization should do to prepare for GDPR:
Awareness – make sure key decision makers are aware of the new law, and how it could affect your business if found in non-compliance.
Information You Hold – document all personal data that your company holds, where it comes from, and who you share it with.
Communicating Privacy Information – review your privacy notices and make any changes necessary to accommodate new provisions of the GDPR.
Individuals’ Rights – examine your procedures to ensure that they cover all the rights individuals have, including the right to “be forgotten” (data deletion), and provide standardized methods for sharing data securely between organizations.
Subject Access Requests – update your procedures to accommodate accelerated timeframes for requests for personal data from EU data subjects.
Lawful Basis for Processing Personal Data – identify the lawful basis for your organization’s need to process personal data in the context of the GDPR and update your privacy notice to explain it.
Consent – review how you seek, record, and manage consent, and whether you need to make any changes in the context of the GDPR. Revise existing consent agreements if they are not in compliance with the GDPR.
Children – ensure that you have systems and procedures in place to verify the age of your customers, and whether parental or guardian consent is needed for any data processing activity.
Data Breaches – ensure that you have the right procedures in place to quickly detect, report, and investigate a personal data breach.
Data Protection By Design and Data Protection Impact Assessments – familiarize yourself with existing standards for privacy impact assessments, and how to revise, select, and implement systems that are secure by design with provisions of the GDPR in mind.
Data Protection Officers – as mentioned above, designate someone in your organization to take responsibility for data protection compliance, and decide where this role will sit in your organizational management and governance structure.
International – if your organization has offices in more than one EU country, determine your lead data protection supervisory authority. Article 29 of the UK ICO will provide guidance for those unfamiliar with European law.
As you can see, there are a myriad of significant requirements coupled with serious, rigid penalties. Bestul & Associates LLC GDPR Service is well positioned to work with you to ensure compliance and protection. Please contact us at firstname.lastname@example.org to schedule a free, no-obligation overview of how we can help prepare you for GDPR compliance.