With the EU’s General Data Protection Regulation (GDPR) enforcement deadline just two weeks away, GDPR preparedness should be top of mind for businesses around the world—not just a concern for businesses and organizations based in the European Union (EU).
The GDPR sets a high standard for data protection and applies to any organization that processes the personal data of EU residents—whether that organization itself is based in the EU or not. This is important, because the standards set by the GDPR are much more stringent than those set by current US privacy laws, and the penalties for non-compliance are harsh: up to USD $24M, or 4% of worldwide annual turnover, whichever is higher.
The GDPR is built on seven data protection principles that, together, assure the rights of the individual are central to the collection and processing of personal data.
In this series of articles, we’ll explore the seven principles of data protection, how they relate to GDPR, and how you can use these principles to protect your company’s data and ensure compliance with GDPR and other regulatory guidelines.
But first, let’s take a look at the basics of the GDPR.
What is the GDPR, Exactly?
The General Data Protection Regulation (GDPR) is a very-soon-to-be-enforced new data protection law for all 28 Member States in the European Union.
Designed to replace the hodgepodge of data protection regulations and authorities currently applicable in the 28 EU member states, the GDPR will create a homogenous regulation that will apply across the EU.
The reform modernizes the principles from the EU's 1995 Data Protection Directive and applies to personal data of EU citizens that is processed by what the regulation calls data controllers and data processors (more on that later).
The new regulation strengthens users' control over how personal data is processed and stored and grants key rights and freedoms such as the right to consent, the right to be informed, the right to data portability, and the right to erasure of personal data (i.e. the "right to be forgotten").
Let’s dive into some of the top questions on the GDPR:
When does the GDPR go into effect?
The GDPR was signed into law in late April of 2016 and goes into effect on May 25th, 2018. After that date, any organization that collects, stores or processes the personal data of EU residents must comply with the General Data Protection Regulation.
What is Personal Data?
Personal data is any data which by itself, or when combined with other data that the possessor can likely access, can be used to identify an individual. To a cybercriminal, the collection, processing, and transfer of personal data makes organizations across a large number of industries lucrative targets for phishing, denial of service, ransomware and advanced persistent threat attacks.
What are data controllers and data processors?
Controllers and processors are two different types of organizations that the GDPR applies to—namely, those that "control" user data, and those that "process" it.
A processor is any organization that collects, processes, stores or transmits personal data of EU citizens. A controller is an organization that directs the processor's activities.
That means the controller defines the how and why of personal data processing, and the processor acts on the controller’s behalf. For example, a bank that outsources check imaging processes is the data controller, while the outsourcer is the processor.
Under the GDPR, processors need to maintain an audit trail of all processing activities, but it's the responsibility of the controller to assure that all of their data processors are in compliance. Controllers are not relieved of their data protection obligations if a breach occurs in a processor's network.
Transfers of personal data between controllers and processors must be secure, and the data must be protected while it's processed. In certain cases, the GDPR can also require the data processor to delete personal data that is no longer needed after processing.
Who has to comply with the GDPR?
The rules of the GDPR apply to any organization that collects, stores or processes the personal data of EU residents. It doesn't matter where your company is headquartered. Even companies that do not have a physical presence in the EU must comply with the GDPR.
I’m already HIPAA compliant, will I be ok for GDPR?
Not exactly. There are some overlaps, but the GDPR is a much larger and more far-reaching piece of legislation. You can read more about the differences between the two here.
What are the penalties for non-compliance?
The consequences for non-compliance with the GDPR are severe—up to €20 million, or 4% of worldwide annual turnover, whichever amount is higher.
What about the UK? Doesn’t Brexit make them exempt?
No. Even with Brexit, UK firms will have to comply with the GDPR. The date for withdrawal from the EU is later than the May 2018 date that the GDPR comes into effect. Thus, UK businesses will be under the jurisdiction of the EU and subject to the GDPR. After Brexit, UK businesses will still have to comply if they collect, store, or process the personal data of EU residents.
Still have questions? Check out our Procrastinator's Guide to the GDPR for a more in-depth breakdown of the GDPR and its implications. Now let’s dive into data protection principle one: fair, lawful, and transparent processing of data.
Fair, Lawful, and Transparent Processing of Data
The first data protection principle of the data protection act and a foundation of the new rules under GDPR is the requirement for "fair, lawful, and transparent processing of data." So what does that mean?
Under this rule, the GDPR mandates that a data controller must be capable of providing a data subject (i.e. the user) with detailed information about his or her personal data processing.
To be compliant, this data must be presented in an easily accessible manner, and in clear, concise, and transparent language. In other words, say goodbye to the 100-page user agreement.
To meet requirements for transparency, data controllers must inform data subjects before any data is collected and whenever any changes in data collection processes are made, and finally, the data subject must consent to data processing.
This consent can take several forms, but it must be given of the data subject's own free will, and a positive action must be used to indicate consent (i.e. clicking a checkbox). That means implied consent is a big no-no under the GDPR.
The law also states that data collected and used for processing must be "adequate, relevant and limited to what is necessary for the purposes for which they are processed," and that the period for which that data is stored is kept to a "strict minimum."
How MOVEit Can Help You Stay GDPR Compliant
As noted above, if your business collects, stores, processes or transmits the personal data of EU residents, the General Data Protection Regulation (GDPR) will apply to you. With this much at stake, the best practice is to assure that the systems, user authentication, and encryption techniques involved in the transmission of personal data are secure and compliant with GDPR.
While the focus of principle one is largely on consent, there are many ways that a reliable Managed File Transfer solution like MOVEit can help keep your company GDPR compliant. For example, when a user asks for a copy of his or her data processing records, you will be compelled under GDPR to comply with that request. With MOVEit's built-in data non-repudiation, you have the ability to prove who uploaded a specific file, who downloaded it, and that the file uploaded and the file downloaded are identical. This gives you the capability to authenticate each user that accesses a file and to provide a reliable log of that access.
MOVEit Secure Managed File Transfer also provides encryption of data in transfer and at rest, data integrity checks, integration with your existing security systems and detailed logs of file transfer activity.
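To make the non-repudiation idea above concrete, here is an added illustration (not MOVEit's code or any vendor's implementation): a tamper-evident transfer log that records the authenticated user and a SHA-256 of the content for every upload and download, chains each record to the previous one with an HMAC, and can then answer who uploaded a file, who downloaded it, and whether every download matched the upload. `LOG_KEY` is a placeholder assumption; the sample file content and user names are constructed.

```python
import hashlib
import hmac
import json
import time

# Placeholder signing key (assumption): a real deployment would keep this in an
# HSM or secrets manager, never in source.
LOG_KEY = b"placeholder-log-signing-key"

class TransferLog:
    """Append-only transfer log; each entry's MAC covers the previous MAC,
    so altering or deleting any record breaks verify_chain()."""

    def __init__(self, key: bytes = LOG_KEY):
        self._key = key
        self.entries = []

    def _mac(self, entry: dict, prev_mac: str) -> str:
        body = json.dumps(entry, sort_keys=True).encode() + prev_mac.encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def record(self, user: str, action: str, filename: str, content: bytes) -> dict:
        # Hash the content itself so upload and download can later be compared.
        entry = {"user": user, "action": action, "file": filename,
                 "sha256": hashlib.sha256(content).hexdigest(), "ts": time.time()}
        prev = self.entries[-1]["mac"] if self.entries else ""
        entry["mac"] = self._mac(entry, prev)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        prev = ""
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "mac"}
            if not hmac.compare_digest(self._mac(body, prev), e["mac"]):
                return False
            prev = e["mac"]
        return True

    def custody(self, filename: str) -> dict:
        """Who uploaded, who downloaded, and whether every download matched the upload."""
        ups = [e for e in self.entries if e["file"] == filename and e["action"] == "upload"]
        downs = [e for e in self.entries if e["file"] == filename and e["action"] == "download"]
        if not ups:
            return {"uploaded_by": None, "downloaded_by": [], "identical": False}
        ref = ups[0]["sha256"]
        return {"uploaded_by": ups[0]["user"],
                "downloaded_by": [d["user"] for d in downs],
                "identical": bool(downs) and all(d["sha256"] == ref for d in downs)}
```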
We’ll be back next week with another post on Principle Two, but until then, check out these resources to learn more about GDPR and its implications.
And check out this video for a quick overview of the Seven Principles of Data