May 25, 2018 is GDPR Day. Ready or not, here it comes.
What you need to know.
The GDPR – General Data Protection Regulation – came into law on May 24, 2016 with plans to go into effect 2 years later, which will be May 25 this year, less than 4 months away. Reports indicate nearly a third of companies say they are not prepared for this legislation. But ready or not, here it comes and it has really big teeth in the way of new rules and huge fines if you’re caught out of compliance.
What Is GDPR?
The GDPR is the outcome of the EU’s four years of effort to strengthen the protection and privacy of citizens’ personal information. When the 1995 EU Directive went into effect, the world didn’t operate under the public eye of the Internet or social media, with data crossing country lines every moment. The GDPR puts new laws into effect with new definitions, protections and penalties to fit the modern world. The GDPR will supersede the EU directive in every capacity, and it affects not just Europe but any and every country that handles data concerning European citizens. This impacts countless businesses and organizations in the US and worldwide.
GDPR Definitions, Roles and Rules Regarding Personal Information
One of the first key changes in the GDPR is what qualifies as personal data. The definition has broadened to include IP addresses, Internet cookies and DNA, as well as economic, cultural and mental health information.
As before, controllers and processors each bear responsibility for handling data lawfully – see below for more information on what lawfully means. Controllers define how and why personal data is processed, and processors perform the actual processing of the data.
Examples of controllers include any commercial business, charity or government agency or department. Processors include IT service providers. All must abide by the GDPR. Side note: If a business opts to use third parties in its data processing, the business, not the third party, is always the one liable for the data’s protection.
Controllers must document how and when individuals give consent for their data to be collected, and follow new rules for how consent can be obtained. Companies currently obtaining consent in a different way that doesn’t measure up to the new rules need to update their system to comply.
Both controllers and processors must be very clear and use plain language in telling people how their data is collected, what will be done with it and how it will be processed. Individuals can ask questions about this, as well as request access to the information held on them, to know why and how it’s being processed, how long it’s been and will be stored, and who else has access to it.
Being outside the EU doesn’t affect controller and processor obligations. The GDPR applies as long as anyone is handling data belonging to people living in the EU, from any location.
What Does the GDPR Mean by 'Lawful'?
‘Lawful’ in this context means many things, the first of which we’ve already mentioned: an individual must give consent to their data being processed. Other lawful requirements include:
• Protecting interests of the subject with respect to that which is “essential for the life
• Complying with all contract or legal obligations
• Processing data in the public interest or the controller’s legitimate interest such as fraud prevention
• Other areas as defined.
At least one of these justifications must be present in processing data lawfully.
Consumers’ Rights in the GDPR
Clearly, individual consumers have many rights under the GDPR. They can ask to access their data at “reasonable intervals” and controllers are obligated to respond within one month. When possible, controllers need to provide direct and secure means for consumers to view the data that is stored about them.
Consumers can request inaccurate or incomplete data to be fixed and updated whenever they want to make the request. They can withdraw consent and ask for their information to be deleted at any time and the controller must comply, unless there is a valid reason to dispute, which is noted below. Deleting data includes instructing other organizations, such as Google, to remove links to copies of the data as well as removing their own copies.
Even if a consumer doesn’t make a direct inquiry about their data, once the purpose for which the data was collected is fulfilled and the data is no longer needed, or if other lawful reasons for holding data are not met, controllers must delete the personal data on their own initiative. These rules protect consumers’ “right to be forgotten.” In some cases, controllers can push back on requests to erase data, such as if there is a valid public interest in the information. An example might be fraud prevention. But such disputes would need justification from data controllers.
GDPR Breaches and Penalties
Along with an increase in intensity of requirements in the above areas, the GDPR is also significantly more intense in the area of breach requirements and penalties.
Similar to US laws (though not always followed), organizations are obligated to report any data breach that jeopardizes people’s information security. With the GDPR, a data breach must be reported to data protection authorities within 72 hours of becoming aware that individuals’ data, rights and freedoms are at risk. Even before that step, though, organizations should inform the people affected by the data breach. If an organization fails to meet the 72-hour deadline, the penalty could be as much as 2% of its annual global revenue or €10 million, which is over $14 million in US dollars. The GDPR won’t have any tolerance for companies sitting on breaches for months or years before coming clean.
For other violations of basic data processing principles, such as lacking a legal basis for the processing, transferring data to other countries or ignoring people’s data rights, the fines get worse. Companies could face penalties of up to €20 million, which is over $28 million in US dollars, or 4% of their global annual turnover, whichever is greater. Some companies that have been fined in the past would have faced much larger fines under the GDPR. For example, TalkTalk’s fine of £400,000, already considered a large penalty, could have totaled £59 million under the GDPR. In the UK, the Information Commissioner’s Office (ICO) fines of £880,500 in 2016 would have been £69 million under the GDPR.
Whether organizations violate the GDPR in intentional or accidental practice or as a result of a data breach, their liability under the GDPR is non-negotiable and severe. And as of today, with the calendar ticking down to May 25, the majority of organizations are not prepared to face the GDPR or to adequately deflect and defend against today’s advanced cyberthreats.
Trusted Execution™ – A Security Game Changer
When it comes to data protection, Virsec believes that a new approach is required to counter today’s threats. Instead of relying on signatures of past attacks to guess what’s coming next, Virsec precisely pinpoints threats at the source, within critical applications. Trusted Execution maps correct application behavior, and instantly detects and blocks deviations caused by attacks. This deterministic approach stops threats in real-time, delivering unprecedented accuracy, without false positives.