Are You Ready for GDPR?

Have you heard about the General Data Protection Regulation (GDPR)? If so, you’ve probably realized that it is not just one of many other data protection frameworks or requirements. GDPR is considered to be one of the most significant information security and privacy laws of our time and is the top regulatory focus of 2018, even among US companies. With the May 25, 2018 deadline for GDPR compliance creeping closer, it’s important to understand if or how this new legislation is going to affect your business and ask yourself: are you ready for GDPR?

What is the Purpose of GDPR?

The concept of people owning their personal data and having data rights was a focus of the 1995 European Union Data Protection Directive (DPD), which was created to make the processing of personal data fair and lawful. The DPD set a minimum standard for data protection laws among EU Member States, but the Directive needed updating because technology, information security threats, and the way we share data have changed dramatically in 20 years.

Born out of cybercrime threats, technology advances, and concerns about data misuse, the EU’s GDPR will require data controllers and data processors, organizations that handle personal data of EU residents, to “implement appropriate technical and organizational measures…to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.” GDPR applies to any entity performing activities like collecting, using, storing, disclosing, or combining personal data of any data subject in the EU. What is personal data, according to GDPR? Personal data is defined as any information relating to an identified or identifiable person, or data subject, who can be identified by a name, an ID number, location data, or physical, physiological, genetic, mental, economic, cultural, or social identity.

GDPR doesn’t just apply to organizations physically located in the EU, but also any organization in the world providing services to data subjects within the EU. The cost of non-compliance greatly exceeds the cost of compliance. GDPR is enforceable and is equivalent to a US Federal Law, and failure to comply with GDPR can lead to fines of up to €20 million or 4% of annual global turnover – whichever is greatest.

What are the Roles involved with GDPR?

GDPR requirements depend on performing one of several data processing roles, so determining what role your organization plays sets the groundwork for determining which GDPR requirements apply to you. Is your organization one of the following?

• Data Controller: The person or organization that determines the purposes and means for processing personal data. How much authority and decision-making over personal data does your organization have? The greater the authority, the more likely it is that an organization is a data controller.
• Joint Controller: Multiple organizations having authority over personal data. The purposes and means for processing personal data are jointly determined and the requirement is to clearly define the responsibilities among joint controllers. The organizations must share authority over the data, not just share a data pool. For example, if a few organizations make an agreement to collect, use, or combine personal data and have mutual authority over that data, you might have a joint controller relationship.
• Data Processer: The person or organization that processes personal data on behalf of a data controller. Processing is essentially anything done to the data, including storing, archiving, or reviewing. Data processors cannot process data without the authority of the data controller. They must notify the data controller of any breaches or using/changing of sub-processors. Data processors must provide sufficient compliance guarantees to the data controller.
• Controller-Processor: You can have situations where a person or organization is both a controller and a processor. A SaaS provider could serve as a data processor based on the data they receive from their clients, but they could also serve as a controller because they employee EU citizens. Two sets of data exist, and the SaaS provider has different responsibilities towards the two sets.

There are two other important roles set forth in GDPR:

• Data Protection Officer: An individual that has expert knowledge of data protection law, is independent from an organizational reporting perspective, cannot be told how to do their job, and cannot be penalized for their job. This could be a person who’s also fulfilling other roles within an organization (without a conflict of interest), but it could also be an outside contractor.
• Supervisory Authority: Independent, public authorities for each EU member state. Supervisory authorities are responsible for monitoring the application of GDPR and addressing non-compliance. These are the government organizations that you will be interacting with and they have the authority to create additional GDPR compliance.

Because GDPR becomes enforceable May 25, 2018, Supervisory Authorities have not yet issued any enforcement action to give us case studies or clarify compliance requirements. In this pre-enforcement phase, it’s crucial to monitor regulatory developments as they come out. If you haven’t begun preparing for GDPR compliance, you should start now. In a highly data-driven world, it’s our responsibility to help protect organizations from data and privacy breaches.

Originally from KirkpatrickPrice.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.