The last blog post highlighted the coming GDPR regulation and the implications it will have for all of us. On a positive note, this is good for consumers. The challenge, though, is for companies who need to meet this new regulation. Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR if they have:
- A presence in an EU country, even if they do not have a business presence within the EU
- No presence in the EU, but it processes personal data of European residents
- More than 250 employees
- Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data
Or, in other words, just about all companies. So how does a company comply? One problem is that the GDPR takes a wide view of what constitutes personally identifiable information, so the same level of protection will be required for an individual’s IP address or cookie data as for sensitive data such as name, address and Social Security number. There is also a problem of interpretation. Companies must provide a “reasonable” level of protection for personal data, but what constitutes “reasonable” is not defined. A consequence of this is that there are likely to be quite a few fines for data breaches and non-compliance as GDPR is introduced.
The GDPR defines three key company roles that are responsible for ensuring compliance: the data controller, the data processor and the data protection officer (DPO). The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply. Data processors may be the internal staff who maintain and process personal data records, or any outsourcing firm that performs all or part of these activities. Notably, it is the data processors who are liable for breaches or non-compliance. Thus, if your cloud provider is fined, you may well be fined as well, so choose carefully. A DPO needs to be designated to oversee data security strategy and GDPR compliance. Companies are required to have a DPO if they process or store large amounts of EU citizen data, process or store special categories of personal data, regularly monitor data subjects, or are a public authority.
So what if your company is non-compliant? The GDPR allows for penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher. Some predictions are that around half of companies will not be compliant when GDPR comes into force, and that around $6 billion in fines and penalties will be collected in the first year. How these will be assessed, e.g. what counts as a major breach that could cause damage versus a minor one, will still need to be decided. Here the GDPR places a requirement on companies to perform impact assessments to mitigate the risk of breaches by identifying vulnerabilities and how to address them.
The good news for consumers, though, is that we will get a lot more information about data breaches. A key requirement brought in by the GDPR is that companies must report data breaches to supervisory authorities and to the individuals affected by a breach within 72 hours of detecting it. Thus, although the introduction of the GDPR is likely to be costly and painful for companies, in future we will know a lot more about how safe our data is and which companies we can trust with it.