The General Data Protection Regulation (GDPR), Europe’s new framework for data protection laws, officially went into effect on May 25, 2018. And it’s causing U.S. businesses in every industry to prepare for enforcement. GDPR brings forth important policy updates to the way organizations across the globe secure and handles personal data.

Whether you’re a hospital that has patients who live in the European Union or you’re a legal firm with clients in the EU, you’re required to meet the new GDPR standards.

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation in European Union law on data protection and privacy for all individuals within the EU and addresses the export of personal data outside the EU.

Although this regulation was initially adopted back in April 2016, it became enforceable May 25, 2018. GDPR is important for businesses as it syncs all data protection regulations throughout the EU, making it easier for non-European companies to comply with these regulations. During a time where there is large economic value of personal data, the GDPR brings a new set of digital rights for EU citizens.

According to the GDPR directive, personal data is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.

These new regulations make no distinction between personal data about individuals, whether it’s private, public or working roles. In a B2B environment, it’s about individuals interacting and sharing information with each other. People in organizations obviously make the business, but the interactions between the individuals are exactly that – people are people.

How does it affect my business?

Does GDPR affect me?

Most likely, YES.  If not right now, it very likely will soon, so it’s wise to go ahead and take some initial steps to prepare your organization for future compliance.  Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.

Does your organization need changes?

Here are a few things to look for to equip your business with the tools it needs to be compliant with these new regulations

  • Implemented by the European Union (EU), GDPR has a global impact, affecting companies around the world, not just in the EU.
  • Beyond new responsibilities for businesses, GDPR defines new rights for individuals including more involvement with the information a business manages.
  • Non-compliance now carries more serious risk ranging from mandatory periodic audits to fines.
  • Implementing an Enterprise Content Management solution can help businesses reach GDPR compliance with enhanced document security.

It’s time to tighten up policies and procedures so your business meets the GDPR requirements. Whether your organization operates in the European Union or works with an organization that does, GDPR will have an effect on the processes in which businesses access, share, and protect business data.

Is your organization prepared for GDPR?

Here are a few things to consider:

  • Understanding the impact of GDPR, and risks of non-compliance
  • How GDPR applies to the way businesses manage client information
  • The importance of having a GDPR-compliant document management solution

If you ask most SMB owners and leaders, the understanding of these items is not concrete. In fact, in a study of more than 800 IT and business professionals that are responsible for data privacy at companies with European customers, Dell and Dimension Research found that 80% of businesses know few details or nothing about GDPR and 97% of companies don’t have a plan to be ready for GDPR.

GDPR and Guidelines for Member States

If you’re taking the General Data Protection Regulation (GDPR) at face value, you might be missing the power it grants to Member States.

The regulation is intended to serve as a baseline, not an endpoint. So, while the GDPR points out specific guidelines Member States and organization must follow, it also includes leeway for Member States to offer different interpretations of specific articles or impose additional restrictions.

The following Member States have already imposed their own laws that build upon the GDPR’s baseline.

  • Austria
  • Belgium
  • Germany
  • Slovakia

And, bills have been drafted in 16 other countries.

Another important note is that these powers are not just afforded to countries that are official members of the EU. It also applies to 3 countries outside of the EU who are still in the EU economic area:

  • Norway
  • Iceland
  • Liechtenstein

The articles in the GDPR applying specifically to Member States generally fall into 1 of 2 categories:

1. Things Member States are required to do.

Here are some of the key articles in this category:

Article 84: Penalties

Member States are responsible for determining and enforcing penalties for GDPR violations, as well as establishing supervisory authorities who are responsible for the enforcement.

Article 85: Processing and freedom of expression and information

Member States are required to reconcile GDPR regulations with “the right to freedom of expression and information…”

2. Things Member States are allowed to do.

Here are some of the key articles in this category:

Article 6: Lawfulness of processing

Member States can stipulate additional provisions applying to the lawfulness of processing personal data, specifically when processing is necessary for compliance with a legal obligation or for a task carried out in the public interest.

Article 8: Conditions applicable to child’s consent in relation to information society services

Member States can change the age of consent for processing to as low as 13 years old.

Article 22: Automated individual decision-making, including profiling

The GDPR stipulates that data subjects “have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

Member States can allow organizations to bypass this as long as “suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests” are implemented.

Article 23: Restrictions

Member States can restrict the scope of certain GDPR articles, “when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure…” to protect national and judicial interests.

Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific, or historical research purposes, or statistical purposes

Member States can adjust the rights referred to in Articles 15 (access), 16 (rectification), 18 (restriction), and 21 (objection)  when personal data is processed “for scientific or historical research purposes or statistical purposes” or “for archiving purposes in the public interest.” However, the Member State’s adjustments are restricted to only those cases where the fulfillment of those rights are likely to impair the achievement of the specific purpose for which the data is being processed.

The more organizations learn about GDPR, the more complex the regulation seems to be. But it doesn’t have to be that way.

What can I do to prepare for GDPR?

While there are many things you will need to do later, there are some key steps you should take now to be ready.  Each of these are aspects of a healthy data governance program that should be in place:

1 – Document your Data

One of the most common issues organizations face is not having a clear audit trail of what data they have and how it can be accessed.  As organizations experience rapid growth, they typically trade off security and management policies for “speed to decision-making,” subsequently providing access to a wider group of people and groups, without having a clear audit trail for the flow of this information.  If your organization is ever required to perform an information audit, you need to be ready to identify where and how the information came to rest in that location.  This is similar to processes in the food industry, where manufacturers must be able to track the product down to the “lot level” when a recall happens.

The best way to document your data is through a Data Catalog system.  There are many available on the market today that have its own unique features.  Each will in various ways, address the gap present in many companies to providing the information audit.  The additional advantage data cataloguing has is in the effort to democratize data in an organization.  Making information available to the people who need it and performing critical and timely analytics is an essential characteristic of a data-driven company.  Don’t be left behind not having your data catalogued.

2 – Refine and Document Data Access Policies

In today’s fast-paced organization, sometimes people just “need access” to get the job done.  However, the risks are far too great to simply provide the access without proper justification or visibility into how the data will be used and for how long.  The best way to do this is to create an audit trail of data access control data.  Some data catalog products can provide this feature.

You should also identify through your data governance initiatives the process by which individual data access requests will be processed.  This provides an appropriate approval/denial process for each request and documentation on what was requested.

3 – Build Compliance into your Data Design

If you are unsure of whether your current systems have enough features built-in to comply with the coming laws, consider a Privacy Impact Assessment (PIA) to ensure you do comply.  While, it is outside of the scope of this blog to fully outline, the Information Commissioner’s Office (ICO) has released the Code of Practice for PIA, which includes how to perform it, as well as templates to assist in the process.

Going forward, regardless of your own organization’s requirement to meet GDPR guidelines, data should be considered, valued, and protected as the asset that it is.  This Privacy Impact Assessment could prove to be a guide in achieving a level of compliance.

4 – Stewardship

Lastly, a data-healthy organization with a solid data culture and governance process in place, will ensure that data stewardship is a priority.  Each area of the system should have controls and accountability to data quality and user access.  This will ensure the organization is making good decisions with good data.

As an organization, you should also consider a “Data Protection Officer” (DPO) role, as someone who would be ultimately responsible for all the stewardship of data within an organization.  Much like a CFO or Controller governs monetary assets, the DPO will provide the necessary oversight and accountability that organizations will need in the future.

Why the GDPR Should be on Your Radar if You’re in IT

So, what should organizations be preparing for in regards to the new GDPR requirements? Here are a few important keys to consider if you maintain information for any EU citizens:

1. The GDPR requires strict adherence to individual consent while acquiring their personal details.

Many of the current U.S. regulations are organization-centric and are mainly targeted at protecting an individual’s information from a security breach. The GDPR takes consent to a new level. It requires the organizations must get an active consent from the individual before storing any of their personal details in their database.

2. The GDPR includes a right to be forgotten rule worth noting.

With current regulations, an individual’s record that is in the organization’s database cannot be erased simply because the person wants to. The GDPR allows individuals a right to erasure, although what must be done is not black and white.

3. The GDPR emphasizes compliance, risk activities, and high-security storage.

Similar to many of the current regulations, the GDPR provides strict guidelines when it comes to implementing a risk-based approach to data processing and measuring the effectiveness of privacy and security compliance controls. With the GDPR, it is mandatory for organizations to deploy adequate security, encryption, pseudonymisation, redundancy, and intrusion detection mechanisms in order to ensure that constituent data is not compromised in any way.

GDPR and Pseudonymisation of Personal Data

While the GDPR sets forth stringent security requirements, it also provides guidance for fulfilling those requirements.

Pseudonymisation is one example of such guidance. If you’re unfamiliar with that term, here’s how the GDPR defines it:

“The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

The GDPR identifies pseudonymisation as a mechanism that “can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations.”

However, it’s important to note that pseudonymised data is not anonymous data. Anonymous data can never be traced back to an individual, and as such, is not considered personal data by the GDPR.

Pseudonymised data, however, can theoretically be traced back to an individual. The risk of this is decreased due to the fact that different sets of information needed to re-identify an individual are stored in separate locations, but it’s a risk to be aware of, nonetheless.

How Pseudonymisation Can Help Your Organization

In short, pseudonymisation is a way for your organization to achieve compliance with specific GDPR articles and add an extra layer of security to personal data.

For example, Article 25 suggests that pseudonymisationhelps the organization to implement the data protection principle of data minimization. This helps meets the Article 25 requirement to protect the data as it is processed.

Basically, when you determine how you’ll process data, and when you actually process that data, you need to have sufficient security measures in place to protect it. The GDPR refers to this as“data protection by design and by default” and identifies pseudonymisation as a clear-cut way to accomplish it.

Additionally, pseudonymisation can provide a safeguard against the inherent risk of data processing.

Article 32 mandates that “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk” including “the pseudonymisation and encryption of personal data.”

Again, we see pseudonymisation identified as a clear winner for reducing risk to personal data.

Additionally, if you’re processing data “for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes,” this data is “subject to appropriate safeguards…in order to ensure respect for the principle of data minimization.”

Pseudonymisation is offered as a potential component of these safeguards, “provided that those purposes can be fulfilled in that manner.” (Article 89)

The GDPR encourages organizations to pay attention to their particular level of risk, but is not afraid to identify pseudonymisation as a potential means to reduce that risk.

What You Should Know About Pseudonymisation

Just because data has undergone pseudonymisation does not mean it is no longer subject to the strict processing requirements of the GDPR.

Article 26 states that “Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.”

So, while pseudonymisation can add a layer of security to data processing, the GDPR still specifies that it is personal data and should be treated as such.

GDPR compliance requires not just an understanding of its component parts, like pseudonymisation, but a clear understanding of the big picture of data security.

GDPR Breach Notification Checklist

One of the more challenging aspects of the GDPR will undoubtedly be the requirement to report breach notifications to the supervisory authority within 72 hours of becoming aware of the breach (see Article 33).

Within GDPR, there is an important clarification to note for the meaning of “data breach.” A “personal data breach” should be addressed differently than a normal “data breach.” It is not legally required to report on a “data breach,” but in the event of a personal data breach, things change with the risk of penalties for non-compliance.

Additionally, Article 34 requires that “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”

If you’re keeping track, that’s two new requirements under GDPR related to reporting security breaches.

So, how does the GDPR define a personal data breach? And, how should you go about reporting one should it occur? Furthermore, how do you prepare for a breach so that, if one does occur, you have procedures in place to respond and report it appropriately?

Preparing for and responding to personal data breaches is not just a requirement of the GDPR; it’s a good business practice in general. Here’s a practical checklist for preparing for and responding to personal data breaches in accordance with the GDPR.

Preparing for a Breach

1. Understand how the GDPR defines a “personal data breach.”

The GDPR’s definition of a data breach is not patently different from typical definitions, but it’s important to know the standard you’ll be held to should one occur.

According to the official text, a “’personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

2. Locate and document data on your network/systems.

Next, you’ll need to know what’s at risk. Where does your organization store personal data? All departments should collaborate to ensure no personal data or potential weak spots are overlooked.

Once you’ve determined where personal data resides, document its location and the controls in place to prevent unauthorized access to it. Review these controls and ensure they are sufficient because the one thing better than correctly responding to a breach is not experiencing one in the first place.

3. Implement controls to help prevent and identify breaches.

To prevent security breaches, ensure your organization is following proper information security hygiene as well as conducting regular security awareness training for employees so they can identify potential attacks.

Additionally, make sure you’re consistently testing the perimeter security of your network with internal and external penetration tests and vulnerability scans. This can help identify and correct potential weak spots in a safe, controlled environment.

You may already have appropriate firewall configuration and network segmentation controls in place, but also make sure you’re performing network monitoring and reviewing logs on a regular basis for suspicious behavior. Additionally, train personnel to identify the signs of a breach, and report breaches correctly within your organization.

One aspect of the GDPR that differs from other regulatory or compliance requirements is the mandate that personal data breaches must be reported to the supervisory authority within 72 hours.

This being the case, it’s important to configure your breach notification services to alert early enough to enable fulfillment of this minimal reporting window.

4. Perform tabletop incident response tests.

Assuming you’ve already implemented an incident response plan, make sure you’re testing it regularly. The goal is not necessarily to perform the most thorough test imaginable, but to ensure all involved employees have a clear understanding of their responsibilities should a breach occur.

Responding to a Breach

1. Identify the extent of the breach.

Regardless of how the breach was detected, one of the first things you’ll need to do is determine its extent. What’s the nature of the breach? What sort of information was disclosed, altered, deleted, etc.? What is the approximate number of data subjects concerned and the categories and approximate number of data records concerned?

Refer to your incident response plan to identify which personnel are responsible for breach discovery and analysis. Your incident response plan should also include potential consequences of a breach and mitigation strategies based on the type of information compromised. So, once you’re aware of a breach, begin following the mitigation strategies outlined in the plan. This might mean taking databases offline or blocking all remote access until you know the extent of the breach.

2. Identify to whom you need to report the breach.

While the GDPR introduces strict breach notification requirements, it’s worth noting that strong encryption can help maintain the integrity of your data should you experience a breach. It can also help you make the case that a breach is unlikely to be damaging to users since the data is unusable unless decrypted.

That said, any personal data breach, unless it “is unlikely to result in harm to the data subject,” is required to be reported to the supervisory authority within 72 hours of discovery (see Article 33).

In many cases, U.S. companies affected by the GDPR are service providers, acting on behalf of companies in the EU. If you fall into this category, you’re a data processor, and you would report a breach to the EU company with whom you’re doing business. That company would then be responsible for reporting the breach to the appropriate supervisory authority.

However, if you’re a data controller, i.e. your company “determines the purposes and means of the processing of personal data,” you are responsible for reporting directly to the regulatory body of each EU country with whom you do business. (See Article 4 for “controller” and “processor” definitions.)

Breaches are also required to be reported to data subjects “without undue delay” if “that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person” (see Article 34).

However, if you are able to prove any of the following, you are NOT required to notify data subjects of a breach (according to Article 34):

  • “the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular, those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
  • the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialize;
  • it would involve a disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.”

Note: The above exceptions apply only to data subjects, NOT the supervisory authority.

Any breach must be reported to the supervisory authority unless it meets the exception noted in Article 33 (“unlikely to result in harm to the data subject”).

3. Report the correct information to appropriate people within the required timeframe.

The GDPR also specifies what information should be reported when notifying either the supervisory authority or data subjects of a breach. When reporting to the supervisory authority, your notification should (according to Article 33):

  • “describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach;
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.”

When notifying data subjects of a breach, the notification must “describe in clear and plain language the nature of the personal data breach,” (see Article 34). You must also adhere to items B, C, and D of Article 33 noted above.

Breach notifications must be handled transparently and clearly with both supervisory authorities and data subjects. Failure to do this not only makes you non-compliant with GDPR regulations but risks damaging your organization’s reputation.

Ensure the incident response plan includes breach communication principles, including the following:

  • Center communication around facts, not speculation.
  • Ensure information communicated is consistent.
  • Provide customers an avenue to learn about the breach and inquire about their data.

As mentioned, breaches must be reported to supervisory authorities within 72 hours of discovery and to data subjects “without undue delay” (see Articles 33 and 34).

The breach notification requirements set forth by the GDPR present new and unique challenges. LBMC’s computer incident response services can help you plan and execute a GDPR-compliant incident response plan.

Is Your Organization Prepared for GDPR Enforcement?

In many ways, GDPR takes cybersecurity to a different level for certain organizations. It’s going to be just as significant, if not more, than the current industry regulations.

Making sure your organization is aligned with the data handling requirements of the GDPR before the enforcement date of May 25th is critical. In addition to familiarizing yourself with the GDPR requirements, it’s important to map those requirements to your organizational policies and procedures. This is where our team at LBMC can help.

LBMC provides many options that can help you with your data woes. We have GDPR compliance services, data insights services and various software solutions to meet your business needs.