“The GDPR marks a significant development in the field of EU data protection law.”
As an update to the Data Protection Directive of 1995, the General Data Protection Regulation (GDPR) creates a uniform data protection standard within the European Union. It applies to any company that offers goods and services to European citizens, whether they are inside or outside the E.U., and goes into effect on March 25th 2018.
“The changes which are to be ushered in by the GDPR on Friday 25 May 2018 are substantial and ambitious.”
The GDPR is expected to set a new standard for consumer data, and companies will be challenged as they put systems and processes in place to comply. Because the GDPR widens the definition of personal identification information, companies will now need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address, and Social Security number.
- The new regulation applies to any organization that holds or processes the personal information of any European citizen, regardless of where the organization itself is based, or where the data processing takes place.
- The new regulation widens the scope of what is meant by “personal information” to include anything that could identify a European citizen, including IP addresses and cookies.
What types of privacy data does GDPR protect?
- Basic identity information such as name, address, and ID numbers
- Web data such as location, IP address, cookie data, and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
What is the risk of noncompliance?
The final draft of GDPR imposes strong new duties and huge fines if companies don't comply. The regulation provides for increased penalties (administrative fines of up to €20 million or up to 4% of annual worldwide turnover, whichever is higher) to be imposed in the event of noncompliance.
What should my company be doing to prepare for the GDPR?
Considering the risks and potential penalties, organizations with an EU presence, and those without an EU presence who target or monitor EU individuals, need to:
- Understand the impact of the GDPR
- Determine the best strategy for compliance
- Establish a sense of urgency that comes from top management
- Hire or appoint a Data Protection Officer (DPO)
- Create a data protection plan
- Conduct a risk assessment
- Implement necessary measures to mitigate risk
“IDC predicts that by 2020, data breaches will affect nearly 25% of the world’s population.”
The GDPR requires that companies report breaches within 72 hours when they do occur. How well the response teams minimize the damage will directly affect the company’s risk of fines for a breach. Companies also need to set up a process for ongoing assessment to make sure that they remain in compliance with GDPR over time.
How important is application security testing?
Although many of the requirements don’t relate directly to InfoSec, the processes and system changes needed to be GDPR-compliant might very well affect existing security systems and protocols.
Protecting and securing data is about breaking down silos between NetOps and DevOps to identify where data comes from and how it flows from the customer, through the applications, into databases, and back out again to other applications and APIs. The job of the newly mandatory Data Protection Officer (DPO) is to find out where the data lives and how it moves, then assign responsibility for making sure that the data of employees and customers is kept safe both in motion and at rest.
The bottom line
The provisions of GDPR are consistent across all 28 EU member states, which means that companies have just one standard to meet. However, that standard is quite high and will require most companies to make a large security investment to meet GDPR requirements.
Experts are predicting that the EU could collect as much as $6 billion in fines and penalties in the first year. This makes it essential for organizations to ready themselves for this change. They also need to add application security into their overall cyber security strategy as part of an end-to-end GDPR compliance program.
“GDPR isn’t just about finding data and making sure it’s secure; the regulations dictate that organizations need to find the context of data in use, and prove everything is being done to protect the subject’s data and the rights of the subject itself.”