The clock is counting down on a deadline to ensure companies comply with new European Union (EU) regulations to protect people's personal data.
On May 28, 2018, the General Data Protection Regulation (GDPR) will come into effect, and will apply to any organization, including those outside the EU, that collects or processes data about EU citizens.
Understanding and sticking to the rules is a challenge for companies so below is a beginner's guide to some of the key points.
What is personal data?
Personal data is defined by GDPR as private, professional or public life information and can be a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information or a computer's IP address. It does not include data connected with national security activities or law enforcement.
New rights for EU citizens
To tackle the risk of companies making unfair decisions about people using algorithms, the GDPR gives EU citizens the right to question and fight such decisions.
The GDPR also gives individuals the right to request erasure of personal data. Companies will be legally obliged to securely delete data when:
- the information is no longer necessary for the purposes for which it was collected
- the information was not collected with the explicit, informed consent of the data subject
- the information has been unlawfully processed.
Securely deleting data is not straightforward. However, encrypting it and then deleting the encryption key renders data completely and permanently unreadable.
Data Protection Officers and data breaches
Some companies are required to appoint Data Protection Officers, while organizations that collect or process data must give notification of any data breach.
The toughest penalties for breaking GDPR rules are:
- a fine up to €10,000,000 or up to 2% of the annual worldwide turnover of the preceding financial year
- a fine up to €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year.
What to do
With the deadline just a few months away, what can organizations do to ensure they are GDPR-compliant?
A good start is an audit against the GDPR legal framework to establish exactly what is expected of your organization.
Identify data about EU citizens. Find out who is controlling/processing/storing it and then where this is stored, who can access it and with whom it has been shared?
Establish how the data is being protected. Is it encryption, tokenization or psuedonymization – and don't forget any data that is backed up.
Keep a record of GDPR activities – it could be a crucial tool for demonstrating to the GDPR Supervisory Authority that your business has taken the right action.
Finally, make your goal what the GDPR calls "data protection by design and by default". In other words, set up processes to ensure data that enters a business is located and protected from the moment it arrives.
For more help, our experts go into these steps – in partnership with ISC2 – in a joint webinar entitled "6 Steps To GDPR Compliance".