Find out the most commonly asked questions about GDPR.
If you’re like most business owners, you’re probably wondering if and how the new EU General Data Protection Regulation (GDPR) applies to you. We’ve received many questions about this new security mandate, and here are answers to our most frequently asked GDPR questions.
GDPR stands for General Data Protection Regulation. It was designed to harmonize data privacy laws across Europe, protect and empower all EU citizens with data privacy, and reshape the way organizations across the region approach data privacy. This mandate replaces the 1995 EU Data Protection Directive and was finally approved by the EU Parliament on April 14, 2016 after four years of preparation and debate. It went into effect 20 days after its publication in the EU Official Journal—in May of 2016—and will be directly applicable in all member states two years after this date (i.e., May 25, 2018).
The effective date for the EU GDPR is May 25, 2018.
The GDPR applies to any organization (operating inside or outside the EU) that processes any personal data, also called personally identifiable information (PII), of EU citizens—whether that organization is a cloud-storage service, university, hospital, merchant, etc.
Yes. Even if the data subject from the EU inputs their own information, the GDPR requirements still apply.
Yes. Personal data includes things like name, address, email, IP address, etc.—data that can directly or indirectly identify a person. Even the magnetic card stripe (also known as track data) contains the cardholder’s name.
See also: GDPR 101 Part 1: Should I Be Worried?
No, but there are data security controls that will cross over. The GDPR scope will likely be much larger than PCI DSS requirements, as it includes all personal data, not just payment card details.
There may be some requirements of the GDPR (for instance keeping “records of processing activities,” Article 30) that will not apply to organizations with fewer than 250 employees. However, there are stipulations to rules like these, and to be safe, you should consult a data security and compliance expert.
Organizations can be fined up to 4% of annual global turnover (aka revenue) or €20 Million—whichever is greater—for violations of the GDPR. These are the maximum fines that can be imposed for the most serious infringements, like insufficient customer consent to process data or violation of the core “Privacy by Design” concepts.
According to article 28, there is a tiered approach to fines. A company can be fined 2% of annual global turnover for not having their records in order, 2% for not notifying the supervising authority and data subject about a breach, and 2% for not conducting an impact assessment.
It is important to note that these fines apply to both controllers and processors, and data 'clouds' will not be exempt from GDPR enforcement.
Since the GDPR applies to the personal data of all EU citizens, businesses in the UK that process EU citizen data post-Brexit would still need to follow its mandates whether or not the UK retains the GDPR after Brexit is complete. UK Prime Minister Theresa May announced that the process for the UK to leave the EU would begin on March 29, 2017 and is expected to take at least two years. The effective date for the GDPR is May 25, 2018, which means there will be an overlapping window of time when the UK is a member of the EU and the GDPR is in force.
The “Right to Erasure” is one of the individual rights named in the GDPR. It states that data subjects can request that their personal data be deleted. There are legal and legitimate reasons that organizations could be allowed to keep data beyond retention periods—even if a data subject exercises their right to erasure. For example, an organization may be required to hold records for the IRS, HIPAA requirements, PCI requirements, or legal cases. In these cases, the organization would obviously need a legal basis for keeping such data. It’s best to consult with legal counsel to understand your business’s unique position.
See also: GDPR Articles 12-23
Supervisory authorities must be told within 72 hours of when the controller becomes aware of a data breach—where feasible, and unless the controller can demonstrate that the breach is unlikely to result in risk to the rights of the data subject. Controllers may also give reasons for delay, if applicable.
Conditions for consent to use data are strengthened overall by the GDPR, and personal data used for marketing purposes must be approved beforehand by the customer in the form of an “opt-in” program. While each business and its operations are different, some may be wondering about old contacts, business cards, or mailing lists with data obtained before the GDPR. Depending on your business model, there could be a few ways you might be able to address this problem; however, remember that you will need to clear any solutions with legal counsel:
PCI DSS explicitly requires logging—which is a good thing when it comes to maintaining security, detecting attacks, etc. If you’re in the PCI realm, you should continue to use logging and thorough log management. The “right to erasure” may be a tricky GDPR requirement, and one we feel will need more legal definition and precedent to be established. However, if you foresee this being an issue for your company, you should seek corporate legal counsel.
Yes. SecurityMetrics GDPR Defense is a new product designed to help small-to-medium businesses secure personal data and get on the path to GDPR compliance.
GDPR Defense contains the following tools to help fulfill certain GDPR requirements while also providing a central location to track, maintain, train, and report on those efforts:
If you’re part of a large organization and need help with GDPR, learn more about our consulting here.
If you have more questions about GDPR, or would like a PCI audit or HIPAA audit, please contact us.