Even though enforcement doesn’t begin until May 2018, there are some key questions every organisation should be asking itself as the enforcement day approaches.
What Data Do You Have and Where is it Stored?
You need to assess what kinds of data your organization currently has under management. Often people don’t realize that creating and maintaining an accurate inventory of the structured and semi-structured data your organisation is responsible for is difficult, if not impossible, to do manually. This task must be automated using tools that can detect unknown data stores and locate personal and confidential data within the data structure based on a variety of pattern recognition techniques.
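The automated discovery described above boils down to walking every string value in a data store and testing it against a catalogue of patterns, then tightening the match with a validator where one exists so the inventory is not swamped by false positives. The following is an added illustration, not code from the original article or from Imperva's products; the records, the regexes and the choice of categories are constructed for the example, and a real scanner would cover many more data types and sources.

```python
import re
from typing import Any, Callable, Dict, Iterator, List, Optional, Set, Tuple

# Constructed sample data: a few semi-structured records as they might be
# exported from an application database. All values are made up.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"id": 1,
     "profile": {"contact": "anna.example@example.org", "phone": "+44 20 7946 0958"},
     "notes": "Customer asked for invoice; IBAN GB82 WEST 1234 5698 7654 32 on file"},
    {"id": 2, "profile": {"contact": "n/a", "phone": ""}, "notes": "No personal data here"},
    {"id": 3, "tags": ["vip", "support"], "meta": {"ip": "203.0.113.42"}},
]


def iban_checksum_ok(candidate: str) -> bool:
    """ISO 7064 mod-97 check: a regex hit that fails this is not an IBAN."""
    s = re.sub(r"\s+", "", candidate).upper()
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


# Pattern catalogue: category -> (regex, optional validator).  The regexes are
# deliberately simple; the phone pattern in particular will also fire on other
# digit runs, which is why a validator is attached wherever the format has one.
PATTERNS: Dict[str, Tuple[re.Pattern, Optional[Callable[[str], bool]]]] = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None),
    "iban": (re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b"),
             iban_checksum_ok),
    "phone": (re.compile(r"(?<!\w)\+?\d[\d\s()-]{7,}\d(?!\w)"), None),
    "ipv4": (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), None),
}


def walk(obj: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string leaf of a nested structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(obj, str):
        yield path, obj


def scan_record(record: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (path, category) for each field of one record that holds a validated hit."""
    findings = []
    for path, text in walk(record):
        for category, (regex, validate) in PATTERNS.items():
            for match in regex.finditer(text):
                if validate is None or validate(match.group(0)):
                    findings.append((path, category))
                    break  # one finding per field and category is enough for an inventory
    return findings


def inventory(records: List[Dict[str, Any]]) -> Dict[str, Set[str]]:
    """Aggregate across records: category -> set of field paths where it occurs."""
    summary: Dict[str, Set[str]] = {}
    for record in records:
        for path, category in scan_record(record):
            summary.setdefault(category, set()).add(path)
    return summary


if __name__ == "__main__":
    for category, paths in sorted(inventory(SAMPLE_RECORDS).items()):
        print(f"{category:6s} found in: {', '.join(sorted(paths))}")
```

The output of `inventory` is the field-level map a compliance team actually needs: not "record 1 contains an email" but "the `profile.contact` field holds email addresses", which is what drives access-control and masking decisions for the whole store. Note that the phone pattern also fires on the IBAN digits in `notes`; that false positive is left in on purpose to show why a validator (here the mod-97 check) matters wherever the data type has one.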
Who Has Access to the Data and Can You Control that Access?
Limiting access to personal data can be accomplished in several ways including data collection minimization and data masking. While these are both recommended steps, some users and applications will need access to the live personal data. Identifying those applications and users requires user access controls, user rights management and activity monitoring. Like data inventories, these tasks are best automated with technology.
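Data minimization, masking and access control fit together as one policy decision at the point where a record is read: the caller names a role, the policy says which fields that role may see in clear, everything else is masked or pseudonymized, and every access is written to an audit trail for activity monitoring. The example below is added here to show that shape; it is not code from the article or from Imperva. The customer record, the role policy, the pseudonymization key and the field names are all constructed for the illustration.

```python
import hmac
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Constructed sample record; all values are made up.
CUSTOMER: Dict[str, Any] = {
    "id": 42, "name": "Anna Example", "email": "anna.example@example.org",
    "phone": "+44 20 7946 0958", "city": "Lyon",
}

# Access policy (constructed): role -> fields the role may read in clear.
# Any field not listed is masked; any role not listed is denied outright.
POLICY: Dict[str, set] = {
    "billing": {"name", "email"},
    "support": {"name"},
    "analytics": set(),
}

# Key for pseudonymous tokens (constructed placeholder; in practice this lives
# in a secrets store, not in source code).
PSEUDONYM_KEY = b"example-key-do-not-use"

AUDIT_LOG: List[Dict[str, Any]] = []


def mask(field_name: str, value: str) -> str:
    """Format-preserving masks for common fields; keyed token for everything else."""
    if field_name == "email" and "@" in value:
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    if field_name == "phone":
        digits = [c for c in value if c.isdigit()]
        return "*" * (len(digits) - 2) + "".join(digits[-2:])
    # HMAC rather than a bare hash so the token cannot be reversed by guessing inputs.
    return hmac.new(PSEUDONYM_KEY, value.encode(), "sha256").hexdigest()[:16]


def read_customer(record: Dict[str, Any], role: str, user: str,
                  fields: Optional[List[str]] = None) -> Dict[str, Any]:
    """Return the record as `role` is allowed to see it, logging the access either way."""
    stamp = datetime.now(timezone.utc).isoformat()
    if role not in POLICY:
        AUDIT_LOG.append({"ts": stamp, "user": user, "role": role,
                          "record_id": record["id"], "decision": "deny"})
        raise PermissionError(f"role {role!r} has no access to personal data")

    allowed = POLICY[role]
    # Minimization: callers ask for the fields they need; default is all non-key fields.
    wanted = fields if fields is not None else [k for k in record if k != "id"]
    view: Dict[str, Any] = {"id": record["id"]}
    clear, masked = [], []
    for name in wanted:
        if name in allowed:
            view[name] = record[name]
            clear.append(name)
        else:
            view[name] = mask(name, str(record[name]))
            masked.append(name)

    AUDIT_LOG.append({"ts": stamp, "user": user, "role": role, "record_id": record["id"],
                      "clear_fields": sorted(clear), "masked_fields": sorted(masked),
                      "decision": "allow"})
    return view


if __name__ == "__main__":
    print(read_customer(CUSTOMER, "support", "alice"))
    print(read_customer(CUSTOMER, "billing", "bob", fields=["email"]))
    print(AUDIT_LOG)
```

Two design points carry over to real deployments: the deny path is logged as deliberately as the allow path, since failed reads of personal data are exactly what a monitoring team wants to see, and the audit entry records which fields were returned in clear, so a later question of "who has seen this person's phone number" can be answered from the log alone.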
What Responsibility Do You Have for Your Processors?
If you’re a data controller, you need to take steps to ensure that the processors will protect the data you control, in accordance with your GDPR policies. This critical requirement is best addressed by a combination of contracts from your legal team and technology that can enforce limitations on the movement of data.
Chapter V of the GDPR covers transfers of personal data of EU data subjects to third countries or international organizations and mandates that organizations that control or process such data ensure that any such transfers be done with adequate safeguards in place to protect the personal data of EU subjects. If adequate safeguards are not in place, then the data should not be transferred.
What About Data Transfers from the EU to the U.S.?
A simple question: Can your organization control its data if it enters the U.S.? Model contracts and Binding Corporate Rules (BCRs) will help some companies address specific controller-processor relationships. Companies that cannot utilize these contracts previously relied on the Safe Harbor Framework to provide a legal basis for data transfers to the U.S. The Safe Harbor Framework was invalidated in 2015 and replaced by the EU-U.S. Privacy Shield Framework in 2016.
The Privacy Shield Framework utilizes a self-certification format and is open to U.S.-based organizations. Once an eligible organization makes a public commitment (via the Privacy Shield website) to comply with the framework, the commitment will become enforceable under U.S. law.
Although debate continues as to whether the Privacy Shield Framework will pass muster in the face of a legal or regulatory challenge, as of now it has credibility given that, as of March 1, 2017, 1,750 organisations (including Facebook, Google and Microsoft) have joined the EU-U.S. Privacy Shield and it has been approved by the European Commission.
What to Do First?
GDPR compliance may seem daunting initially, but if you can answer the questions above, you’re already off to a good start. At a high level, your responses will help you build a preliminary plan along the following lines:
- Identify what kinds of data you have, where it’s stored and its risk profile
- Examine the data flow and all the access points
- Assess current protection policies and procedures
- Perform a prioritized gap analysis to the new requirements
- Identify technology, processes, contracts, and resources to address the gaps
- Work back from the May 2018 enforcement date to determine your timeline for rolling out the new elements
The consequences of non-compliance
Compared to its predecessor, the Data Protection Directive (95/46/EC), the GDPR gives data protection authorities more investigative and enforcement powers and the power to levy more substantial fines. The GDPR is a regulation that applies in all member states of the EU.
The GDPR provides a new one-stop-shop regulatory framework for the investigation of complaints and enforcement of the GDPR requirements. Under this framework a member state’s supervisory authority will operate in one of three roles:
- Lead Supervisory Authority: will act as the lead supervisory authority for the controllers and processors whose main establishments are located in its member state. This will permit a controller or processor to rely on the guidance and enforcement procedures of one single EU supervisory authority.
- Local Authority: may deal with complaints or infringements that only affect data subjects in its member state.
- Concerned Authorities: will act when data subjects in their member state are substantially affected and will cooperate with the lead supervisory authority for the matter.
This model is designed to provide a uniform, cross-EU enforcement model that still provides individual member states flexibility on matters that pertain only to data subjects residing within their territory.
How is the fine calculated?
Article 58 of the GDPR provides the supervisory authority with the power to impose administrative fines under Article 83 based on several factors, including:
- The nature, gravity and duration of the infringement (e.g., how many people were affected and how much damage was suffered by them)
- Whether the infringement was intentional or negligent
- Whether the controller or processor took any steps to mitigate the damage
- Technical and organizational measures that had been implemented by the controller or processor
- Prior infringements by the controller or processor
- The degree of cooperation with the regulator
- The types of personal data involved
- The way the regulator found out about the infringement
If it is determined that non-compliance was related to technical measures such as impact assessments, breach notifications and certifications, then the fine may be up to an amount that is the greater of €10 million or 2% of global annual turnover (revenue) from the prior year. In the case of non-compliance with key provisions of the GDPR, regulators have the authority to levy a fine in an amount that is up to the greater of €20 million or 4% of global annual turnover in the prior year. Examples that fall under this category are non-adherence to the core principles of processing personal data, infringement of the rights of data subjects and the transfer of personal data to third countries or international organizations that do not ensure an adequate level of data protection.
What this all means
The time to start planning for GDPR compliance is now. May 2018 is not as far off as it seems, and time-consuming investigations and hefty fines may loom on the horizon. Once you discover and inventory your data repositories and sensitive data you can begin to better scope your GDPR readiness project.
By Spencer Young, RVP EMEA at Imperva