Select Monthly Archives
- May 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- March 2016
- October 2015
- September 2015
- July 2015
- May 2015
- March 2015
- February 2015
- January 2015
- December 2014
- September 2014
- August 2014
- July 2014
- June 2014
- March 2014
- January 2014
- December 2013
- September 2012
Written By: Ryan Hogan May 01, 2017
1. What the heck is GDPR?
The GDPR is the European Union’s General Data Protection Regulation. It is a single unified law about data privacy for the EU that is meant to protect its citizens and also reduce the barriers of doing business that come from having each member state create its own privacy regulations. It goes into effect in May of 2018, so you have about a year to get ready for it.
2.Why should I care?
The GDPR has significant requirements and can lead to hefty (possibly catastrophic) fines for non-compliance. If you have employees, partners, customers, or customer prospects in the EU you need to ensure their data is properly handled and protected. Failure to do so can lead up to fines up to 20M Euro or 4% of your organization’s annual global turnover.
3. Isn’t GDPR the same as EU Privacy Shield?
No - they are different but related. EU Privacy Shield is the new arrangement that allows companies to legally send data from the EU to the United States. It replaces Safe Harbor and is largely in response to the Edward Snowden revelations about U.S. surveillance. The EU Privacy Shield is based on the Data Privacy Directive (DPD), which is the current set of guidelines about privacy in the EU. In May 2018 the DPD will be replaced by GDPR, and it is likely the EU Privacy Shield will update its requirements to be more closely aligned with the GDPR. So if you are a U.S. company that does business in the E.U. you will need to be compliant with both the EU Privacy Shield and the GDPR. If you have already enrolled in EU Privacy Shield and already meet the EU Privacy Shield requirements then you are probably 80%-90% of being compliant with the GDPR.
4. Is there anything new in the GDPR that isn’t in Privacy Shield?
Yes - the GDPR includes a few things that are not already in the EU Privacy Shield requirements.
First is the need for a Data Protection Officer (DPO) if your organization meets certain requirements. This person can be a consultant or law firm, but they have to physically reside in an EU member state, and they need to be knowledgeable about data privacy and information security. Depending on the size and complexity of your organization, you may need multiple DPOs.
Next, Data Protection Impact Assessments (DPIA), also known as Privacy Impact Assessments (PIA), are required if your organizations meets certain requirements. This is basically a risk assessment focused on privacy-related risks; you can incorporate it into your existing Risk Assessment process if you have one, or do it as a separate activity. Even though you are not required to do a DPIA it is still a really good idea to do a data inventory, data flow mapping, and PIA periodically so that you know:
- What you have to protect
- How it flows through your in-house and 3rd party vendor systems
- What strategies and tactics will best help you reduce your privacy risks
Third, the GDPR wants organizations to have “a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.” So if you are not already doing some sort of regular internal and/or external audit (i.e. SOC2, ISO 27001) of your security program you should get that ball rolling now, rather than waiting until Q1 2018 as these things take time schedule and execute.
Fourth, the GDPR has very specific Breach Notification requirements in both timeframe (report within 72 hours) and content of a breach notification. While I would not describe the requirements as onerous, now is the time to make sure you have a good incident response plan that will meet the requirements and then test it (at least a tabletop test) to make sure it works as expected. Hopefully you will never need it.
Fifth, organizations need to keep records of the type and purposes for which they handle PII either as a Controller or Processor. Again, a good a data inventory, data flow mapping, and PIA will help in answering these requirements as well as ensuring you’ve taken steps such as adding appropriate clauses to your contracts or performing due diligence on relevant vendors.
Finally, the GDPR tries to ensure children’s data (under the age of 16) are protected and that proper notice and consent is given to parents and children.
5. Isn’t Privacy the same thing as Information Security? What should I do to get ready?
Privacy is not the same thing as Information Security. While it is true you cannot have an effective Privacy program without an effective Information Security program, privacy adds additional considerations to an information security program, and the GDPR has requirements related to business operating procedures (such as giving proper notice and obtaining consent) rather than focusing on the Information Security Triad (confidentiality, integrity, and availability).
To get ready for GDPR the best thing to do is assess your privacy program and compare it to the EU Privacy Shield and GDPR requirements. I would also recommend you do a data inventory, data flow mapping, and PIA so that you understand what needs to be done and how best to do it.
AppSec Consulting specializes in preparing our clients to meet a variety of security and privacy frameworks and certifications, including ISO 27k, SOC 2, HIPAA, PCI, GDPR, and EU Privacy Shield. Contact us today for an assessment of your security, compliance, and privacy needs. You’ll speak with an Information Security expert, not a sales person —we’ll listen a lot, determine your needs, and provide clear, actionable recommendations. We look forward to seeing how we can help.
Check out our Privacy Services page.