Is your organization ready for the May 25, 2018, effective date of the General Data Protection Regulation (GDPR)? This short guide gives you a sense of what guidelines it contains, along with whose data it safeguards and who will have to follow the rules.
Understanding the GDPR
5, 4, 3, 2, 1… Second by second, the European Union is counting down the amount of time left until the enforcement of the General Data Protection Regulation begins. The GDPR is a set of stipulations developed by the European Union for the safeguarding of data. It was enacted because European nations were still working with 1995 legislation (Directive 95/46/EC).
The official GDPR site notes that the law is intended to create greater common ground between the different information privacy laws that are currently in force in different countries on the continent. It is also meant to give better privacy rights to citizens. Contained in this regulation are some significant shifts for individuals as well as for organizations that manage or in any way interact with sensitive personal data.
The GDPR is big news in part because it is a long time coming – the result of over four years of negotiating and fine-tuning. The European Commission started outlining its proposed strategies for reforming the treatment of data privacy in January 2012. The idea of this effort was to make sure that the European nations were in a good position for the digital era. Although there were other reforms laid out at the time as well, the GDPR was central.
The European Parliament and European Council both passed this new framework in April 2016 – at which point the directive and regulation were made public. Then in May 2016, the EU Official Journal published the GDPR. The GDPR is on everyone’s minds lately in the security and IT fields because we are ramping up to the date when it becomes effective: May 25, 2018. The idea for that two-year stretch prior to the law going into force was that it would give both individuals and businesses ample time to get ready for compliance.
When the law was passed, Digital Single Market VP Andrus Ansip noted that the treatment of the confidential information of the European people had to be based on an educated knowledge that data was being protected against unauthorized access. “With solid common standards for data protection,” he said, “people can be sure they are in control of their personal information.”
What businesses must be GDPR compliant?
All members of the EU have to comply with the General Data Protection Regulation, and it impacts nations outside Europe as well.
In the United Kingdom, many people are confused about this legislation because it was negotiated prior to Brexit. It is essentially being put into effect in the UK via a Data Protection Bill that mandates many (though not all) of the same standards and protocols.
Any companies that are not within the EU but that provide services or goods to European people and/or organizations have to comply with the law. The GDPR is of great interest to all global enterprises, as well as small businesses that are doing business on the continent. Because that’s the case, this issue is high-priority across just about every industry.
How the GDPR changes things
Businesses get hacked and otherwise experience data breaches all the time. Data may be stolen by cybercriminals or otherwise become accessible to unauthorized parties that are not supposed to be able to view it. Assuming that these parties are malicious, the situation can quickly turn into a nightmare.
To guard against these scenarios, the GDPR gives citizens the right to see the information about them that is held by different organizations.
Businesses and agencies need to give people access to their data while meeting certain information management requirements. They can only collect and use data as described within the legislation. Furthermore, firms that manage information have to secure it so that it is not used for nefarious purposes. They must respect the rights of the owners of data as detailed within the law. Otherwise, they can be fined according to the new fine schedule set out in the law.
Beyond the above parameters, the other aspect that is new is the expanded liability of organizations that handle data on the behalf of others – called data processors under the law (see below).
Data controllers & data processors
The law places the businesses that must meet compliance in two categories: data controllers and data processors. The GDPR’s Article 4 describes these two types of organizations:
- Data controller: A data controller is an individual, public agency, or another organization (i.e., any company) that, either by itself or in collaboration with outside entities, decides why and how digital information is processed, stored, or otherwise handled.
- Data processor: A data processor is an individual, public agency, or another organization (again, could be any business) that manages data for a controller. Note that if you are in the UK and the Data Protection Act applies to your organization, the GDPR will probably be applicable as well (since its essence is being implemented).
“You will have significantly more legal liability if you are responsible for a breach,” notes the UK’s Information Commissioner’s Office. Specifically, processors are now liable.
The General Data Protection Regulation makes it necessary for processors to keep records related to information and its management. In this manner, it becomes a much more significant legal concern to follow industry best practices, avoid corporate negligence (failure to use accepted standards for data protection), and make sure that information is actually secure.
Furthermore, GDPR compliance will now apply to all legal agreements between processors and controllers.
Close parallels between HIPAA & the GDPR
From a compliance perspective, these designations are interesting because they are so similar to the law that has developed in the United States related to the protected health information (PHI) that is the subject of HIPAA compliance – i.e., abiding by the Health Insurance Portability and Accountability Act of 1996. HIPAA has always applied to both covered entities (roughly equivalent to the controllers) and business associates (roughly equivalent to the processors). Also, US law requires that a contract called a business associate agreement (BAA) must be signed between every covered entity and business associate, just as agreements must be signed into effect between controllers and processors.
What are the penalties for noncompliance?
There are incredibly strong fines for failure to comply with the GDPR, with violations leading to fines as high as the greater of 4% of annual turnover (total sales) or 20 million Euros (roughly 24.4 million USD).
Incredibly, a recent survey found that 52% of organizations think that they will get GDPR fines, while another report predicted that the new law would result in $6 billion of fines from the European Union in its first year alone.
Your GDPR-compliant hosting plan
Does your organization need to be GDPR compliant? It does if it in any way comes into contact with the data of European citizens or businesses, whether it is classified as a controller or a processor.
At Total Server Solutions, we offer GDPR-compliant hosting. In fact, we previously established our data protection through an audit to meet the service control standards devised by the American Institute of Certified Public Accountants’ Statement on Standards for Attestation Engagements 16 / 18 (SSAE 16 / 18). See our beliefs.