Is Your Business GDPR Ready? 5 Things You Need to Know About this New Data Regulation
The General Data Protection Regulation (GDPR), which goes into effect in May, is expected to set a new standard for consumer rights regarding their data. And non-compliance could cost companies dearly. If you think the new European data protection rules don’t apply to you, think again.
Here are five things every U.S. company should understand about GDPR.
What is GDPR?
GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens. Going into effect on May 25th, 2018, and replacing the outdated 1995 EU Data Protection Directive, the new rules are designed to give individuals greater control over their own information. Under GDPR, data controllers, or businesses that collect personal data, must ensure that personal data is gathered legally under strict conditions.
Under the new regulation, data processors – companies that collect and manage data on behalf of businesses – must also protect client data from misuse and exploitation. Data controllers who have transferred personal data to third parties (data processors) are putting pressure on the data processors for GDPR compliance.
At Bridgepoint, we’re getting a lot of questions from clients whose organizations are considered data processors about how to achieve GDPR compliance and safeguard personal data.
Here are a few things about GDPR we’ve discovered:
- GDPR has expanded the definition of personal data to include not only items such as name, address, and social security number, but also data points such as IP address, username, password, and cookie data.
- It further requires companies to be able to remove that information on request as part of the “right to be forgotten,” and requires companies to report a data breach within 72 hours of becoming aware of it.
- This regulation places greater emphasis on documentation and evidence to demonstrate accountability. Therefore, even if you were already following EU 1995 Guidelines, you may need to take additional steps to organize and document your procedures in the event of an audit.
If these new obligations sound both technically and financially daunting, consider that the penalty for non-compliance is up to €20,000,000 or 4% of worldwide revenue, whichever is greater. That makes protecting personal data not only a matter of ethics, but potentially a matter of survival.
Are you subject to GDPR?
As the name implies, GDPR applies to any company that is EU-based or that does business in the EU. But if you have no direct business operations in any EU state and assume that means your company is in the clear, think again. The reality is that any U.S. company that markets products or services online or collects personal data or behavioral information on EU customers will most likely be subject to GDPR. However, determining your level of compliance can be tricky under the new rules and requires careful analysis.
How ready are U.S. businesses?
Recent reports show that while organizations around the world are embracing cloud technology, they lag behind in protecting sensitive and regulated data. One survey shows that while 78% of respondents plan to use cloud and SaaS-based applications, only about half have appropriate technical and organizational safeguards in place. Not surprisingly, about the same number also expect to be fined under GDPR*.
Here in the U.S., businesses are concerned about GDPR, but also report a significant readiness gap. More than three quarters of U.S. respondents in one survey agree the new rules will result in considerable fines, and 80% think compliance will provide them a competitive edge. At the same time, only 65% are familiar with the regulations, and only 30% have reached full compliance in advance of the May deadline**.
Part of the difficulty is that identifying and tracking personal data as required by GDPR is a time-consuming and often confounding task for companies attempting to take a DIY approach to compliance. Most organizations store personal data in multiple, unrelated, and sometimes siloed systems, including applications, databases, and backups. Even controls already in place for meeting PCI-DSS, NIST, or HIPAA regulations may not be robust enough to track data at this level – much less permanently remove it.
What should you do to get ready?
Get started now. If you have not already done so, you should take immediate steps to determine how GDPR applies to your organization and implement a strategy before the May 25th deadline. These steps should include:
- Communicating with company leadership about the issue
- Determining what personal data you hold, where it resides, and who has access
- Prioritizing the aspects of GDPR that will most affect you
- Identifying gaps, and
- Developing a roadmap to compliance
Bridgepoint understands GDPR and can help
GDPR is new to U.S. companies, and complying with this lengthy and complex set of regulations can be overwhelming. If you are unsure how to assess your readiness, our seasoned cybersecurity experts can help. Bridgepoint can guide your organization through each step of the process, from data discovery to executing a solid compliance strategy. Get in touch with our experts to get a GDPR readiness assessment.
* Ovum Report – Data Privacy Laws: Cutting the Red Tape
** Varonis – Countdown to GDPR: Challenges and Concerns (Independent survey of cybersecurity professionals)