If your company is doing business in the EU, you must be aware of the impending European General Data Protection Regulation (GDPR) enforcement deadline on May 25th, 2018. GDPR is a significant update of the existing 1995 EU Directive (95/46/c) and comes with massive penalties that can reach to the greater of €20 million or 4% of global annual revenue.
The GDPR contains provisions that require businesses to protect the personal data and privacy of EU citizens (AND visitors to the EU) for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU. Companies that do business in any of the 28 EU member countries or process the personal data of EU citizens must be in compliance by May 25, 2018. Compliance standards are quite high and will require most companies to make a significant investment to meet and to administer.
With the deadline fast approaching, this is a good time to educate yourself on what the changes are, who is affected, key requirements, implications, preparedness, and potential penalties. We will address these items in a four-part blog series with some help from one of our security partners, Imperva.
- Part 1: Who is subject to the GDPR?
- Part 2: The security requirements of the GDPR
- Part 3: What the GDPR means to organizations & how to prepare
- Part 4: GDPR penalties for non-compliance
Here are some definitions that will help with understanding the GDPR.
Personal data and data subject – “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Example: You work at a Fortune 500 company and as your employer it holds your personal data. You’re the data subject.
Controller – “person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.“ Example: A manufacturing company collecting personal information from its employees is the Controller.
Processor – “person, public authority agency or any other body which processes personal data on behalf of the controller.” Example: A payroll company processing employee paychecks on behalf of the manufacturing company is the Processor
Part 1: Who is subject to the GDPR?
If you are a Non-EU company you may be under the impression that the GDPR doesn’t apply, however you could still be affected by it. GDPR requirements apply to any organization doing business in the EU or that processes personal data originating in the EU, be it the data of residents or visitors.
Bottom line, organizations of any size in any country that process anyone’s data—if that data originated in the EU—is subject to the GDPR. The borderless realms of the internet mean that companies not intending to control or process EU-sourced data could find out they are subject to GDPR requirements.
Consider these scenarios:
1. You’re part of a financial analyst firm tasked with projecting a European company’s revenues for the next three years. You work out of an office in the US, but use personal data provided to you by your client that was collected in the EU. Since this data was collected in the EU it is subject to GDPR requirements, even though you’re based out of the US office and didn’t originally collect the data.
2. A mobile and on-line website allows people to shop for, buy and rate products. The US-based company that owns the retail storefront collects personal data about the people that visit and make purchases. The information is subsequently used in advertising campaigns and sales reports. If a person visits the website while they are physically present in the EU, the requirements of GDPR follow the personal data collected during their visit. That essentially means that any website or mobile application that is accessible by a person in the EU will need to comply with GDPR.
3. There are of course allowances for small businesses and practical limitations on what the EU would attempt to enforce. But entities located outside the EU that market their products or do business with people inside the EU will need to consider the ramifications of not complying.
Need a GDPR Planning Framework?
Part 2 of this GDPR series will take a closer look at the actual security requirements. If you’d like more information on planning for the GDPR, we recommend this helpful blog post that outlines a readiness framework including milestones for each stage.
For a free GDPR data security consultation, contact one of our security experts here.
