Most companies view their customers’ personal data as a digital commodity that can help with marketing, customer retention, analytics and more.
However, the European Union’s (EU) upcoming General Data Protection Regulation (GDPR) comes into force on May 25, 2018, and will require businesses like yours to give EU citizens much more control over their personal data.
The GDPR applies to any business that operates in the EU or manages EU-based data.
Unfortunately, standard cyber security measures likely won’t be enough to comply with the rule, as U.S. regulations usually only require businesses to protect data such as financial or medical information, and the GDPR’s definition of personal data is much broader.
The GDPR defines “personal data” as “…any information relating to an identified natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” (gdpr-info.eu)
If your business fails to protect personal data and comply with the GDPR you could face major fines.
But complying with the rule could attract customers who value privacy and give businesses better insight into their data management procedures.
As a result, it’s critical to understand the GDPR’s requirements and the steps needed to stay in compliance.
What does the GDPR consider as personal data?
Under the GDPR, personal data counts as any information relating to an identifiable person. Essentially, any information that could potentially lead to a person’s identification can be considered personal data.
Here’s some examples of personal data under the GDPR:
- IP addresses
- Internet cookies
- Email addresses
- Any location information
- Medical data, including genetic and biometric data
Because the GDPR applies to a broader range of data, businesses need to be especially careful when examining their data management procedures.
GDPR Compliance Requirements
Any violation of the GDPR can be financially devastating to your business, as fines can reach as high as 20 million Euros (almost $25 million) or 4% of a company’s global annual revenue.
In order to protect your business and avoid the hefty fines, it’s important to keep these five key features of the GDPR in mind:
1) Requirements for controllers and processors – The GDPR defines two distinct types of operators in its regulations (controllers and processors). The following are general definitions and standards that apply to these entities:
- Data controllers- Under the GDPR, any organization that collects, uses or discloses personal information of EU citizens may be considered a data controller. Controllers must protect EU citizens’ data and ensure that the organizations that process personal data on their behalf also comply with the GDPR requirements. Controllers must conduct privacy impact assessments for any high-risk processing and maintain records of all processing activities.
- Processors- Data processors are the organizations that actually process the data on behalf of the controllers. These entities must also implement appropriate safeguards, return or delete data once processing is complete, and notify the controller of any data breaches. Processors cannot subcontract any tasks without a controller’s permission.
2) Lawful bases and consent requirements- Data controllers can only process data under one of the GDPR’s six lawful bases:
- Consent from the data subject
- Contractual necessity
- Compliance with legal obligations
- Protection of a data subject’s or another person’s vital interests
- Actions that benefit the public interest
- Actions for a business’s legitimate interests
Additionally, a data subject’s consent must be unambiguous – silence or inactivity does not constitute consent. Parental consent is required when organizations process data for individuals under the age of 16.
3) Mandatory data breach notifications- After a data breach is discovered, data controllers must notify all affected individuals within 72 hours. However, when a breach could potentially affect individuals’ rights or freedoms, the notification must be made immediately. Data processors must also report data breaches to data controllers.
4) Right to erase- Data controllers are required to erase processed and/or stored personal data under the following conditions:
- Data is no longer needed
- An individual objects to the processing
- The processing was unlawful
5) Requirement for data protection officers- Data controllers and processors may be required to designate a data protection officer in the following scenarios:
- If data processing is carried out by a public authority or body
- If core activities involve regular and systematic monitoring of individuals on a large scale
- If core activities consist of large-scale processing of certain categories of data (i.e., data related to racial or ethnic origins, criminal convictions or political views)
While this list outlines a number of the major considerations, it shouldn’t be used as a GDPR compliance guide. To review the full text of the GDPR, helpful FAQs and summaries of key provisions, visit the EU’s official website.
5 Key Topics To Consider When Creating Your GDPR Compliance Plan
Because businesses can collect, manage and store data in different ways, it’s important for your GDPR compliance plan to include details that are unique to your business.
Here’s some of the most important topics to consider when making your plan:
1) Conduct a readiness and data assessment.
Review the GDPR and determine if it applies to your business. You should also establish what personal information you collect, where it’s stored and who has access to it in order to identify what data applies to the GDPR.
2) Identify compliance gaps.
During your initial assessment, it’s important to identify any potential compliance gaps. In some cases, you may find that you are able to reduce your GDPR compliance burden by changing the way you store or track EU data.
3) Establish oversight.
Continually document, model and coordinate potential GDPR issues and remediation strategies. You should make this information readily available to any employees who may handle personal data.
4) Implement a GDPR compliance program.
After you’ve established key processes to identify compliance gaps, create a GDPR compliance program to address potential concerns. This program should account for the following:
- Policy management
- Data life cycle management
- Individual rights processing
- Information security
- Data breach management
- Data processor accountability
- Training and awareness
4) Examine your vendors’ and partners’ data management practices.
Make sure that business partners such as cloud service providers, payment processors and marketing firms are ready to comply with the GDPR. Even if your own data protection measures are in place, you can still be held partially liable for a vendor’s failure to comply.
5) Review Your Cyber Risk Management Program and Secure Cyber Liability Insurance
Companies like yours process massive amounts of personal data every day and expose themselves to risks from cyber attacks, data breaches and more.
Just one breach can result in serious damage to your finances and reputation.
To better protect your company, it’s important to speak with a qualified insurance advisor to improve your cyber risk management program and secure cyber liability insurance. Not only can insurance advisors provide general guidance on any applicable data breach laws, they can also help you round out your risk management and insurance programs with a custom cyber insurance policy.
My name is Pat O’Neill and I’m a Risk Advisor here at The O’Neill Group, an insurance and risk management firm in Northeast Ohio.
I’d love to support you in your cyber risk management program, and discuss cyber liability insurance as a viable option to keep your business protected.
This article was adapted from Zywave. This is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.