As a Managed IT Services firm, we’ve had many of our clients approach us in recent months about the new General Data Protection Regulation (GDPR). Often there is concern and confusion about how the new regulation affects their organization, and the first question is always “Is our data safe?”. Once we’ve explained that there is no need to be concerned and that their data is in fact safe and secure, the conversation then shifts towards what GDPR really is, whether GDPR applies to US organizations, and the steps organizations need to take to be in compliance with the GDPR.
In reality, the technical aspect of GDPR is only a small portion of its requirements. The majority of the regulation are focused on policies and procedures. In this article we’ll overview what the GDPR consists of and what it means for you.
What is GDPR?
First let’s start by understanding exactly what GDPR is. The foundation of GDPR is to give European Union (EU) citizens and residents “digital rights” given the increasing economic value of personal data. The intention is to give control of personal data back to citizens and residents in the EU. In addition, the idea is to streamline the rules for protection of data across the EU by foreign companies who process the data of EU residents.
Does GDPR apply to you?
The next question we get is “Does GDPR apply to us?” The answer to that is somewhat complicated. GDPR applies to organizations that do business within the EU, and can apply to organizations outside of the EU. There are three criteria to determine if your organization needs to be GDPR compliant.
- Where is your organization established? If you have a presence in the EU, then GDPR will definitely apply to you.
- Does your organization envision doing business with EU residents? If so, then GDPR will apply to you.
- Does your organization utilize any kind of technology platform to monitor and track the behavior of EU residents? If so, then GDPR will apply to you.
An organization must carefully analyze its operations to determine if any of these criteria apply to them. For example, if your organization is US based and happens to process an online transaction with a EU resident then the regulation does not apply. But if your organization tracks the transactions of EU residents then the regulation does apply. It’s important to understand that GDPR does not only apply to EU citizens. It applies to any individual in the EU whose data is targeted, including visitors within the EU. In addition, there are gray areas that could indirectly subject an organization to GDPR. For example, a US based organization that uses a third party based in the EU to process its data should comply with GDPR.
What does GDPR involve?
In today’s digital age, almost any service we use will involve our personal data, which in turn is analyzed and possibly stored by organizations. Given that a data breach will inevitably happen, it is the responsibility of your organization to ensure that personal data is gathered legally as per the conditions dictated by GDPR. Additionally, if your organization does collect data then it is your responsibility to ensure that the data is protected and respects the rights of the individual. Organizations who violate these rules will face strict penalties.
One of the key provisions of GDPR is breach notification. In the event of a data breach, an organization must notify the relevant authorities within 72 hours of the breach. In addition, the organization must directly notify the individuals whose data has been breached. Failure to comply with these rules can results in significant fines and penalties.
How to prepare for GDPR?
So now that you have an understanding of what GDPR is and whether it applies to your organization, how do you prepare? First, it is important to understand what needs to be done to prepare for GDPR compliance. There are many useful resources available online. For instance, the ICO outlines 12 Steps to Prepare for GDPR. Note that preparation for GDPR, as an internal function within your organization, requires extensive discussions with people from various departments including management, marketing, legal, and IT.
Second, preparation for GDPR will be more complex for some organizations depending on the nature of their business operations and size of organization. For this reason, it may be appropriate to hire outside consultants who specialize in GDPR compliance to help you prepare for and maintain compliance.
In summary, there is a common misunderstanding that GDPR is simply about security of data. While cybersecurity and data security are certainly fundamental components, the objective of GDPR is to promote accountability and governance by having companies implement both technical and organizational measures to protect the personal data of EU residents.
From an IT perspective, GDPR further underscores the need for organizations to invest in Cyber Security as a preventative measure. As I explain in a previous article, there are several basic steps that an organization can take to start protecting their data at a relatively low cost, especially when compared to the financial cost and reputational damage that can result from a data breach.
Written by: Payam Pourkhomami, President & CEO, OSIbeyond