What is GDPR? Do I Need to Do Anything?
Well let’s start with the easy part – GDPR stands for General Data Protection Regulation. The regulation was enacted to give people in the EU greater control over their personal data, and assurance that the organizations and businesses they allow to use or retain that data are protecting it properly.
GDPR is a little complex in who the “players” are (the data subject whose data it is, the controller who decides why and how it is processed, and the processors who handle it on the controller’s behalf), but overall it is meant to afford individuals 8 basic rights:
- The Right to Access – individuals have the right to request a copy of their personal data and to ask how it is being used.
- The Right to be Forgotten – if consumers no longer want their data in the hands of an organization, they have the right to ask that it be deleted.
- The Right to Data Portability – individuals have the right to receive their data in a structured, commonly used, machine-readable format and to have it transmitted to another provider when moving services.
- The Right to be Informed – organizations must tell individuals, at the point of collection, what data is being collected, why, and for how long it will be retained. Where consent is the legal basis for processing, it must be freely given and just as easy to withdraw.
- The Right to Have Information Corrected – individuals can require that inaccurate or incomplete data about them be corrected or completed.
- The Right to Restrict Processing – consumers can request that their data be retained but not used for processing.
- The Right to Object – this includes the right of consumers to stop the processing of their data for direct marketing purposes. There are no exemptions to this rule: the organization must cease that processing as soon as the individual objects.
- The Right to be Notified – if there is a data breach, the organization must report it to its supervisory authority within 72 hours of becoming aware of it, and must inform the affected individuals without undue delay where the breach is likely to put them at high risk.
Failure to comply with any of the GDPR requirements may result in very serious penalties. British Airways is facing a fine of up to €200 million (£183 million, announced by the UK ICO) for a data breach that occurred in 2018. The regulation gives supervisory authorities the power to impose penalties of up to 4% of an organization’s annual global turnover or €20 million, whichever is greater.
So what if I am not in the EU? If your organization is established in the EU or any EU member country, offers goods or services to people in the EU, or monitors their behaviour, then you must comply. Note that the test is where the individuals are located, not their citizenship, and it does not matter that your data may live outside the EU.
The first step is getting your arms around your digital estate – your data. Start with mapping your data: where does it live; what is in there; who can access it; what are the risks of a breach? Next, let’s do some housecleaning. Don’t keep any more data than you need. Review the data in this digital estate and ask yourself:
- Why did we save this?
- Why are we archiving or backing this up rather than just deleting it?
- What is the value of collecting all of these different data points? Maybe we just need fewer details?
- Are there better ways to secure the data? Encryption?
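The mapping and housecleaning questions above can be turned into a repeatable check rather than a one-off spreadsheet exercise. The script below is an added example, not code from the original article or from any GDPR tooling: it walks a constructed inventory (the system names, roles, fields and records are all made up), flags fields that look like personal data by column name or value shape, counts records past a retention window, spots fields collected but not needed for the system’s stated purpose, and flags stores that are readable by “everyone”. The retention window, the field-name list and the value patterns are assumptions to adjust for your own estate.

```python
import re
from datetime import date

# Constructed sample inventory (not real data). Each system records who can
# access it, which fields its stated purpose actually needs, and its records.
INVENTORY = {
    "crm.customers": {
        "access": {"sales", "support"},
        "needed_fields": {"id", "name", "email", "last_activity"},
        "records": [
            {"id": 1, "name": "Ada Example", "email": "ada@example.org",
             "phone": "+44 20 7946 0000", "last_activity": "2019-02-01"},
            {"id": 2, "name": "Bob Sample", "email": "bob@example.net",
             "phone": "+33 1 09 75 83 51", "last_activity": "2014-06-30"},
        ],
    },
    "backups/crm-2015.sql": {
        "access": {"ops", "everyone"},
        "needed_fields": set(),  # nobody could say why this backup is kept
        "records": [
            {"id": 2, "name": "Bob Sample", "email": "bob@example.net",
             "phone": "+33 1 09 75 83 51", "last_activity": "2014-06-30"},
        ],
    },
}

# A field counts as personal data either by its name or by the shape of its
# value (an e-mail address is personal data whatever the column is called).
# Both lists are assumptions; extend them for your own schemas.
PII_FIELD_NAMES = {"name", "email", "phone", "address", "dob", "ip"}
PII_VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    # International format only, so ISO dates are not mistaken for phones.
    "phone": re.compile(r"^\+[\d\s().-]{7,}$"),
}


def classify_field(name, value):
    """Return the PII category of a field, or None if it looks non-personal."""
    if name.lower() in PII_FIELD_NAMES:
        return name.lower()
    if isinstance(value, str):
        for category, pattern in PII_VALUE_PATTERNS.items():
            if pattern.match(value):
                return category
    return None


def build_data_map(inventory, today, retention_days):
    """Answer the mapping questions for every system in the inventory.

    Every record is assumed to carry an ISO-8601 'last_activity' date.
    """
    data_map = {}
    for system, meta in inventory.items():
        pii_fields, stale = set(), 0
        for record in meta["records"]:
            for field, value in record.items():
                if classify_field(field, value):
                    pii_fields.add(field)
            last = date.fromisoformat(record["last_activity"])
            if (today - last).days > retention_days:
                stale += 1
        present = set().union(*(r.keys() for r in meta["records"]))
        unneeded = sorted((present & pii_fields) - meta["needed_fields"])

        findings = []
        if "everyone" in meta["access"]:
            findings.append("broad access: restrict to named roles")
        if stale:
            findings.append(f"{stale} record(s) past {retention_days}-day "
                            "retention: delete or document why not")
        if unneeded:
            findings.append("personal data collected but not needed: "
                            + ", ".join(unneeded))
        data_map[system] = {
            "records": len(meta["records"]),
            "pii_fields": sorted(pii_fields),
            "access": sorted(meta["access"]),
            "stale": stale,
            "unneeded_pii": unneeded,
            "findings": findings,
        }
    return data_map


def run_example(today=date(2019, 9, 1), retention_days=3 * 365):
    """Run the inventory check with an assumed 3-year retention window."""
    return build_data_map(INVENTORY, today, retention_days)


if __name__ == "__main__":
    for system, entry in run_example().items():
        print(f"{system}: {entry['records']} records, "
              f"PII in {entry['pii_fields']}, readable by {entry['access']}")
        for finding in entry["findings"]:
            print("  -", finding)
```

Run against the constructed inventory, the CRM comes back with one customer past the retention window and a phone column that no stated purpose needs, and the 2015 backup is flagged three times: readable by everyone, entirely stale, and holding personal data with no documented reason. Those three findings are exactly the housecleaning list: restrict access, delete or justify, collect less.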
Once you have your arms around the data, it’s time to review your overall security posture and make sure you have adequate processes and policies, not only to ensure compliance with GDPR but also to support a mature security model.
There is a lot involved in GDPR – way more than I can cover here, so don’t be afraid to ask for help. Engage your current partners or feel free to build a new relationship with us – we would love to work with you!
Please do not substitute these guidelines for legal advice.