General Data Protection Regulation
On May 25, 2018, the General Data Protection Regulation (GDPR) will go into effect as the primary law regulating how companies protect EU citizens’ personal data. The purpose of the GDPR is to impose a uniform data security law on all EU members. In addition to EU members, it is important to note that ANY company that markets goods or services to EU residents, REGARDLESS of its location, is subject to the regulation. As a result, GDPR will have an impact on data requirements in the United States. All organizations, including small to medium-sized companies and large enterprises, must be aware of all GDPR requirements and be prepared to comply by May 2018. By beginning to implement data protection policies and solutions now, companies will be in a much better position to achieve GDPR compliance when it takes effect.
The GoldSky Compliance Gap Assessment will focus on the specific requirements of the EU-US Privacy Shield and GDPR Security Requirements. This will include:
- Interviews with key personnel in core functional areas and information technology;
- Review of documentation to support EU-US Privacy Shield and GDPR compliance;
- Testing of identified EU-US Privacy Shield and GDPR controls;
- Identification of gaps in the Organization’s compliance with the EU-US Privacy Shield and GDPR.
The GDPR itself contains 11 chapters and 91 articles. Some of the key privacy and data protection requirements of the GDPR include:
- Requiring the consent of subjects for data processing
- Anonymizing collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.
The following are some of the chapters and articles that have the greatest potential impact on security operations:
Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).
Articles 23 & 30 – Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.
Articles 31 & 32 – Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify Supervisory Authorities (SAs) of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach, such as its nature and the approximate number of data subjects affected. Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high risk.
Articles 33 & 33a – Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
Article 35 – Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with Supervisory Authorities (SAs). Some companies may be subjected to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.
Articles 36 & 37 – Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.
Article 45 – Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.
Article 79 – Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.
GoldSky Security’s offices in Orlando, Denver or Chicago can help support your GDPR compliance requirements.