Countdown to EU’s General Data Protection Regulation (GDPR)
With a little more than eight months until the GDPR becomes enforceable, the opportunity to meet the 25th May 2018 fully compliant date is rapidly disappearing. For many, the decision to delay implementing the regulation has been driven by a belief that it doesn’t apply to them, particularly if they aren’t based in the EU.
We need to be conscious, though, that any organisation that holds any personal information about any EU citizen falls under the jurisdiction of the GDPR and could be subject to prosecution should that data be breached. Such data includes name, address, phone number and even the IP address used when the user visited your web site or online store. The GDPR has been furnished with some substantial teeth, with the ability to impose fines of up to 4% of global annual turnover or €10m, whichever is greater. It’s not too great a stretch to imagine that the first organisations to fall afoul of this regulation will be made examples of.
What you should consider as the deadline approaches
Key elements to be considering as the deadline for enforcement approaches include the following:
- If you process data for another organisation, i.e. don’t collect it directly yourself are don’t use the data yourself, you still need to be compliant. Unlike the Data Protection Directive (95/46/EC), it’s not just the collector of the data that’s liable.
- With the GDPR personal data is defined as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, post on social networking websites, medical information, or a computer’s IP address.” This is extremely broad, so make sure you are aware if you collect or process any of this data whether deliberately or not.
- Make sure that any data you do collect is covered by appropriate authorisations from the user as these have expanded substantially; simple agreements are unlikely to suffice moving forward.
- Lastly, make sure you have processes in place to notify users of a breach when it happens. GDPR allows only 72 hours for such notification to take place.
There are, of course, many more elements to consider, and the enforcement date will be upon us before we know it. We have Christmas, Easter and many other holidays between now and 25th May 2018, and as a result there is probably little more than six working months to get ready. With the pressure we have on our organisations – our cybersecurity teams particularly – that doesn’t leave us with much time. If you haven’t looked at GDPR then we’d urge you to do so now, and if you have and think there’s still time, we’d urge you to look again.
Best practice in personal data security can only benefit us as individuals and as organisations. Better notification and more openness in admitting we’ve been breached will help us all respond to the threats that are out there. GDPR is the first significant data protection legislation in several years; the rest of the world is watching and is likely to adopt similar protections for their own citizens. Being GDPR compliant will help prepare you for those as well. As my Grandmother used to say, “A stitch in time, saves nine.”
Get our GDPR guide
BeyondTrust has written a new guide on the objectives of the GDPR, and how BeyondTrust privileged access management and vulnerability management solutions can help. Download the guide, or contact us for a strategy briefing today!