You’re hearing the buzz on the General Data Protection Regulation (GDPR). Do you know how it impacts your organization? If you do business in the European Union (EU), regardless of your location, or process personal data of people who reside in the EU, then you need to be compliant by May 25, 2018.
- What’s the GDPR?
- Are you impacted?
- What do you need to do to comply?
- Are you ready?
- What if you are not ready by May 25, 2018?
Let’s address these questions and help identify how you and your partners may need to help ensure you are complying with the GDPR.
What’s the GDPR?
In May of this year, companies that do business in the EU will have a new set of rules to comply with: the General Data Protection Regulation (GDPR). This is a broad and significant regulation that impacts all organizations that process personal data of people who reside in the EU — regardless of the organization’s location. Because of its broad scope and the significant penalties that can be incurred for failing to meet its requirements, the GDPR is something that all companies need to be aware of, and many companies will need to adjust how they do business in order to comply.
For context, in 1995 a set of regulations called the Data Protection Directive was implemented to address, in part, privacy rules. The new GDPR creates a unifying law across the EU which increases data subject rights, strengthens the obligations of companies to protect those rights, and extends the power of the Data Protection Authorities to enforce the protection of those rights. By creating this regulation, the EU Parliament has updated a 20-year-old law and made it a consistent standard across the entire EU, ensuring that Controllers (those who determine the purposes and means of processing personal data) and Processors (those who process personal data on behalf of a Controller) have a single regulatory body to which they are held accountable for these requirements.
The creation of the GDPR took years to get through the EU Parliament, partly because of the difficulty of aligning the many member nations’ perspectives on the proposed rules. The final language of the regulation was signed off in May of 2016, and there has been a two-year period during which companies put into place the changes necessary to comply with the new regulation. This period ends on May 25, 2018.
Are you impacted?
As noted above, the GDPR applies to all companies that process personal data of people who reside in the EU, “regardless of whether the processing itself takes place within the Union” (Recital 22). Many businesses within the United States (and other regions of the world, of course) do business with people in the EU. A key aspect here is the identification of personal data. Personal data, in this regulation, is defined as:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Article 4).
If, for any reason, you maintain personal data, you should review your business model and your systems to determine whether you are processing or controlling personal data that would require GDPR compliance. If the activities for which you are collecting or using personal data are related to offering goods or services to EU citizens (irrespective of whether payment is required) or to monitoring behavior that takes place within the EU, then you will be responsible for complying with the regulation. You may be required to modify your processing or storage of personal data whether you are a Controller or a Processor. Similar to the US HIPAA requirements, the responsibilities differ between the two roles, but the Controller assumes a greater level of responsibility, including vetting its Processors and assessing their compliance.
What do you need to do to comply?
The standards for GDPR compliance are high, and in some cases will require significant changes to how business is typically done in the United States. For example, to comply you must:
- Obtain clear, explicit, and unambiguous consent from the individuals regarding the use of their personal data (including the positive affirmation of the consent, and understanding of the proposed use of the data). Note: if the purpose for which the data will be used changes, new consent may be needed.
- Be able to provide your data subjects with copies of the data being retained about them.
- Ensure that each user’s age is captured and obtain all necessary additional consent to use the data. (Children under the age of 16, and in some countries possibly 13, may need parental consent as well.)
- Have a means by which an individual may request to be ‘forgotten’ and by which your firm can comply with this request in a timely fashion (because the initial purpose for the data collection and processing no longer requires the personal data, because consent has been withdrawn, because the legal retention period has expired, because of an objection to the use of the data, or because the use violates the GDPR).
- Be able to transport the data effectively between data controllers at the request of the individual identified by the personal data.
- Be able to quickly (within 72 hours) report any breach to the appropriate supervisory authority.
- Identify a Data Protection Officer (DPO) to act as the primary point of contact and responsible party for your firm’s compliance efforts.
These and many other requirements may cause significant changes in how you process or control data, both for yourself and possibly for other companies. The changes you may need to make, the data you may need to collect, and the processes by which you obtain, process, store, report on, and dispose of data may all need to be reviewed and revised. The EU Parliament provided a two-year period during which this effort could be done, but that period is ending soon, which brings up the key question…
Are you ready?
This is the million dollar question — are you ready? Are your systems capable of supporting these new requirements? Are processes in place to ensure that all required escalations, verifications, and internal audits are carried out to confirm compliance with the GDPR?
Many companies are not. Some companies have clients in the EU but believe that they fall outside of the EU GDPR requirements. Some companies process data for other firms and assume erroneously that they have no responsibility for the data. And some organizations buy data regarding people around the world and have no system in place to ensure they can “forget” an individual’s personal data when required to do so.
Is this you?
What if you’re not ready by May 25, 2018?
If your organization is found to be non-compliant with the GDPR, you are subject to significant fines and penalties. You could face fines of up to 4% of your annual global revenue or €20 million (whichever is greater). While this is the maximum fine, you could face tiered penalties (e.g., you can be fined 2% for not having your records in order, for not notifying the supervisory authority and the data subjects about a breach, and even for not conducting an impact assessment). The key here is to identify your responsibilities under the GDPR, identify how you will close any gaps, and get moving. It is clear that the EU Parliament views this as a significant priority, and that it will be looking carefully at firms that have data breaches to ensure that they comply with the Regulation. Firms that are found to be non-compliant will likely face serious fines, public outcry, and significant difficulty in regaining public trust. This means that the efforts you take now to comply are a smart investment in avoiding high costs later, given the increased incidence of data breaches.
Essential to building your approach to GDPR compliance is gaining a clear understanding of shared responsibilities across your environments. AWS has established a clear Shared Responsibility Model (AWS Shared Responsibility Model PDF) regarding its role in the storage and processing of data, and the standard AWS Business Associate Addendum (BAA), intended for HIPAA compliance, may help outline the responsibilities of data Processors as opposed to Controllers. As an AWS Advanced Consulting Partner with extensive experience in AWS cloud environments, nClouds acts as a Processor for our clients’ data, and can help implement solutions in AWS that address security, alert response, and management. However, recognize that much of the responsibility under the GDPR is shouldered by the Controllers, i.e., the creators and users of the applications that run in your environments.
In our next GDPR-related post we’ll dive into how the Shared Responsibilities Model separates what the Data Controller is responsible for managing, what the Data Processor can be responsible for, and what organizations like nClouds can offer to help with GDPR compliance.
In the meantime, are you on AWS? Do you need help with GDPR? Contact us.