The Facebook and Cambridge Analytica scandal is only the latest in a series of massive privacy breaches affecting people worldwide, leaving them with a slew of questions about the vulnerability of their personal data. In response, the titans of the internet have mostly gone silent. Even with the uproar about how outsiders handle Facebook’s user data, it took CEO Mark Zuckerberg five long days to admit mistakes, falling short in appeasing angry users. But that changes on May 25, at least for consumers in the European Union (EU), as the long hand of the dial ticks back toward the rights of the individual now that the General Data Protection Regulation (GDPR) will restrict how personal data is collected and handled.
For these EU citizen users, it’s mostly about informed consent: ensuring they understand what data is collected about them. “Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it,” according to the GDPR Portal, a site designed to educate the public. A specific focus is data protection for children, requiring parental consent for children up to age 16.
For companies, the in-your-face reality is that it’s mostly about expensive penalties. “Under GDPR organizations in breach of GDPR can be fined up to four percent of annual global turnover or €20 million (whichever is greater).” That’s the maximum fine, but there are also painful lower tiers of fines, including 2 percent for “not having their records in order” (Article 28), for not “notifying the supervising authority and data subject about a breach” or for “not conducting impact assessment.” Because these rules apply to both controllers and processors, cloud providers are not exempt.
Does this Affect Companies Outside of the EU?
Yes, it does. Even though the GDPR’s jurisdiction covers just the citizens of the 28 EU member countries, it also protects their data when that data is processed elsewhere. That means entities outside the EU (media, financial and educational institutions; global corporations like those in the Fortune 500; an extensive range of technology companies, large and small) that gather, store, analyze and use data from EU citizens on websites and apps via the 50 billion internet-connected devices around the world could also be subject to penalty. Essentially, no one is exempt.
But, in reality, no one really knows how enforcement will play out in the U.S., for instance, until that is put to the test. The EU-U.S. Privacy Shield Framework was specifically developed to comply with transatlantic data protection requirements. It “was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.” Regardless of how this law will be enforced, everyone must be ready.
A survey in late 2017 by security compliance firm TrustArc and the International Association of Privacy Professionals found that 84 percent of its U.S. respondents expect to be ready for the GDPR early by May 2. Are you? If not, don’t panic. But, you must act soon. Here are 11 steps to help your business prepare for the GDPR:
1. Assign a Data Protection Officer (DPO)
In the GDPR, Articles 37-39 require a DPO on staff (in addition to any current IT or data security personnel) as the point person for compliance and liability.
2. Educate Your Entire Staff
Anyone in your enterprise who handles data, or who will need to understand or discuss matters in and around data breaches, needs to be educated about the GDPR, including those who interact with new users, maintain CRM systems or perform data entry. Information officers and social media teams also must be educated, as they will be critical if public notification is required. Therefore, have a communication plan in place for such notifications.
3. Detect, Investigate and Report a Breach of Personal Data
Article 33 of the GDPR sets out a specific process for responding to a data breach. Prepare for this important requirement. Within 72 hours (or in phases where necessary), document the data breach, notify the supervisory authority and take the steps below. (The only exception is a breach that is unlikely to result in a risk to the rights and freedoms of individuals; where notification is late, the reasons for the delay must be submitted with it.)
- Describe the nature of the data breach including the categories and approximate number of data subjects and records.
- Communicate the contact details of the DPO or other security staff.
- Describe the likely consequences of the breach.
- Describe the measures taken or proposed to be taken including those to mitigate its possible adverse effects.
4. Conduct an Audit of Your Current Data Security System
Perform an audit and maintain an ongoing inventory to pinpoint where personal data is stored across your infrastructure, including cloud environments and anywhere else assets are held. Also, Article 30 of the GDPR requires all controllers to document all their processing activities: the personal data stored, its origin and with whom it’s shared. One strategy is to deploy a Security Information and Event Management (SIEM) tool, which can monitor suspicious behavior, source IP addresses and other details. Because data stored in the cloud is also under the auspices of the GDPR, be sure your SIEM tool can record that activity too.
5. Review Your Current Privacy Notices
The GDPR replaces the existing EU data privacy legislation, Directive 95/46/EC, and local legislation such as the Data Protection Act (DPA) of 1998 in the United Kingdom, under which businesses, via a privacy notice, provide information such as the intended use when collecting personal data. Under the GDPR there are additional details to share, and the notice must now be written in concise, clear and easy-to-understand language. Also, some individuals’ rights will be modified under the GDPR. Depending on your lawful basis for processing their personal data, you will have to explain and document that basis in your privacy notice.
6. Ensure Your Policies Reflect the GDPR’s Rights for Individuals
7. Review and Update Your Request Procedures
In most cases, you won’t be able to charge for complying with a request, and you’ll have one month to comply, but you can refuse or charge for requests that are manifestly unfounded or excessive.
If you refuse a request, you must explain to the individual without undue delay why, and that they have the right to complain about it or seek judicial remedy.
Here, as in your privacy notice, explain and document your lawful basis.
8. Reset Your Existing Consents Strategy
If you’re using consent as a basis for processing personal data, and your existing consents do not meet the GDPR standard, you need to immediately review how you seek, record and manage consent. Make sure it meets GDPR requirements for being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.
For Google’s part in complying with the GDPR, it will gather direct consent from users of its own assets: Google.com, Gmail and YouTube. But third-party websites and apps that use Google’s ad products to sell their own ads must take responsibility for obtaining their own users’ consent. These publishers can use their own forms and terminology, but Google requests that they keep consent records and offer GDPR-specific, clear instructions for revoking permissions. Additionally, Google plans to offer third-party publishers a tool to deliver non-personalized ads to end users who don’t consent to ad targeting. In doing so, Google will act as the “co-controller” of third-party publishers’ user data.
The IAB, a trade association that counts Google among its members, also has its own proposed solution. It has released a GDPR framework for standardizing how publishers gain consent to process user data on behalf of all ad-tech vendors. This framework will enable publishers to inform visitors what data is being collected, how it will be used and who is using it. (The resulting consent data, by the way, is cleverly called the ‘Daisybit.’) Additionally, the framework accomplishes an important although controversial strategy to collect and use data without consent, by tracking whether ‘legitimate interest’ is employed.
9. Protect Data of Children
Do you have a systemwide strategy to verify ages or to obtain parental or guardian consent? The GDPR establishes special protection for personal data of children under the age of 16, and your system’s verifications must be in place. This particularly focuses on social media and networking.
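To make the consent criteria in step 8 (specific, granular, opt-in, documented, easily withdrawn) and the under-16 rule in step 9 concrete, here is an added example of a minimal consent ledger; it is not code from the original article, nor from Ciklum, Google or the IAB. The purpose names and the age-threshold constant are assumptions for illustration, and the ledger is kept in memory rather than a database.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# Purposes are declared one by one (granular); no blanket "agree to everything" box.
PURPOSES = {"newsletter", "personalised_ads", "analytics"}   # hypothetical purposes
CHILD_AGE_LIMIT = 16   # GDPR default age below which parental consent is required

@dataclass
class ConsentEvent:
    purpose: str
    given: bool           # True = opt-in recorded, False = withdrawal recorded
    at: datetime          # when the choice was made (UTC), for the audit trail
    source: str           # where the choice was captured, e.g. "signup_form_v3"
    by_guardian: bool = False

@dataclass
class Subject:
    subject_id: str
    age: int
    history: List[ConsentEvent] = field(default_factory=list)

class ConsentLedger:
    def __init__(self) -> None:
        self.subjects: Dict[str, Subject] = {}

    def register(self, subject_id: str, age: int) -> None:
        self.subjects[subject_id] = Subject(subject_id, age)

    def _events(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        return [e for e in self.subjects[subject_id].history if e.purpose == purpose]

    def give(self, subject_id: str, purpose: str, source: str, by_guardian: bool = False) -> None:
        """Record an opt-in; a subject under 16 needs a parent or guardian to give it."""
        if purpose not in PURPOSES:
            raise ValueError(f"undeclared purpose {purpose!r}; consent must be specific")
        subj = self.subjects[subject_id]
        if subj.age < CHILD_AGE_LIMIT and not by_guardian:
            raise PermissionError("parental or guardian consent required for under-16s")
        subj.history.append(ConsentEvent(purpose, True, datetime.now(timezone.utc), source, by_guardian))

    def withdraw(self, subject_id: str, purpose: str, source: str) -> None:
        """Withdrawal is one call with no extra hurdles: as easy as giving consent."""
        self.subjects[subject_id].history.append(ConsentEvent(purpose, False, datetime.now(timezone.utc), source))

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """No record means no consent (opt-in only); the latest event for a purpose wins."""
        events = self._events(subject_id, purpose)
        return bool(events) and events[-1].given
```

Because every choice is appended rather than overwritten, the history for a subject and purpose is the documented evidence a supervisory authority can ask for.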
10. Develop a Policy for Privacy and Data Protection
Article 35 of the GDPR requires data protection impact assessments (DPIAs), and it also requires companies to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” Such a policy should include regularly testing your systems to confirm security controls are effective. Potential methods to validate security controls and incorporate them in an ongoing process include manual or automated assurance and consolidating and integrating security tools.
11. Get Help Now With Those Who are GDPR-Compliant
Be sure to work with third-party providers who themselves are GDPR-compliant, such as email service providers, CRM services or marketing and PR agencies.
Protection of our employees’ and clients’ privacy in the course of personal data processing is the cornerstone of the Ciklum Information Security Framework.
If you are wondering how Ciklum assures the privacy of your personal data, do not hesitate to contact our Data Privacy Compliance Team at firstname.lastname@example.org