The European Union’s General Data Protection Regulation (GDPR) was adopted in 2016 and applies from May 25, 2018. That may not feel soon to some, but given the complexity and nuances of the regulation, that date really is just around the corner.

Know Your Data

Many organizations in Europe are already requesting more insight into the GDPR to help them avoid the substantial potential penalties for violating its requirements: administrative fines of up to 20 million euros or 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher.

Countless organizations outside the EU, however, are completely unaware that the GDPR may also apply to them. Why? Because the GDPR applies not only to businesses established in the EU, but to any business, wherever it is located, that offers goods or services to individuals in the EU or monitors their behavior, and therefore holds Personal Data about them. Fortune 500 businesses and others, beware.

Begin your education now! Learn what you need to know, think about what the regulation means, consider its implications and prepare your business for success.

Data Subjects, Controllers and Processors

Per the GDPR, Data Subjects, which include end users, customers and employees, among others, have the right to lodge a complaint with a supervisory authority and to seek compensation in court if their Personal Data is not processed in compliance with the GDPR. Further, EU regulators have the right to impose the huge fines described above for violations.

Data Protection is a key concern for businesses, and the GDPR creates more obligation and liability for Data Processors as well as Controllers. For these reasons, it’s important to consider some general Data Protection best practices to help think through the activities Data Controllers and Data Processors will need to adopt to prepare for the GDPR, including the who, what, when, where and how of Personal Data.

Read the Interactive Solution Brief: Ready, Set, GDPR

Three Goals of the GDPR

Before we talk about requirements, let’s set the context by considering the very important goals of the GDPR and clarify what is meant by Personal Data. The GDPR’s three main goals are:

  1. To ensure protection of the fundamental privacy rights of Data Subjects (e.g., ensuring the security and confidentiality of Personal Data, but also ensuring proper notice, choice, right of access, rectification and erasure, just to name a few);
  2. To update the privacy laws so that they reflect and keep pace with the way the technology landscape has changed over the last 20 years; and
  3. To unify the 28 disparate privacy laws of the EU member states.

Within that framework, Personal Data is any information relating to an identified or identifiable individual. It can be any data related to you: identifiers such as names and ID numbers; online identifiers and location data; biometric and genetic data; physical, physiological and mental health data; economic, cultural and social information; and data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership or sexual orientation (the GDPR treats these last categories as special categories that attract extra protection); and more.

Data Protection Requirements

People and businesses are now paying avid attention to the GDPR requirements because of the heavy fines that go along with violating the regulation. Below, I will focus on some key requirements for processing Personal Data:

1. Condition for Consent

Consent is one of the lawful bases on which a Controller may process Personal Data (the others include performance of a contract, a legal obligation and the Controller’s legitimate interests). Where a Controller relies on consent, it must be freely given, specific, informed and unambiguous, and the Controller must be able to demonstrate that each Data Subject actually gave it. Data Subjects have the right to withdraw their consent at any time, and withdrawing must be as easy as giving it. Consent is limited to the specific purposes stated when it was obtained; it doesn’t apply more broadly, and processing for those purposes needs to cease once they have been fulfilled or the consent is withdrawn.

Data Subjects also have the right to be told, at the time their data is collected, who the Controller is, what the purposes and lawful basis of the processing are, who will receive the data and how long it will be kept, and the Controller (and any Processor acting on its behalf) needs to be able to produce this information on request.

2. Right of Access and to Obtain a Copy of Their Data

Data Subjects have the right to ask a Controller whether Personal Data about them is being processed and, if so, to receive a copy of it together with an explanation in plain and simple language; where the request is made electronically, the answer should be provided in a commonly used electronic form. That explanation should describe what Personal Data is held, the purposes of the processing, the categories of Personal Data involved, who it has been or will be disclosed to, how long it will be retained and where it was obtained from. The Controller, not the Data Subject, is responsible for assembling all these details, and it must do so without undue delay and at most within one month of the request.

3. Right to Erasure

Data Subjects have the right to request the erasure of their own Personal Data if certain conditions are met: for example, if the data is no longer needed for the purpose it was collected for, if they withdraw the consent on which the processing was based, if they object to the processing and no overriding grounds exist, or if the data was processed unlawfully. The right is not absolute; a Controller may decline where it is legally obliged to retain the data or needs it to establish or defend legal claims. Where the request is valid, the Controller should carry out the erasure without undue delay, inform any recipients to whom the data was disclosed, and be able to document that the Personal Data was removed. This gives the Data Subject real control over whether their Personal Data continues to be used. This right only applies to the Data Subject’s own information.

4. Right to Rectification, Right to Object and Profiling

Data Subjects have the right to request that the Controller correct their Personal Data if it is inaccurate or complete it if it is incomplete. Data Subjects also have the right to object to processing based on the Controller’s legitimate interests, including profiling, and an unconditional right to object to processing for direct marketing. In addition, they have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them; the regulation is especially concerned with profiling that has the effect of discriminating against individuals on the basis of race, ethnic origin, political opinions, religious beliefs, sexual orientation, trade union membership, health or genetic status.

The GDPR Brings Big Changes

In addition to the above requirements, the GDPR also includes some big changes of which organizations should be aware. All of them will have a significant impact on organizations preparing for May 2018.

Some of the biggest changes and innovations include: the Data Breach Notification requirements (notifying the supervisory authority within 72 hours of becoming aware of a breach, and the affected Data Subjects without undue delay when the breach is likely to result in a high risk to them); the obligatory appointment of a Data Protection Officer for public authorities and for organizations whose core activities involve large-scale systematic monitoring or large-scale processing of special categories of data; the obligatory Data Protection Impact Assessment for processing likely to result in a high risk to individuals; the new obligations that apply directly to Data Processors; and the obligatory use of Data Protection by Design and by Default.

For clarification purposes, Data Protection includes both Privacy and Security. Therefore, Data Protection Impact Assessment means both Privacy Impact Assessment and Security Impact Assessment, and Data Protection by Design and by Default means both Privacy by Design and Security by Design, with the most protective settings applied unless the Data Subject chooses otherwise.

Get Educated

To be in a position to meet the GDPR requirements, organizations should start getting educated now. Some requirements are relatively simple to meet, but others, such as enabling systems to support the right to be forgotten across every data store, backup and downstream recipient, will be more difficult to achieve because they require business process changes as well as technical ones.

Beginning the education process and starting to think through how and what it will take to meet the GDPR requirements should be the first logical step on the path toward embracing the GDPR.

Organizations should assess their Personal Data landscape, including where it is stored and how it is accessed, and gain a better holistic understanding of the GDPR requirements. Only then can they move forward and begin considering which technologies they will need to install to support the GDPR. Then they can determine what their deployment road map will need to look like to successfully prepare for May 2018.

