The General Data Protection Regulation (GDPR), which came into effect on 4 May 2016, is the latest EU regulation dealing with data security. This intensely contested and embattled regulation introduced the most significant data protection framework in the more than 20 years since the original publication of the data protection directive in 1995. The result will be noteworthy changes to the rights of the individual with respect to how data is protected, maintained, and ultimately destroyed.
The regulation’s greatest benefit is the responsibility it places on businesses and data processors to implement a standardized level of capability to respond to potential cybersecurity breaches, including data loss detection, incident response management, and ultimately, if necessary, robust client notification requirements.
What You Need to Know
- Whom It Affects: The remit of the GDPR is vast, with considerable implications for businesses across Europe, and for businesses worldwide that process data on European citizens. This extraterritorial reach has never previously been applied to data, and will give legal counsel significant food for thought when assessing the risk and liability arising from client data losses, both accidental and as a result of an external cybersecurity compromise. Failing to comply has grave consequences not only for the bottom line, but also in relation to the complexity of implementing additional systems and platforms to continuously adhere to the various stipulations.
- Obligations: The GDPR introduces rights of objection, meaning that companies must now clearly inform the data owner of their data protection rights at the first point of contact, i.e. at the point of signing up for a new service. Organizations with online services must provide an automated mechanism for users to object to their data being processed, and are required to implement a mechanism through which data ceases to be processed while any complaint is considered, a technical measure that will require significant investment for most online systems underpinning corporate business platforms. These complaints may ultimately result in the need for the data to be erased, typically within a 30-day period, which again proves a challenge for most online systems where personal data is aggregated or forms a component of a larger data fusion activity.
Most relevant to the cybersecurity community are the enhanced regulation elements present in the GDPR pertaining to the roles and responsibilities of data controllers in the event of a suspected or identified data breach. These responsibilities include mandatory notification of both the national supervising authority (e.g., the ICO) and in many instances the data subject (e.g., the individual) in a time frame not to exceed 72 hours.
- Exemptions: The regulation lays out specific exemptions with respect to the requirements on particular data processors, for example for the purposes of law enforcement or national security. The revised regulation lays out in more depth what is considered sensitive or “special” data, classifying biometric, health, or genetic information as requiring special handling considerations. In addition, the law specifies greater obligations regarding the provision of consent, including the evolution to a standard where consent must be obtained explicitly, rather than previous incarnations where consent was “assumed” by default by many organizations.
Questions to Consider
- Do you have a dedicated incident response team established?
- Does this team include senior management members of each of the relevant business units (e.g., CIO, CISO, HR Director, Legal Director, CFO)?
- Has a response exercise ever been carried out to ensure that the processes are sufficiently well defined and reliable?
- Have you identified a panel of pre-approved external advisors for ad-hoc resource support or specialties that do not exist internally?
- Have you carried out an internal privacy impact review?
- Have you carried out a gap analysis on your existing service provider contracts?
- Have you assessed your current insurance coverage to ensure that it adequately addresses your exposure?
- Have you carried out a data notification review to ensure that you can contact clients and be prepared for any public relations or crisis communications required?
- Have you carried out a review of legal and contractual supplier agreements to ensure that you have placed the necessary contractual obligations on your service providers?
The new regulation places significant focus on ensuring that data protection accountability is designed into systems and processes. This requires businesses to implement significant organizational change, and more crucially, to implement technical controls to demonstrate compliance with the regulation.
The result of the GDPR is that businesses now have a much more significant obligation with respect to data handling and processing. Most medium-size to large enterprises will be obligated to increase their budgets to include the costs of monitoring, managing, and remediating data handling requirements, often moving this from an audit or compliance managed responsibility to a more cross-business function, potentially stand-alone with increased interfaces into the information management and cybersecurity functions, should they exist.