The European Union is replacing the patchwork of individual EU countries' privacy laws with a new EU-wide legal framework called the General Data Protection Regulation, or GDPR, by May 2018, that carries stricter rules and stiffer penalties. But regardless of the new law, if you haven't already, Incorporating data protection into your culture is a practice you should adopt.
By May 2018, any company holding data on citizens of the European Union (EU) will face new data privacy rules known as the General Data Protection Regulation (GDPR). The new regulations may produce more compliance headaches for your company as well as strict penalties for non-compliance.
The new legal framework replaces the EU Data Protection Directive and the patchwork of individual EU countries’ privacy laws. For most privacy infringements, penalties for violating certain requirements include fines of €10 million or 2 percent of global annual revenue, whichever is higher. Violating core principles could result in fines of €20 million or 4 percent of global annual revenue, whichever is higher.
The GDPR splits companies into two types: those that process data and those that control it. If you are established in the EU or you offer goods or services to companies or individuals in the EU, you are responsible for complying with the law or potentially facing stiff penalties.
The law applies to any personal information (PI) and in some instances expands the legal definition of PI from previous rules. For example, while Internet addresses were not explicitly considered PI in the previous EU directive, they are now.
What should you do?
You need to become familiar with the GDPR, find out if you need to comply with the regulations, and, if so, plan to meet its requirements. For example, you may need to hire or appoint a data protection officer, make changes to meet stricter security requirements or create a process for notifying of any breach within 72 hours of discovery.
Besides studying the GDPR and determining how it applies to you, security and risk professionals should consider these steps:
1. Incorporate data protection into your culture
Data protection should be part of every company’s culture, not just to meet GDPR requirements, but because it’s a good basic practice. Forgoing data protection will only make the GDPR requirements more onerous. Besides, ignoring your customers’ privacy is not a good long-term strategy. It increases the chance that your business will run afoul of the law or suffer the wrath of angry customers. And there’s always the chance you’ll make headlines in a way you didn’t intend.
2. Put someone in charge
The GDPR requires some businesses to have a data protection officer who is responsible for ensuring that a company is in compliance. The data protection officer may lead impact assessments and maintain mandated documentation, among other requirements.
3. Take only what you need
There’s another way to clear the privacy bar on data: don’t collect it in the first place. If you’re processing or storing PII you don’t need, stop. Minimizing the data you’re collecting means less to protect.
4. Audit, adapt, repeat
Industry news often seems like a roll call of companies that at one time complied with data-protection regulations—HIPAA, SOX, PCI DSS, or GLBA—but still found themselves breached. Testing your applications and infrastructure early and often to make sure they comply with GDPR and any other data protection regulations is good practice. Every change to infrastructure and business processes should be examined to gauge its impact on your company’s compliance.
Regulations like the GDPR highlight the need for you to be familiar with compliance. While 2018 may seem like a long way off, you should start looking at the regulations today.
David Holmes is the world-wide security evangelist for F5 Networks. He writes and speaks about hackers, cryptography, fraud, malware and many other InfoSec topics. He has spoken at over 30 conferences on all six developed continents, including RSA Europe in Amsterdam, InfoSec in London and Gartner Data Center in Las Vegas.
David writes a bi-weekly column at SecurityWeek, and has had the good fortune to write for DarkReading, SC Magazine, Network World and many other computer security magazines and websites. He has three patents pending for F5 and still contributes code to open-source projects such as OpenSSL.
This publication is provided for your convenience and does not constitute legal advice. Customers and prospective customers should seek their own legal counsel on laws or regulations affecting the processing of personal data.