GDPR and Data Security: What You Need to Know
This is the third post in our series to help businesses prepare for the EU General Data Protection Regulation (GDPR). To learn more, see our previous posts, “What GDPR Means for B2B Marketers” and “Does My Company Need a DPO for GDPR Compliance?”
In case you haven’t heard, a major change is coming to the European Union on May 25, 2018, and it will affect companies around the world. With the General Data Protection Regulation (GDPR), the EU is ushering in a new era of privacy and security reform to better protect its residents. If your organization has even one customer or employee who resides in an EU member country, then the GDPR applies to you.
Some of the biggest differences between GDPR and the regulation it replaces (Data Protection Directive 95/46/EC, established in 1995) reside in the area of data security. Think about how much the online environment has changed since 1995 and you can easily understand why the EU Commission felt a new approach was needed.
To help you prepare for the May 25 deadline, we’re highlighting some of the most important data security aspects of the regulation.
Data Controllers vs. Data Processors
Before we explore details about GDPR’s security requirements, it’s important to understand how the regulation treats data controllers versus data processors.
According to the GDPR official website,
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
So, for example, if you buy clothing from an online retailer, that retailer has gathered personal data about you (your name, email, physical address, etc.). The retail organization has control over how that data is processed; therefore, they are the data controller. The same retailer may utilize a cloud-based service for storing customers’ data, or it may use a third-party software-as-a-service for its invoicing. The vendors of these services process the data but do not control it; therefore, they are the data processors in this scenario.
Since True Influence does not originate data, but rather aggregates it from our partners, processes it, and then delivers it to our customers, we are classified as a data processor under GDPR.
GDPR and Data Security Processes
Part of the rationale behind GDPR is ensuring that companies handling the personal data of EU residents provide adequate levels of security to guard against hacks and breaches. Article 32 of the legislation states that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
The article goes on to offer the following specific actions:
- Encryption and pseudonymisation of personal data
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of data processing services and systems
- Ability to restore access to personal data promptly in the event of “a physical or technical incident”
- A process for regular security testing
Data Breach Notification
Unfortunately, data security breaches are common occurrences in today’s online environment, and the EU wants to ensure that both the proper authorities and the affected data subjects are notified of serious breaches as quickly as possible.
The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This definition is significantly broader than the data breach laws of most U.S. states, which typically apply only in cases involving specific information that could be used for fraud or identity theft.
Notifying Supervisory Authorities
Under this regulation, data controllers are required to report any personal data breaches to the appropriate supervisory authority within 72 hours. Data processors are not required to notify supervisory authorities of breaches, but they must notify data controllers “without undue delay.”
Article 33(1) of GDPR does provide an exception to this requirement for cases in which “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
Notifying Affected Data Subjects
If a personal data breach “is likely to result in a high risk to the rights and freedoms of natural persons,” the data controller must notify the affected data subjects “without undue delay.”
Article 34(3) of GDPR states that this action will not be required if any of the following applies:
- The data controller has implemented measures which “render the personal data unintelligible to any person who is not authorised to access it, such as encryption”
- The controller has taken measures to ensure that the risk to data subjects’ rights and freedoms “is no longer likely to materialise”
- Complying would involve disproportionate effort, in which case the controller may issue a public communication
Data Security by Design and by Default
When organizations design or implement new systems, security is often an afterthought, something to be tacked on just before a launch. The EU wants to change this and ensure that companies are building in data security during the planning process for any system that handles personal data.
Article 25 of the GDPR requires that data controllers must, “both at the time of the determination of the means for processing and at the time of the processing itself,” implement measures for protecting personal data. Controllers must also implement measures ensuring that, by default, they only collect and process the personal data that is necessary for each purpose. This requirement applies to:
- The amount of personal data collected
- The extent of the processing
- The time period of storage
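As an added illustration (not code from this post or from True Influence), here is how a controller could hand a processor a minimised, pseudonymised data set in the spirit of Article 25 and Article 32 above: direct identifiers are replaced with keyed HMAC pseudonyms, the key and the re-identification table stay with the controller, and the processor can still carry out its aggregation purpose without ever seeing a name or email. The sample records, the field names and the key handling are constructed assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed sample records, as a controller (say, an online retailer) might hold them.
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.org", "city": "Lyon", "phone": "+33 1 00 00 00 00"},
    {"name": "Bob Sample", "email": "bob@example.net", "city": "Lyon", "phone": "+33 1 00 00 00 01"},
]
DIRECT_IDENTIFIERS = ("name", "email", "phone")  # assumed set of fields to strip


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym. Without the key the value cannot be recomputed,
    so a leaked pseudonymised set cannot be matched against a list of candidate
    emails the way a plain unkeyed hash could."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_for_processor(records, key, purpose_fields):
    """Art. 25 minimisation plus Art. 32 pseudonymisation: the processor receives only
    the fields needed for its purpose, keyed by a pseudonym instead of the identity.
    Returns (processor_view, reidentification_table); the table stays with the controller."""
    processor_view, lookup = [], {}
    for rec in records:
        pid = pseudonym(rec["email"], key)
        lookup[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        processor_view.append({"id": pid, **{f: rec[f] for f in purpose_fields}})
    return processor_view, lookup


def customers_per_city(processor_view):
    """The processor's purpose: aggregate records without access to identities."""
    counts = {}
    for rec in processor_view:
        counts[rec["city"]] = counts.get(rec["city"], 0) + 1
    return counts


def reidentify(pid, lookup):
    """Only the controller, holding the lookup table, can reverse a pseudonym."""
    return lookup.get(pid)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # hypothetical: kept by the controller, never shipped with the data
    view, table = pseudonymise_for_processor(CUSTOMERS, key, purpose_fields=("city",))
    print(view)
    print(customers_per_city(view))
    print(reidentify(view[0]["id"], table))
```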
For companies that do business with EU residents, personal data security must become a top priority if they are to comply with GDPR. Avoiding possible fines is an obvious incentive, but it’s also important to consider the business implications for your organization.
GDPR’s data security requirements represent a higher standard for data security than what we currently see in the marketplace. If you can truthfully state that your data protection systems are GDPR compliant, you send a message that your organization takes the privacy and security of personal data seriously. You tell potential customers and business partners that, in today’s dangerous online world, you are meeting the highest standards to ensure that their information is safe and secure. And that’s a selling point that hits home in any country.