IT Insights - GDPR Explained


IT Insights The Privacy Race: GDPR Explained

Companies worldwide are fighting to keep up with the shifting regulations that safeguard our personal data.

THE WORLD IS ESSENTIALLY A GLOBAL NETWORK for data transmission, which makes identifying and securing personal information even more difficult. For decades, professionals have implemented a multitude of risk-based or security-focused frameworks to manage and protect their environments. The newest one keeping professionals abuzz with questions is the General Data Protection Regulation (GDPR). GDPR may be the most impactful data protection legislation in Europe in more than 20 years. Though the regulation is written to protect individuals in the EU, it will affect many US companies.

Companies that do business in the European Union (EU) will need to comply with GDPR to avoid hefty fines and penalties. The regulation applies from 25 May 2018, but planning should start now. Complying with this law will necessitate changes you may not be anticipating, and these changes will take time, money and effort to implement.

What Exactly is GDPR?

GDPR IS THE LATEST EFFORT to strengthen and harmonize data privacy law across the EU. The preceding EU data protection law was the 1995 Data Protection Directive (95/46/EC); times have changed so significantly since its adoption that it was in dire need of an overhaul, and GDPR is the result. GDPR does not veer from the original goals of the 1995 directive, but it institutes many new obligations to address today's data-driven landscape. One of the biggest changes is GDPR's expanded territorial scope. The directive applied mainly to organizations established in EU member states; GDPR also reaches organizations outside the EU. Any organization, wherever it is located, that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior must comply. Note that the test is where the individual is, not their citizenship.



Key Changes

SOME OF THE KEY CHANGES include:

• Increased penalties for noncompliance. Entities that do not implement the required changes can be fined up to €20 million or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher.
• Breach notification deadlines. A personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to individuals. When the risk to individuals is high, the affected individuals must also be informed without undue delay.
• More control for individuals over their personal and sensitive data. They have the right to have their data erased (the "right to be forgotten"); the right to access their data and to be told when, how and where it is being used; and the right to have inaccurate information corrected.
• A mandatory Data Protection Officer (DPO) for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. The DPO may be a staff member or a person external to the organization, and their role is to ensure that the company is effectively monitoring its own compliance. This reflects GDPR's shift away from the 1995 directive's general duty to notify supervisory authorities of processing activities, which had been a clunky and burdensome constraint, toward internal accountability.

How Will This Affect You?

GDPR WILL IMPACT any company that controls or processes the personal data of individuals in the EU. Where your company is headquartered is of no consequence: if you offer goods or services to, or monitor, people in the EU, or show the intent to, you must comply with the regulation. Intent is judged from the facts. GDPR's Recital 23 names factors such as using an EU language or currency, so something as simple as a Euro (€) price option on your website counts as evidence that you are marketing to EU customers. GDPR also makes you accountable for your security: you will need to be able to demonstrate to a regulator that the measures you have in place are adequate, not merely assert it. Even though this regulation is stringent, complying with GDPR will only help your organization. Yes, it may require significant changes to your existing data security framework, but if the result is a more secure system, isn't that a good thing? What's more, the changes required will result in more mature internal procedures, which makes it more likely that you will reduce the cost of an incident, should one occur.

Will You Need to Comply With GDPR? Example Scenarios

An organization based in Dallas, Texas, has global operations. It advertises in European markets and accepts payment in multiple currencies, including the Euro.

This organization will likely need to comply with GDPR: it is offering goods or services to people in the EU.

An organization based in Los Angeles, California, has operations in Europe and employs people who live in the EU.

This organization will likely need to comply with GDPR: it has an establishment in the EU, and the personal data of its EU-based employees is in scope.

A community bank based in San Antonio, Texas, provides lending and mortgage solutions to the regional area. A citizen of an EU country obtains a loan to purchase a home in Texas.

This organization may not need to comply with GDPR, since it does not offer its services to, or monitor, people in the EU. The borrower's nationality alone does not bring the bank into scope.


Creating an Action Plan

GDPR MAY SEEM a bit intimidating at first, but complying with this law has the added benefit of improving your data security measures. Start with this three-part plan:

Part 1 – Assess Yourself

Before you begin making changes to your existing policies, perform a thorough self-examination of your current security practices. Ask yourself some of these questions:

• What kinds of customer/client/employee data do we collect?
• What is the typical lifecycle of the data that we collect?
• Are our customers truly aware of how their data is being used?
• Once we have collected the data, who controls it?
• What data do we share with third parties?
• How are we ensuring that third parties handle the data up to our (and GDPR's) standards?
• If a breach were to occur, what plans do we have in place to inform the regulator and the affected parties?
• If regulators require evidence that we are compliant with GDPR, are we confident that we could provide that evidence?

Your responses can help you determine to what extent you must comply.

Part 2 – Protect Yourself

The core of GDPR lies in protecting the data itself. Here are some techniques you can implement to protect yourself and the data that you control.

PROTECTING YOUR DATA

• Familiarize yourself with the requirements for international data transfers.
• Safeguard the data that you control. Encrypt it, and where you do not need to work with identified individuals, anonymize it or use the technique GDPR defines as "pseudonymization" (Article 4(5)): identifiers are replaced with tokens, and the additional information needed to reverse the mapping is kept separately under its own controls. Keep the distinction in mind: pseudonymized data is still personal data and remains subject to GDPR; properly anonymized data is not.
• Only keep the data that you absolutely need, and delete the rest.
• Require that third parties who access your data comply with the standards you set, and put that requirement in writing.
• Provide training to your employees on the importance of data security and explain why your particular procedures are in place.
• Update (or create) and document data breach and data privacy policies and procedures, and make sure that everyone in the organization is aware of them.
• Define the roles and responsibilities of those inside and outside your organization who will implement, operate and maintain your security protections day to day.
• Ensure that data subjects can exercise their rights to access, correct or delete their data from your systems when they request it.
• Keep records of all of your data processing activities so that you can self-audit, and so that you can reconstruct what happened in the event of a breach.
• Allow your data subjects to object to direct marketing, including any profiling done for direct marketing.
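The difference between pseudonymization and anonymization is easier to see in code than in prose. The following is an added example written for this page, not code from Weaver or from any GDPR guidance; the field names, the sample records and the key handling are all constructed for illustration. It tokenizes direct identifiers with a keyed HMAC so that records about the same person can still be joined, keeps the key and the token-to-identity index separately (the "additional information" of Article 4(5)), and contrasts that with an irreversible anonymize step.

```python
"""Pseudonymization versus anonymization of customer records.

Added example, not code from the Weaver article. Everything here (field
names, sample records, the demo key) is constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Direct identifiers that get replaced. The remaining fields are kept as
# business data, but some of them (postcode, birth year) are quasi-identifiers
# that can re-identify a person when combined, so anonymize() coarsens them.
DIRECT_IDENTIFIERS = ("email", "name", "phone")

# Constructed sample input. Anna appears twice so the join property is visible.
SAMPLE_RECORDS = [
    {"email": "anna@example.com", "name": "Anna Example",
     "postcode": "75201", "birth_year": 1985, "loan_amount": 250000},
    {"email": "anna@example.com", "name": "Anna Example",
     "postcode": "75201", "birth_year": 1985, "loan_amount": 12000},
    {"email": "bob@example.com", "name": "Bob Example",
     "postcode": "78205", "birth_year": 1972, "loan_amount": 90000},
]


def generate_key() -> bytes:
    """Secret used for tokenization. In practice it lives in a KMS or HSM
    controlled by a team that does not receive the pseudonymized dataset."""
    return secrets.token_bytes(32)


def token(key: bytes, value: str) -> str:
    """Keyed, deterministic token for one identifier (HMAC-SHA256, 128 bits).

    A plain SHA-256 of an email is not useful pseudonymization: anyone holding
    a list of candidate emails can recompute the hashes. With an HMAC the key
    is the separately held information that makes the mapping reversible."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymize(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers replaced by tokens.
    Same person + same key -> same token, so joins across records still work."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = token(key, out[field])
    return out


def build_reidentification_index(records, key: bytes) -> dict:
    """(field, token) -> original value. Held by the key owner, never shipped
    with the pseudonymized dataset; needed to serve access/erasure requests."""
    index = {}
    for rec in records:
        for field in DIRECT_IDENTIFIERS:
            if field in rec:
                index[(field, token(key, rec[field]))] = rec[field]
    return index


def reidentify(pseudo: dict, index: dict) -> dict:
    """Restore identifiers from the separately held index."""
    out = dict(pseudo)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = index[(field, out[field])]
    return out


def anonymize(record: dict) -> dict:
    """Irreversible: drop direct identifiers and coarsen quasi-identifiers.

    This is the simplest form of the technique. Whether the result is truly
    anonymous (outside GDPR) has to be judged on the whole dataset, e.g. by
    checking that every postcode/decade combination covers several people."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "postcode" in out:
        out["postcode"] = out["postcode"][:2] + "***"  # region only
    if "birth_year" in out:
        out["birth_decade"] = f"{(out.pop('birth_year') // 10) * 10}s"
    return out


if __name__ == "__main__":
    key = generate_key()
    pseudo = [pseudonymize(r, key) for r in SAMPLE_RECORDS]
    index = build_reidentification_index(SAMPLE_RECORDS, key)
    for p in pseudo:
        print(p)                      # tokens instead of email/name
    print(reidentify(pseudo[0], index) == SAMPLE_RECORDS[0])  # True, with the index
    print(anonymize(SAMPLE_RECORDS[0]))   # no identifiers, coarsened quasi-identifiers
```

The design choice worth noting is the split: the analytics team gets the pseudonymized records, the key and the index stay with a separate owner, and an erasure request is served by deleting the index entry and the source record, after which the tokens in the analytics copy no longer point at anyone.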



Part 3 – Check Yourself

Take advantage of GDPR's Data Protection Officer (DPO) role, whether the regulation requires you to appoint one or you do so voluntarily. A quality DPO can be the first line of defense against new compliance risks as they arise. The DPO is required to monitor compliance with GDPR and alert the necessary parties within the company when they find a weakness. DPOs are also in charge of training employees on data protection measures, maintaining policies and procedures, acting as the liaison between the company and supervisory authorities, and handling concerns raised by data subjects. Your DPO can also help you perform a data protection impact assessment (DPIA) for high-risk processing and periodically re-check that your company is still in compliance with GDPR. When it comes to data, just remember: assess yourself, protect yourself, check yourself.

GDPR Action Plan

1) ASSESS YOURSELF

2) PROTECT YOURSELF

3) CHECK YOURSELF

The Road to Compliance

WHILE COMPLYING WITH GDPR may prove to be a challenge, it is not without reward. In the end, knowing how to safeguard personal data will not only be good for those whose data you control, but can give you a competitive advantage over your US counterparts who have not yet made the investment to implement the framework. Working with an independent advisor to gain added insight into your environment can amplify the operational and competitive benefits even more.

CONTACT US

Neha Patel, CPA, CISA, Partner, IT Advisory Services, neha.patel@weaver.com
Brian Thomas, CISA, CISSP, QSA, Partner, IT Advisory Services, brian.thomas@weaver.com
Reema Parappilly, CISA, Partner, IT Advisory Services, reema.p@weaver.com

Weaver's IT advisory services group focuses on delivering performance-enhancing consultations that address your IT and business agendas. We work directly with CIOs and others to create a more risk-aware, effective IT organization that can drive process efficiencies throughout your company and better support and deliver transformational business change. Specific services we provide include:

• Application controls review
• Business continuity/disaster recovery
• Cloud computing assessment
• Data analytics
• Data privacy
• Information security and vulnerability assessment
• ISO 27001 reviews
• IT audit
• IT governance and organizational effectiveness
• IT risk assessment
• Pre- and post-implementation application reviews
• System and Organization Controls (SOC) reporting

Disclaimer: This content is general in nature and is not intended to serve as accounting, legal or other professional services advice. Weaver assumes no responsibility for the reader’s reliance on this information. Before implementing any of the ideas contained in this publication, readers should consult with a professional advisor to determine whether the ideas apply to their unique circumstances. © Copyright 2018, Weaver and Tidwell, L.L.P.

www.weaver.com | 800.332.7952

