What is the GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).
Why was the GDPR drafted?
The drivers behind the GDPR are twofold:
Firstly, the EU wants to give people more control over how their personal data is used, bearing in mind that many companies like Facebook and Google swap access to people's data for use of their services. The current legislation was enacted before the internet and cloud technology created new ways of exploiting data, and the GDPR seeks to address that. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy.
Secondly, the EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market (the EU estimates this will save businesses a collective €2.3 billion a year).
When will the GDPR apply?
The GDPR will apply in all EU member states from 25 May 2018. Because GDPR is a regulation, not a directive, the UK does not need to draw up new legislation; instead, it will apply automatically. While it came into force on 24 May 2016, after all parts of the EU agreed to the final text, businesses and organisations have until 25 May 2018 before the law actually applies to them.
So who does the GDPR apply to?
'Controllers' and 'processors' of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organization, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing.
Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they're dealing with data belonging to EU residents.
It's the controller's responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
Why is GDPR such a big deal?
Essentially, the principles and core objectives of GDPR are the same as those in the existing 95/46/EC data protection directive currently in force. While there are some new requirements to consider, GDPR represents more of a continuation of existing regulatory intentions, rather than a step change in requirements. The main difference between the existing and new law is what happens when things go wrong.
Regulators, also known as supervisory authorities, in charge of data protection wield a number of hefty sticks with which to enforce the new regime under GDPR. These include (but are not limited to):
- Substantial fines for non-compliance, up to 4% of global annual revenue
- Mandatory breach notification within 72 hours, which could affect company reputation
- The right of data subjects to be represented by a third-party body in the pursuit of a complaint, similar to class action lawsuits
- A suspension of the right to conduct personal data processing (which could severely restrain a company from operating)
Consider the following:
- An employee loses his or her company-issued computer at the airport, and the information on the drive is not encrypted.
- An employee emails a spreadsheet containing customer names and contact details to the company's marketing agency, but accidentally sends it to the wrong email address.
- An unencrypted USB thumb drive with customer details is dropped at the train station.
- A malware attack uses compromised user credentials to get access to the customer database, laying bare millions of customer records.
What do all four have in common?
All are potential data breaches, with a high likelihood of exposing personal data to people who are not authorized to access it.
The net effect of these sanctions is that the processing of personal data now represents a substantial risk to the operations of most businesses. It is the intention of the regulation that these sanctions force a change in behavior towards processing personal data. Companies will have a strong incentive to stop treating personal data protection as a minor issue: it will now feature highly on every company's risk register.
How are companies approaching GDPR?
In many ways, the answer depends on their starting point. Companies that have a strong understanding of personal data throughout the organization, with rigorous data management processes and controls, are generally at a good starting point with regard to GDPR. Companies that have been less focused on personal data and have been loose in their adherence to existing laws will struggle. This starting point is influenced by a number of factors, the main ones being:
Industry: Companies that operate in a regulated industry are generally more prepared for GDPR, mainly because they understand the process of compliance. Even though they may not have an ideal track record with regard to data management, they have a mechanism for reaching compliance. Clearly, those regulated industries that also focus on personal data have an even greater advantage.
Size: Generally speaking, larger firms tend to have more resources to apply to obligations like GDPR and have a greater standard of process and technology maturity.
Location: Some countries in the EU have a robust set of data protection rules that correspond closely with the incoming GDPR. Other countries in the EU have a much lighter data protection regime. These variances also exist beyond the EU. Companies operating predominantly from one country will naturally assume the level of data protection prevalent in that country is what is required. GDPR changes this situation by unifying (to a large but not complete extent) the rules and their application across all EU countries. Extraterritoriality then extends the application of the law globally.
Is GDPR an Obstacle or an Opportunity?
For some companies, GDPR represents the chance to re-architect their information governance regimes, orientating the management of personal data around recognized best practices. The motivation for this could be a desire to operate efficiently and cost-effectively, or even to create competitive advantage by processing customer data appropriately, for example in industries such as banking, retail, telecom and utilities. For other companies, GDPR is a chore, a distraction from other business priorities that must be addressed, but with the minimum effort. Overall, the split between those companies seeing GDPR as an opportunity and those regarding it as an obstacle is remarkably even, almost 50:50 (see Figure 1). But this even spread masks a high degree of variance between industries. There is a world of difference in the approach of companies in regulated industries such as utilities, banking, oil and gas, and telecommunications: these companies tend to be GDPR "Opportunists." In contrast, manufacturing, wholesale trade, transport, media, and (worryingly) education are much more GDPR "Obstaclers."
Is GDPR an IT issue or a legal and compliance concern?
The answer is both, and in fact is broader still. The impact of GDPR is far-reaching, and should involve sales, marketing, HR, lines of business, and, of course, the board. The leadership of GDPR may also then depend on who within a company has the prevailing authority and gravitas, and their vision will influence the company's approach.
Figure 1: Does GDPR represent an opportunity or an obstacle? (Survey question Q1: which of the following best describes your industry's approach to GDPR compliance?)
Technologies required for GDPR compliance
- Modern applications for collecting, storing, and processing personal data
- Data discovery, cataloguing and classifying
- Data loss protection (DLP)
- Data encryption
- Email encryption
- Data breach identification and blocking
- Pseudonymization
- Data portability
- Endpoint security and mobile device management
- Perimeter security
- Cloud storage and sharing services
- Anti-malware
- Application security testing
- Behavior analytics, privileged access management and format-preserving encryption
- Identity and access management
The GDPR – the EU's newly introduced legal framework for the protection of personal data – is now in place, and will be enforced from May 25, 2018. Organizations have less than 11 months to ensure they have appropriate organizational and technological measures in place to ensure compliance. The cost of non-compliance is extremely high in both financial and nonfinancial terms, making the option of doing nothing in response to GDPR invalid.
The Regulation applies to every organization anywhere in the world that controls or processes personal data of EU residents, and the financial penalties regime for organizations found in non-compliance is based on total worldwide revenue, not only on revenue earned within EU member states.
In summary, the major implications that decision makers must consider are:
- Re-examining the data strategy
- A rapid catch-up strategy for non-EU firms
- Organizational and technological collective ownership to address the mandate
Information courtesy: IDC Reports, Osterman Research, Inc., Network Security Magazine
Article written by: Prasad Babu, Enterprise Account Manager, Alpha Data.