If you heard any sound bites from the recent Facebook testimony by CEO Mark Zuckerberg, you probably heard “GDPR” referenced several times. This blog attempts to provide a very high-level overview, briefly summarize the 4 Ws and provide additional details including definitions and implications for IT departments and organizations.
What is GDPR?
- The General Data Privacy Regulation replaces the European Union (EU) 1995 Data Protection Directive as well as many national data protection laws of Belgium, France, Germany, and the United Kingdom.
- GDPR is a single set of laws (over 200 pages) and a single regulatory authority applying to all companies doing business in or with Europe.
- GDPR protects individuals’ data that are managed by businesses including requirements for:
  - Security of personal data
  - Enhanced privacy protections for individuals (including the right to be forgotten)
  - Timely access to requests (30 days)
  - Mandatory personal data breach reporting (72-hour notification)
  - Severe fines for non-compliance (up to 20 million Euros or 4% of group worldwide revenue, whichever is greater)
Who is Affected by GDPR? More than you would think:
- GDPR applies to businesses that sell goods or provide services to people living in the European Union.
- Whereas the earlier directive applied to organizations based on geographical location in one or more EU Member States, GDPR applies to any organization that controls or processes (including collecting or analyzing) EU data, regardless of where the business is located.
When is the Deadline to Comply? May 25, 2018
- GDPR was published on May 4, 2016 with a 2-year transition period between the earlier 1995 Directive and the new Regulation which takes effect on May 25, 2018 for any organization which operates in the EU market.
- Beginning May 25, 2018, organizations will be expected to comply immediately.
Why Should I Care?
- Any company doing business with any other company (including its vendors and customers) that does business with Europe will be impacted.
- GDPR impacts virtually every communication technology including physical and electronic storage, files, photos, media, email, videos, video conferences, backups, etc.
- GDPR has a global impact for data transfers, because personal data cannot be transferred outside of the EU to another country or region that lacks equivalent data protections.
- Companies that want to avoid losing revenue from customers who do business in the EU, or to avoid the potential of severe fines, must adopt both organizational and technical measures and processes to comply with GDPR.
- Complying with GDPR is NOT optional.
Personal data: “any information related to an identified or identifiable natural person”
Data Subject: the natural person identifiable by the personal data
Controller: the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing the personal data (note: this covers both businesses operating in the EU and businesses doing business with companies that operate in the EU).
Processor: a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller (note: this includes MSPs, Cloud Service Providers, etc.).
Personal data breach: a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure.
Data Protection Officer (DPO): a person in your company responsible for all issues related to the protection of personal data.
Right to be forgotten: data subjects have the right to have their personal data erased and no longer processed.
What Processes are Affected?
Because GDPR requires comprehensive control and management over your data, practically every data management process will be affected in some way. The biggest impact will be on Backup and Archive and the biggest challenges will be the right to be forgotten and the requirement to respond to a personal data breach in 72 hours. Below is a starting list of other functions and areas that must be considered:
- Data Classification
- Data Loss Prevention
- Identity Access Management
- Cross-Border Transfer
- Data Portability
Where to Go to Learn More
GDPR is a journey. The first step is to learn and get educated on its implications on your company and especially its impact on IT data processes and controls for personal data. Many major vendors are proactively providing education as well as practical guides and white papers.
For example, Microsoft has an online webinar and a quick, interactive 10-question evaluation to assess your readiness to comply with GDPR. Microsoft brought together Office 365, Windows 10, and Enterprise Mobility and Security into a single solution called Microsoft 365.
Because GDPR is far reaching and mandatory, many organizations are utilizing this as a “forcing function” to reevaluate their overall data protection policies and procedures and/or to upgrade their backup/archive products to incorporate indexing and metadata tags to help prepare for the future and the unknown. For example, CommVault can consolidate discovery, compliance, backup and disaster recovery, archiving and remediation operations under a unified solution. They also provide role-based access to stakeholders across the organization.
For more information on GDPR or help managing your data protection practice, contact Sanity at firstname.lastname@example.org.