GDPR Compliance: What Organizations Need to Know

With the General Data Protection Regulation (GDPR) going into effect on May 25th, 2018, companies have less than a year to get ready, and many are starting to panic. Europe has long been a leader in data security and privacy requirements, but the GDPR raises the stakes, with stricter rules, heavier fines and a jurisdictional reach that extends well beyond the EU's borders.

But the new regulations are not as daunting as they seem. Privacy and data protection rules have been getting stricter and enforcement has been getting tougher for years, and most companies are already required to secure business data against hackers and other threats. Here’s why you shouldn’t panic just yet.

GDPR Compliance Overview

The GDPR is a binding set of rules protecting the privacy and personal data of individuals in the EU and in the European Economic Area countries Norway, Liechtenstein and Iceland. It replaces the European Union's Data Protection Directive (DPD) with stricter requirements and a different legal structure.

In European law, regulations are different from directives. A directive like the DPD tells each member state the result it must achieve and leaves it to national law to get there; a regulation like the GDPR is directly binding law in every member state. A GDPR compliance approach that works in one EU country should therefore carry over to the rest of the EU. Each member state still has its own supervisory authority, and the regulation leaves room for some national variations, but the core rules, definitions and penalties are the same everywhere, so the old patchwork of differing national data protection laws largely goes away.

GDPR compliance rules are binding on any organization that collects, stores or processes the personal data of EU residents. That covers data obtained in commercial transactions, such as an individual's name, credit card number and order history at an online retailer, but also non-commercial information, such as the data collected by a free social media account. Organizations that collect EU residents' data are on the hook even if they have no office in the EU.

GDPR compliance requires a range of controls to protect individuals' privacy, secure their data, and let them retain control over what is collected and how it is used. Your goal should be a privacy by design approach, where measures like data anonymization, pseudonymization and encryption are built into the system from the start rather than bolted on. Where you rely on consent, it must be explicit, and individuals have the right to withdraw it, which removes your basis for continuing to hold and process their data unless another lawful basis applies.

Penalties for violating GDPR compliance are very high. Depending on the rule breached, organizations can be charged “fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.” It’s hard to predict exactly how aggressive enforcement will be, but you definitely don’t want to be the one to find out. Time’s tight, and the consequences are no laughing matter. But don’t worry — you got this.

GDPR Checklist: 5 Reasons Not to Panic

1. GDPR is what you’re already doing under compliance requirements.

GDPR compliance will likely require significant investment and retraining, but it shouldn't be brand new. Most compliance regimes already impose strict requirements on how you handle certain kinds of personal data. If you're PCI DSS compliant (which any business that stores, processes or transmits card data has to be) there are strict rules for everything you do with that data: you must render stored card numbers unreadable (typically by encryption or tokenization), confine the data to systems designed and segmented for it, restrict access to as few people as possible, and undergo quarterly external vulnerability scans.

HIPAA compliance likewise imposes rigorous restrictions on Protected Health Information, that is, individually identifiable health information. It makes covered entities responsible not only for their own security but, through business associate agreements, for the security of their partners, and it calls for de-identification or tokenization of data in many cases, such as published studies or patient feedback.

That doesn't mean you're already there. There's a good chance you aren't meeting some GDPR standards even for your most protected data. Many businesses aren't sufficiently transparent about how they handle personal data, for example, and don't give consumers a way to opt out. The GDPR also restricts transfers of personal data outside the EU unless adequate safeguards are in place, which may push you toward data localization and force you to change how data moves through your organization, so that EU data is handled only in the EU, for example.

But it does mean that very little of the new regulation should be alien to your organization. Almost all of it is something you should already be doing for some of your data. Becoming GDPR compliant will require you to scale up protections and safeguard a wider range of data across more of your infrastructure, but you'll be using tools and techniques you already know from other compliance regimes.

2. GDPR is an opportunity to unify your data protection strategy.

For many companies, the hardest and costliest part of compliance isn't the strictness of any one requirement but the sheer range of requirements. A diversified enterprise can easily be subject to half a dozen major compliance regimes plus dozens of state and regional data privacy and security laws it may not even be aware of. Jurisdictional boundaries are complex and haven't been thoroughly tested in court yet, but in principle you are subject to the data protection laws of anywhere you sell a product, even if you don't operate there.

But most organizations are still struggling to implement initiatives for discrete regimes. A manufacturer of high-tech components may put together a SOX compliance taskforce, have a second team struggling to meet ITAR compliance for the avionics division, other teams working to meet 21 CFR Part 11 standards for medical devices, and dedicated initiatives scheduled to adapt business privacy policy to California Online Privacy Protection Act (CalOPPA) and various other privacy regulations.

It’s too much. Any marginal cost benefit you gain by only meeting privacy, security and transparency protections where you’re strictly required to is offset by the crushing complexity of balancing all those different regimes. Sooner or later, you’d need to come up with a more unified way to do it, even without the new laws.

Because GDPR compliance requires such strong protections for so much data, it's the perfect opportunity to create a unified data protection and privacy strategy. That strategy should bring together infosec, data management, legal, governance and compliance staff along with C-suite stakeholders and representatives of the different divisions of your business.

The goal is to apply standards sufficiently rigorous to satisfy all your compliance requirements across your business. For example, rather than having separate governance standards for customer data in Europe, America and other regions, come up with one set of standardized practices and controls that can satisfy requirements everywhere as much as possible.

3. You can use GDPR compliance to position yourself as a consumer advocate.

GDPR has strong personal privacy protections, allowing consumers to choose what they share and what they don't. In most cases, data about EU residents needs to be either removable at the demand of the individual or else anonymized so that it can no longer reveal their identity. These protections also apply to people temporarily in the EU, for example Americans traveling in Europe, although that may not always be enforceable in practice. Organizations can meet GDPR compliance without offering opt-out everywhere, and many will try, but a split approach is more complicated and can create legal conflicts in places like California that have their own enhanced consumer protections.

This will require some changes in marketing, since it restricts the ways your company can use data to target consumers, but tokenization has become sophisticated enough to preserve much of the personalization consumers expect. And organizations that apply the same standards everywhere can do a lot more to win over consumers by touting their protections.

We suggest being explicit about the protections you offer, going beyond what the law requires and telling your consumers about it. Explain how you protect their data, what rights they have, and how strong their security is, and integrate it into your messaging. Apply it within your organization as a differentiator, particularly outside of Europe where those protections aren't required. Consumers everywhere are sick of breaches, and worried about how much companies track them. If you can show your customers that you go above and beyond to protect their data, it tells them that you see them as more than just data and cashflow. That's how you create loyal customers.

4. GDPR compliance will help you decrease other IT security risks.

GDPR compliance rules prescribe strong security protections that can help your whole organization minimize the risk, scope and damage of breaches. Article 32, for example, names pseudonymisation and encryption of personal data as the first of the measures controllers and processors should implement, as appropriate to the risk.

The GDPR defines pseudonymisation as, “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

Essentially, this gives your data two layers of protection. Encryption prevents unauthorized parties from reading the data without the key, which you guard carefully and store apart from the data. Pseudonymization means that if the data is breached, or an insider tries to misuse it, it is much harder to tie particular records to particular people, provided the re-identification information (the key or lookup table) really is kept separately, as the definition requires. Both should be standard security practice anyway, and in many companies they are. By applying them to all consumer data, GDPR compliance pushes everyone else to take this important step.
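As an added example (not part of the original post and not Virtru's code), here is what the pseudonymisation half of that looks like in practice: a keyed token replaces the direct identifier, the token-to-identity table and the key are kept apart from the analytics dataset, and a dictionary attack shows why an unkeyed hash of an e-mail address would not count as pseudonymisation. The records, e-mail addresses and key are constructed for the demo. The encryption layer is not shown; it would be applied to the dataset and to the lookup table under separate keys.

```python
"""Pseudonymisation with the re-identification data held separately.

Added example for this post, not Virtru's code. The records, addresses and
key below are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records: one direct identifier plus the fields an
# analytics team actually needs. Note the mixed-case duplicate for Anna.
RECORDS = [
    {"email": "anna@example.org", "country": "DE", "order_total": 120.50},
    {"email": "bart@example.org", "country": "NL", "order_total": 15.00},
    {"email": "Anna@Example.org", "country": "DE", "order_total": 42.00},
]

# The key is part of the "additional information" that Article 4(5) says
# must be kept separately. Generated in-process for the demo; in practice
# it lives in a key store the analytics environment cannot read.
DEMO_KEY = secrets.token_bytes(32)


def _normalise(identifier: str) -> bytes:
    # Trim and lower-case so the same person always maps to the same token.
    return identifier.strip().lower().encode("utf-8")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed token (HMAC-SHA256) for a direct identifier.

    Same identifier + same key -> same token, so analysts can still join
    records per person. Without the key the token can be neither recomputed
    from a guessed identifier nor reversed.
    """
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def unkeyed_digest(identifier: str) -> str:
    """What NOT to do: a plain hash of the identifier, kept for contrast."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Split records into an analytics dataset and a re-identification table.

    The dataset carries only the token. The table (token -> e-mail) belongs
    with the key, in the separately controlled store, never next to the data.
    """
    dataset: List[dict] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        lookup[token] = _normalise(rec["email"]).decode("utf-8")
        dataset.append({"subject": token,
                        "country": rec["country"],
                        "order_total": rec["order_total"]})
    return dataset, lookup


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Only the holder of the separate table can attribute a row to a person."""
    return lookup.get(token)


def dictionary_attack(token: str, candidates: List[str],
                      digest_fn: Callable[[str], str]) -> Optional[str]:
    """An attacker who can guess the input space (a leaked mailing list, say)
    runs every candidate through whatever digest function is available to
    them and compares. Succeeds against unkeyed hashes, fails against HMAC
    unless they also hold the key."""
    for cand in candidates:
        if hmac.compare_digest(digest_fn(cand), token):
            return cand
    return None


def erase_subject(dataset: List[dict], lookup: Dict[str, str],
                  email: str, key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Consent withdrawal / erasure: drop the mapping AND the rows.

    Dropping only the mapping is not enough: anyone holding the key can
    recompute the token from the e-mail address and re-link the rows."""
    token = pseudonym(email, key)
    lookup.pop(token, None)
    return [row for row in dataset if row["subject"] != token], lookup


if __name__ == "__main__":
    data, table = pseudonymise(RECORDS, DEMO_KEY)
    print("analytics rows:", data)
    print("re-identified first row:", reidentify(data[0]["subject"], table))
    guesses = ["carol@example.org", "anna@example.org", "bart@example.org"]
    print("unkeyed hash reversed:",
          dictionary_attack(unkeyed_digest("anna@example.org"), guesses, unkeyed_digest))
    print("keyed token reversed:",
          dictionary_attack(data[0]["subject"], guesses, unkeyed_digest))
```

The point of the `dictionary_attack` helper is the common pitfall: hashing an e-mail address with plain SHA-256 looks like pseudonymisation but is reversed in seconds by anyone with a list of plausible addresses, so the "additional information" that makes the data non-attributable must be a secret key, not just the algorithm.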

GDPR Article 32 also requires organizations to ensure:

  • “The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • “The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • “A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”

These are crucial safeguards that should occur throughout your organization. One of the biggest security problems organizations face is hackers gaining access to confidential data through unsecured parts of the network. By setting high standards for security, and regular testing and evaluation, GDPR compliant organizations will lower the frequency of major security incidents, and catch breaches more quickly.

5. Encryption key management can help you comply with GDPR.

It’s very hard to control where data goes in the cloud. Many cloud services are designed around a non-localized model to facilitate access from anywhere. Multiple copies of data may be in different data centers in different countries — in some cases, countries without the legal standards required for GDPR compliance. Changing your cloud services and restructuring your business to localize all your data would be a costly and complicated solution to GDPR.

Fortunately, doing it that way is unnecessary. The GDPR is concerned with protecting the privacy and security of personal data, not with where the bytes physically sit. Properly encrypted data can't be read by unauthorized parties, provided you handle your encryption keys properly, so controlling the keys lets you tackle a large part of GDPR compliance without major changes to your infrastructure. One caveat: encrypted personal data is still personal data in the hands of whoever holds the keys, so key control reduces the risk of a transfer or breach rather than removing the need to document a lawful basis for the transfer.

Virtru can help you accomplish this using a data localization strategy built around our Customer Key Server (CKS). Your encryption keys are stored in Europe, in an on-premises server, dedicated key storage hardware, or a localized cloud that you control. Then you restrict direct access to personal data to Europe-based workers or partners. If offices outside Europe need access to the data (for example for financial accounting), anonymize or pseudonymize it first to reduce the risk of its being compromised, for example by broad government surveillance.

GDPR Compliance — It’s Going to Be Alright

The General Data Protection Regulation isn’t something to take lightly, but it isn’t the end of the world either. By creating a more systematic approach to security and compliance, using data protection strategies like encryption, and localizing your data access, you can achieve GDPR compliance, and position yourself as a champion of consumer security. Use these resources to learn more:

The Simple Guide to GDPR Data Protection Requirements [eBook]
Business Privacy in the Cloud: Imperative for Data Protection
The Complete Guide to Business Privacy [eBook]