There’s been tons of buzz around it for a while, but soon it will be here. The General Data Protection Regulation (GDPR) will take effect May 25, 2018, and will impact every company in any industry around the world that processes the personal data of European Union (EU) residents.
The new law replaces the EU’s Data Protection Directive 95/46/EC. It is designed to give individuals better control over their personal data, which also means that companies must follow specific protocols to ensure the privacy of employee and other personal data. Unlike the older directive, the GDPR carries severe penalties for noncompliance, reaching as high as four percent of a company’s global revenue or 20 million euros, whichever is higher. All companies that process data about individuals in the context of selling goods or services to EU citizens will need to be compliant. In a global business world, this means pretty much any company, regardless of where it is headquartered.
The need for data protection is nothing new for CIOs who understand the urgency of intensive data management and protection within a data-driven, digitized business environment, but this new level of regulatory control promises to put their efforts into overdrive. The protected information includes basic identity information such as name, address and ID numbers, but also web data, health and genetic data, biometric data, racial or ethnic data, political opinions and sexual orientation. This information may be stored within virtually every department throughout an enterprise – from the finance department to human resources, marketing and sales.
New Roles and Responsibilities
The GDPR defines the key positions that are responsible for ensuring compliance: the data controller, the data processor and the data protection officer (DPO). The data controller determines how personal data is processed and the purposes for which it is processed, and also makes sure outside contractors comply. Data processors may be the internal groups that maintain and process personal data records or any outsourcing firm that performs all or part of those activities. The GDPR holds processors liable for breaches or non-compliance. It’s possible, then, that both your company and a processing partner, such as a cloud provider, will be liable for penalties even if the fault lies entirely with the processing partner.
The GDPR also requires that the controller and the processor designate a Data Protection Officer (DPO) to oversee data security strategy and GDPR compliance. Companies are required to have a DPO if they process or store large amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a public authority.
In addition to new roles, GDPR mandates new responsibilities:
- Increased documentation. To comply with the GDPR, companies will have to identify, inventory, and maintain a record of all the EU-based personal data they collect and process.
- Data protection impact assessments (DPIAs). The GDPR requires organizations to conduct data protection impact assessments for any new processing or changes to processing deemed to represent a high risk to the privacy and protection of EU residents’ personal data.
- Privacy. The GDPR requires privacy and data protection controls to be incorporated into any new or existing systems or processes that involve EU residents’ personal data.
- Security. Under the GDPR, companies will be required to report breaches involving EU resident data to data protection authorities within 72 hours.
Since all of this personal data resides on the corporate network, supporting compliance is no easy task for IT. Even the best-laid plans can go astray if endpoint devices within different departments are inadvertently compromising the privacy of personal data.
For example, the Human Resources (HR) department within a global enterprise must be assured that the personal data it holds on employees around the world is kept confidential. Yet what if an administrator within the department inadvertently compromises that data by downloading malware to an endpoint device?
The imperative for IT departments to ensure data privacy really begins with the endpoint device. Being able to instantly remediate any issue that could compromise data security on the endpoint, and to immediately notify affected parties of any breach of data privacy, is next to impossible without the endpoint perspective.
Automated solutions that provide this endpoint perspective and consistently ensure that all endpoints are protected and compliant enable companies to:
- Easily protect personal data via continuous monitoring and auto-remediation
- Seamlessly engage with employees to confirm user consent
- Quickly determine the extent of a breach related to personal data (within the 72-hour reporting window) and stop the spread
- Proactively prevent and report breaches with comprehensive impact assessments
GDPR is clearly changing the way companies treat personal data and requiring a whole new level of digital vigilance. Proactive and secure endpoint monitoring and management not only holds the key to more effective data privacy and easier compliance, but it also improves the end-user experience along the way.
Related webinar: Spare 20 minutes to watch a webinar recording with Jean-Michel Mouche, Customer Success Director and Compliance & Security Expert at Nexthink, as he explains the fastest way to get on track for the looming May 25th GDPR deadline.