Privacy is important to all of us, but to most Europeans it is even more critical. I was at a conference a while back and the presenter made the comment that Europeans' trust of companies and governments is colored by the events of WW2 and totalitarian regimes that used personal data to subjugate and terrorize individuals. So it makes sense that they may be more aware of and sensitive to privacy issues than most Americans. However, given cybersecurity events over the last few years, Americans are becoming more adamant about their privacy. Privacy regulations (mostly at the state level) are becoming more common and are likely to grow even more.
So what is GDPR all about?
Most people have heard about the “right to be forgotten” part of this regulation, but it goes much further than that. Basically, there are six requirements of GDPR.
- Transparency and Lawfulness: Companies will be required to be clear about how they are using personal information, and they must have a ‘lawful basis’ to process the data.
- Limit the use of data to the specific purpose you collected it for; if the data is re-used, the new use must be compatible with the original purpose.
- Minimize the collection and storage of personal data.
- Each person has the right to correct inaccuracies in the data and to erase any data about themselves that they want.
- Personal data should only be maintained as long as it is needed for the original purpose.
- Companies must ensure the security, integrity, and confidentiality of personal data through technical and organizational measures.
Simple, right? Just remember, I am only touching on the highlights! There are also notification rules and many other aspects.
However, if you are reading this newsletter, you are probably not in the European Union. This regulation has far-reaching aspects. If any of your clients or customers live in the EU, this may apply to you. Also, this regulation has no size stipulations. It applies to companies of all sizes. The fines are also spectacular! Fines can be up to 20 million euros or 4% of the company’s global annual revenues.
Also interesting is how “personal data” is being defined. It is not just the typical name, SSN, address, etc. It also includes online identifiers such as IP addresses, as well as customer feedback, location data, biometric data and CCTV footage. It may even include photos linked to accounts, even if there are no identifiable people in the photo!
The concepts of a ‘Controller’ and a ‘Processor’ are addressed. While most regulations are directed at Controllers (the entity that determines the purpose of the data), this one also covers the Processor (the entity that simply processes the data for the Controller).
This regulation takes a complete and holistic approach to the privacy issues of data. The GDPR addresses things like “privacy by design” or “by default”. In other words, companies should be thinking about privacy as they are designing their systems and controls rather than applying fixes or controls on top of what is in place.
There is plenty of information out there. The home page for the regulation has a lot of good resources: https://www.eugdpr.org/. While there may be some bias, another good source of information is vendors and software companies. A lot of what I have covered here is covered in more detail in one of Microsoft’s whitepapers, available here: Microsoft GDPR Compliance
Just keep in mind that while this may not impact your company today, with all of the cybersecurity issues out there and concerns over ID theft and privacy, this may give us a glimpse of our regulatory future.
Throughout his time at YHB, Curtis has provided IT audit and consulting to clients, even while holding the position of the firm’s IT director for several years. Now, as head of the YHB Risk Advisory Services Team, Curtis focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services. He also frequently speaks and gives presentations on SOX compliance, internal controls, and data security.