It’s here, but what are the legal ramifications of the new legislation for businesses?
There is a certain similarity between J. R. R. Tolkien’s The Lord of the Rings trilogy and the General Data Protection Regulation (GDPR) coming into force tomorrow, May 25 2018. As weird as it may sound, the regulation puts in place standards much like those of the One Ring: GDPR is here to rule the world of data protection the same way the One Ring ruled the others.
In real life, this corresponds to unifying the differing levels of data protection legislation in each of the European Union (EU) countries. Except in this case, the One Ring is replaced by a single set of data protection rules across the EU. The regulation aims to protect any information that relates to “an identified or identifiable person”, and it addresses the export of personal data outside of Europe as well.
WeLiveSecurity spoke with Tomáš Mičo, ESET Data Protection Officer, to clarify the essentials the regulation brings to businesses. “In Slovakia, where the cybersecurity firm ESET is based, we’ve already had, by law, the possibility to appoint a Data Protection Officer, so applying GDPR for businesses inside countries with similar requirements of legislation shouldn’t have any significant impediments,” he says.
According to Mičo, businesses have already invested significant time and energy into mapping all their processes and reviewing all their agreements, as recommended by data protection professionals. “Moreover, as GDPR has a so-called ‘downstream’ effect, businesses need to apply the same principles to all their arrangements, including those with third-party processors and sub-contractors,” explains Mičo.
The main purpose of the new regulation is to minimize the unnecessary collection of personal data. This includes steps that prevent storing data that does not need to be stored, and securing the entire journey of personal data through the company. However, the biggest challenges for businesses lie with the requirements for Privacy by Design, Privacy by Default, Right to Erasure, Right to be Forgotten and Breach Notification.
Computer security companies around the globe are rightfully using this opportunity to offer solutions that mitigate the main risks connected to the regulation: selling encryption, two-factor authentication and other solutions to close any possible path for cybercriminals to reach the personal data that must be protected under GDPR.
That’s not all. Although businesses are successfully deploying cybersecurity solutions to make sure personal data is properly processed and protected inside the company, there are other legal responsibilities that must be met. One of them is to offer an easy-to-understand explanation of data processing, so customers are transparently informed about the rights they gain under this new regulation.
“Businesses have to make sure they have consent, a contract or another legal basis for processing all of the personal data protected by the regulation, for all their end users. For a middle-size business, it can as well mean spending countless hours retroactively contacting all of them if their legal basis is not GDPR valid, including end users that businesses gained through third parties or sub-contractors,” adds Mičo.
In addition, individuals also have the right to request a detailed listing of all their personal data that is being processed, and they can request it from any vendor that works with the personal data of EU-located customers, even if the company is not physically located in the EU. This is especially hard for e-commerce businesses and businesses that work with cloud services. And that is the reason why the majority of newsletters in the last couple of weeks start with “We have updated our privacy policy”.
Moreover, to be GDPR compliant, businesses must have the information about the individual available at any time and keep it protected, that is, encrypted. “This way the personal data, even when the company suffers a breach or is hacked, stay protected,” says Mičo. Perhaps the greatest onus is the Breach Notification requirement, which forces businesses to have processes in place that ensure the information about a data breach reaches the appropriate data protection authority within 72 hours of its discovery.
If nothing else, the penalties for non-compliance are hard to swallow: 2% to 4% of the company’s global annual turnover, which is an expense no company can afford to take lightly.
A recent survey by IDC, however, reveals that for noncompliance, “regulators are more likely to focus on progress toward the goal than penalizing those not quite finished with GDPR conformity”.
In time, we’ll see if the famous one rule to rule them all will find them all and bind them as the legislators have predicted, or if everyone will meet in an unfulfilled GDPR Land of Mordor.
For more information on GDPR, ESET has a dedicated page to help ensure that you have all the information needed to cope with GDPR. To read more articles like this one, please follow WeLiveSecurity.