GDPR is here. What now?

By Pratteek Bathula, Product Director at Hut Six

What is GDPR?
Everyone’s favourite acronym. If you are a business owner, work in IT or handle customer or employee data, these four letters present a massive shake-up to data protection laws that you need to be aware of or risk unprecedented fines.

The General Data Protection Regulation (GDPR) is a European legislation which came into effect last Friday, May 25, 2018 that governs how businesses gather, process and share personal data of European citizens. The legislation is intended to bring data protection rules up-to-date with the large strides in technology and the drastically different ways businesses leverage data. It is designed to empower private individuals by giving them more control over their personal data and create a set of unified rules by which organisations must comply or face hefty fines.

How does this affect my business?
GDPR will not only have a significant effect on companies registered within the EU, but any company which handles personal data collected within the EU. GDPR applies when personal data is collected from an individual who is located within an EU member state at the time of collection.

Even if your organisation operates a software as a service (SaaS) business model, any personal data relating collected within the EU must be protected in accordance with GDPR. Regardless of where your servers are hosted, there are additional stipulations if you are taking this data outside of the EU.

Depending on the extent of the breach and whether your organisation is found to have appropriate security measures in place, the GDPR fines may be limited to 2% of the global turnover of the preceding financial year or EUR 10 million – whichever is greater. The severity of these fines means it is no longer competitive to be noncompliant.

Who am I?
In the eyes of data protection law, you are either a data “controller” or a data “processor”.

If you decide how and to what extend personal data is collected and processed, you are a data controller. Conversely, if you do not control how or why personal data is collected BUT still work with personal data on another organisation’s behalf you are a data processor. This is often the case if your organisation operates as part of a supply chain or if you are partnered with another organisation which acts as a data controller. GDPR introduces new requirements and liability to these data controllers.

What does that mean?
Data controllers are now required to keep records of all personal data and processing activities whilst offering their customers certain rights over that data.

The liability has shifted upstream such that controllers are not relieved of their obligations when it is their processor handling the data. This means 3rd party liability is a concern when it comes to supply chain partners processing data.

What’s considered personal data?
Personal data is defined as any piece of information associated with or that can be linked to an identifiable person. A person can be identified by many means, for instance, by their:

• Name
• Emails address
• IP address
• Username
• Location data
• Payment information
• Photos
• Videos
• Medical data
  to list but a few!

Simply put, if a data record can be used to identify someone, then all data associated with that record is considered personal data.

I handle a lot of that data. What does this mean for me?
Your organisation needs a comprehensive data policy that documents how you handle data, especially when dealing with partners or their supply chain. Some organisations, if large enough, will have to recruit or source a Data Protection Officer to handle the process.

This is explicitly warranted if your organisation’s core activities consist of processing operations which require regular and systematic monitoring of data subject (end users) on a large scale or if you process data described in articles 9 and 10 of the GDPR regulation.

In addition to all this, GDPR has made it mandatory for an organisation to notify the relevant regulatory authority and any private individuals affected within 72 hours of discovering a security breach, if that breach has significant privacy implications for those individuals.

This seems like a lot of red tape. What’s the point?
Fundamentally the GDPR is designed to increase the data privacy rights of EU citizens. This provides substantial protection of the individual against organisations wrongly using their personal data. Companies must clearly state their terms and conditions, when signing end users up for a product or service, in one page, without resorting to confusing lawyer speak.

How does this affect me, the consumer?
The implementation of GDPR effectively arms you with a whole new set of rights when it comes to organisations collecting, processing and unduly sharing your personal information.

Individuals’ Rights over their own data include:

• The Right to be Informed – you are entitled to fair processing information concerning how your personal data is used;
• The Right of Access – you are entitled to confirmation that your data is being processed and access to that data and any supplementary information;
• The Right to Rectification – you are entitled to have personal data rectified if inaccurate or incomplete;
• The Right to Erasure – colloquially the “right to be forgotten”, you can request deletion of personal data when there is no compelling reason for its continued processing;
• The Right to Restrict processing – you may block or suppress processing of your data;
• The Right to Data Portability – you may obtain and reuse your data for your own purposes across different service providers (so you can change banks and ask your current bank to transfer all personal data to the new one);
• The Right to Object – you are able to contest processing that is based on legitimate interests e.g. performing a task in the public interest and all these are replicated for automated processing.

What steps should organizations take?
Information security is already a business necessity. The GDPR legislation will demand tighter controls and policies, including educating your staff and raising awareness of threats across your organisation.

To your prospective users you will need to rethink exactly what data you need to collect from them and explain in simple terms what you intend to do with that data. You will also need to prove that a user gave their consent, for you to use their data, separately from your standard terms and conditions.

Hut Six are part of the Wesley Clover Innovation Centre based in Newport, Wales. They are a Cyber Security Awareness Training Company that specializes in securing your company by focusing on the major contributor, the human factor. Hut Six runs a GDPR compliance module as part of their curriculum, which comprehensively covers GDPR best practices.

For more useful tips and articles like these, sign up for our Blog.