On May 25 of this year the General Data Protection Regulation will go into effect. Established in April of last year, GDPR is a landmark reorganization of Europe’s approach to digital information. Once it kicks in, it will require technology companies across the globe to rethink the way they do business.
In this blog post, we address a few common questions that we’ve gotten from our customers.
Will GDPR affect my business?
The way the law is written, GDPR will gather all European Union member countries under a single set of rules. These rules will apply to any data controller, data processor or data subject. This means that if your company deals in data, and even a single bit of that data is sourced from someone living in the EU, you will need to be GDPR compliant.
Note: as of this writing, the United Kingdom is still considered a member of the EU as 2016’s “Brexit” decision has not yet gone into full, legal implementation.
Where Are the Most Likely Violations of GDPR Going to Come From?
The most common GDPR violations today are likely to be the improper privacy protection of user data, an inability to fully comply with “the right to be forgotten” and the improper and non-transparent usage of private data.
GDPR compliance means ensuring that your organization is capable of completely erasing any customer data and/or providing him or her with a dossier of the data you have collected on them upon request.
The way you use acquired data will also be scrutinized for GDPR violations. For example, digital assets like IP addresses and other pseudo-anonymized personal data can now only be obtained if a user specifically agrees to opt in.
What are the Biggest Challenges with Data Management for GDPR?
Non-compliance can happen because of implementation challenges. Historically, data has been collected and stored in a large number of fragmented systems that likely were not designed with this new privacy functionality in mind.
For example, a company might have multiple separate applications or products that were each developed independently by different teams with very little centralized governance. It’s very possible in these scattered systems that at least a portion of this organization’s data repositories have gone without proper documentation or regulatory oversight. In some cases, data may also be redundant and hard to spot without proper tracking methods.
What Makes GDPR Data Controls Challenging to Achieve?
Most traditional environments lack the automation, governance tools and security assessment report tools that prevent human error. This can lead to non-compliance with no malicious intent.
Fully automated GDPR compliance integration can take months, or even years, to implement. Until then the process has to be managed manually.
For example, you may have teams that need to access multiple systems in order to collect individual data and deliver it to a requesting user or delete it upon request. Understanding, coordinating and executing a request like that is a significant time commitment for an un-automated organization.
What are The Penalties for Violating GDPR?
The penalties associated with GDPR violations are steep and there are different ways to interpret some of the regulations. This sort of enforceable ambiguity makes it vitally important that you stay vigilant in your compliance to prevent any nasty surprises.
Consider the following. Say your company fails to provide notification reports to individuals affected by a breach within the allotted 72 hours. If detected, this could incur a penalty of up to 2% of the company’s entire annual worldwide revenue, or €10 million, whichever is higher.
Alternatively, failing to comply with the GDPR regulations regarding data privacy, private data collection without explicit consent, the deletion of private records, providing collected data to users within 30 days, or the transference of data without consent could lead to a penalty of up to 4% of your company’s annual worldwide revenue, or €20 million, whichever is higher.
Conclusion: Start Preparing Today
The requirements of GDPR are substantial and the penalties for non-compliance are severe. It is therefore vital that organizations get prepared through automation, system evaluation and employee education. The Dome9 Compliance Engine offers a powerful automation framework for assessing and managing compliance with regulatory standards as well as custom security governance requirements around data and infrastructure in cloud environments.
Dome9 is planning to announce more GDPR specific products very soon. Contact us today to find out more.