Understanding the component pieces of the GDPR is crucial to developing a complete plan to adhere to the regulations.
Oct 12, 2017
Over the past year, we’ve seen a massive rise in inquiries on how Delphix can help organizations comply with the EU’s General Data Protection Regulation (GDPR). This is for good reason - no matter where in the world your business operates, if you have personal data on European citizens and the data are leaked or compromised, your organization will be liable for some of the stiffest fines ever seen. This may help to explain why one of the biggest sources of inquiries recently has been US-based companies. As we live in an increasingly interconnected world, most US-based organizations have European customers, which ultimately means that these companies have to understand and implement changes to support the GDPR as well. We’ve long worked with US-based financial companies (we recently won an innovation award from JPMC, for example) and the GDPR has become top of mind for all of them. One of our financial customers told us, unofficially, that with even just 5% of their business in Europe, the costs of GDPR compliance were high enough to give them serious pause about the future of their EU-based business.
Based on the large number of GDPR projects on which we’ve worked, we are sharing our perspective on the GDPR, its international impacts, and a step-by-step process for adhering to it in a series of blog posts over the next few weeks.
To start, understanding the component pieces of the GDPR is crucial to developing a complete plan to adhere to the regulations. We’ll start by covering the high-level sections and then review each in detail over a series of blog posts. It’s important to note that the GDPR requires both people and process changes, and the breadth of the regulation is such that no single vendor will satisfy all points (nor can every requirement be resolved by vendors at all). In addition to the overview, coming blog posts will identify areas where Delphix’s products and services can help.
The GDPR will take effect on May 25, 2018. The GDPR applies to each member state of the EU and to any organization that does business in the EU (which notably includes nearly all large organizations in the U.S.!).
Although many companies have already adopted privacy processes and procedures consistent with the old data protection law (the Directive), the GDPR contains a number of new protections for EU data subjects (identifiable natural persons) and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into effect in the spring of 2018.
With new obligations on data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.
Data Breach Notification: The GDPR requires notification to both the supervisory authority and the affected data subjects (with a caveat related to pseudonymization, but we’ll get there later) when personal data about EU subjects are lost in a data breach.
Data Protection Officer: Organizations must designate a new role, “Data Protection Officer,” to comply with the GDPR - managing compliance, working with the supervisory authority and overseeing the organization’s GDPR-related activities.
Consent: The GDPR adds more stringent requirements around an organization’s need to acquire consent before using any personal data of a data subject (with clear definitions of how consent is obtained) and to support withdrawal of consent at any time.
Cross-Border Data Transfers: The GDPR explicitly permits personal data transfers, but only to organizations and countries that comply with a set of conditions on personal data protection.
Profiling: The GDPR clarifies how automated processing of personal data must be handled - specifically, data subjects can opt out of decisions made solely on the basis of automated processing of their personal information.
Pseudonymization: The GDPR acknowledges pseudonymization (or data anonymization, data masking) as an acceptable means to protect and process personal data and encourages its use.
Next in this series of blog posts, we’ll dig into each of these areas and see what it actually means to adopt them.