You are back in the office after the long holiday break and busy catching up. Did you miss the story about the EU’s General Data Protection Regulation (GDPR) receiving final approval? Some are calling it a “milestone of the digital age”.
We’ve been following the GDPR on the Varonis blog over the last two years. If you want to catch up very quickly, read our omnibus post that’s a tasty distillation of our wisdom on this subject. Or if you have some more time, check out our comprehensive GDPR white paper.
With the final draft, a few ambiguities and loose ends were ironed out from the different versions provided by the EU Parliament and the Council. I’ve put together a few key points that should resonate with Inside Out readers. Keep in mind the GDPR will take effect in the later part of 2017.
We have closure on the question of fines: the GDPR has a tiered fine structure. For example, a company can be fined up to 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach (articles 31, 32), or not conducting impact assessments (article 33).
More serious infringements merit a 4% fine. This includes violation of basic principles related to data security (article 5) and conditions for consumer consent (article 7)– these are essentially violations of the core Privacy by Design concepts of the law.
The EU GDPR rules apply to both data controllers and processors, that is “the cloud”. (Refer to our white paper to learn more about this law’s data security terminology.) Therefore huge cloud providers are not off the hook when it comes to GDPR enforcement.
Data Protection Officer
It’s official: you’ll likely need a Data Protection Officer or DPO. You can read the fine print in article 35. If the core activities of your company involve “systematic monitoring of data subjects on a larger scale”, or large-scale processing of “special categories” of data—racial or ethnic origin, political opinions, religious or philosophical beliefs, biometric data, health or sex life, or sexual orientation– then you’re required to have a DPO. In the US, the closest job title to this is a Chief Privacy Officer. In any case, the job function of the DPO includes advising on and monitoring GDPR compliance, as well as representing the company when contacting the supervising authority or DPA.
Data Breach Notification 24 or 72 hours?
And the winner is … 72.
Article 31 tells us that controllers are required to notify the appropriate supervisory authority of a personal data breach within 72 hours (at the latest) on learning about the exposure if it results in risk to the consumer. But even if the exposure is not serious, the company still has to keep the records internally.
According to the GDPR, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data – the EU’s term for PII—is considered a breach. Note my emphasis on unauthorised.
Based on my understanding of the GDPR, this means that if an employee sees data that’s not part of their job description, it could be considered a breach. Of course, this is not a problem for your company, because your IT department has done a thorough job reviewing file access lists and has implemented role-base access controls.
You can read more about what you have to provide to the data authority in our “What is the EU GDPR” post.
Bottom line: The GDRP notification is more than just saying you have had an incident. You’ll have to include categories of data, records touched, and approximate number of data subjects affected. And this means you’ll need some detailed intelligence on what the hackers and insider were doing.
Data processors have a little more wiggle room: they’re supposed to notify the company they’re doing the work for—the controller– “without undue delay”.
Under what conditions does a company have to tell the subject about the breach?
You can read the details in article 32, but if a company has encrypted the data or taken some other security measures that render the data unreadable, then they won’t have to inform the subject.
For Countries Outside the EU
We’ve been raising the alarms on extra-territoriality for several months now.
With the GDPR finalised, we can say with certainty the law applies to your company even if it merely markets goods or services in the EU zone.
In other words, if you don’t have a formal presence in the EU zone but collect and store the personal data of EU citizens, the long arm of the GDPR can reach out to you.
As many have been pointed out, the extra-territoriality requirement (article 3) is especially relevant to ecommerce companies.
Social media forums, online apartment sharing, artisanal craft sites, or beers of the world clubs: you’ve been warned!
All the permutations of the GDPR and how it can applies is just too complex to cover in a few blog posts. Of course, your Data Privacy Officer is the go-to person for advice, along with outside legal experts.
Speaking of law firms and attorneys, they are understandably all over this.
Thankfully, they do offer some very practical and free information on their public-facing sites.
Here are my own favorite legal advisors:
• Bird and Bird: www.twobirds.com
• Daniel Solove’s Privacy and Security blog: www.teachprivacy.com
• Hogan Lovells:
• BakerHostetler: www.bakerlaw.com