The Worldwide Implications of the EU General Data Protection Regulation
I recently attended a Boston Chapter Meeting of the Cloud Security Alliance (CSA). This meeting was held in conjunction with the local chapter of the International Association of Privacy Professionals (IAPP). The topic? Something that interested everyone in the room, the new EU General Data Protection Regulation (GDPR).
Implications of the GDPR are a concern for almost every organization doing business in the EU that possesses “any information relating to an identified or identifiable natural person (‘data subject’).” While it becomes enforceable on May 28, 2018, the time to prepare for it is now.
At the event, keynote speakers included Elaine Call, Esq., Technology & Privacy Counsel at Cengage Learning, Inc. and Web Hull, Privacy, Data Protection, Security & Compliance Advisor, Global Privacy and Compliance Group. Elaine kicked off the meeting with an introduction to the GDPR and discussed security and cross-border data transfers.
Attendees learned that the EU General Data Protection Regulation replaces the 21-year-old Data Protection Directive (95/46/EC) as the EU’s omnibus data protection law. It replaces 28 national laws, which is perceived as a benefit for businesses, in that they will only have to deal with one supervisory authority rather than 28.
The law’s objectives are to:
- Protect the “Digital Citizen”
- Ensure a single digital market
- Establish a new framework: one set of rules for the whole EU and a uniform interpretation mechanism that provides legal certainty and creates trust
Attendees also learned some new vocabulary. For instance, the regulation promotes techniques such as anonymization (removing personally identifiable information where it is not needed), and pseudonymization (replacing personally identifiable material with artificial identifiers). The regulation also promotes the use of encryption to protect personal data.
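As an added illustration (not code from the original post or from Cryptzone), the following Python sketch shows the difference between the two techniques on a constructed customer record: pseudonymization replaces direct identifiers with keyed tokens that can only be re-linked by whoever holds the separately stored key, while anonymization simply drops the fields the processing purpose does not need.

```python
import hmac
import hashlib

# Constructed sample record of the kind a "data subject" might appear in.
RECORD = {
    "email": "alice@example.com",
    "name": "Alice Example",
    "postcode": "EC1A 1BB",
    "purchase_total": 42.50,
}


def pseudonymize(record, key, identifying=("email", "name")):
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    The same input under the same key always yields the same token, so
    records about one person can still be linked for analysis, but
    recovering the original value requires the key, which must be kept
    separately from the pseudonymized data set.
    """
    out = dict(record)
    for field in identifying:
        if field in out:
            mac = hmac.new(key, str(out[field]).encode("utf-8"), hashlib.sha256)
            out[field] = mac.hexdigest()
    return out


def anonymize(record, needed=("purchase_total",)):
    """Keep only the fields the stated purpose actually needs.

    Nothing identifying survives, so there is no key to protect, but the
    records can no longer be linked back to a person at all.
    """
    return {k: v for k, v in record.items() if k in needed}


def linkable(record_a, record_b, key, field="email"):
    """True if two records refer to the same subject under the same key."""
    return pseudonymize(record_a, key)[field] == pseudonymize(record_b, key)[field]
```

Rotating or losing the key changes every token, which is exactly why the key store needs the same access controls and logging as the personal data itself.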
The key takeaways from the CSA discussion on GDPR include:
- The EU GDPR has teeth: Under the GDPR, fines can reach 20 million euros or up to four percent of a company’s global annual turnover, whichever is greater.
- It affects companies worldwide: Those affected include controllers and processors established in the EU/EEA, as well as companies not established in the EU/EEA if they offer goods or services within the EU/EEA, irrespective of whether a payment by the data subject is required. The regulation has very broad reach, applying to virtually any company doing business in the EU.
- Staffing: Firms with over 250 staff must employ a data protection officer. The EC wants to ensure that large organizations processing a lot of data have someone who takes responsibility for that information, and the data protection officer role is part of the new law.
- Organizations must be able to report on breaches: The GDPR will require firms to notify data protection authorities, such as the UK’s Information Commissioner’s Office (ICO), of any data loss incident as soon as possible, which the EC suggests should be within 24 hours “when feasible.”
How to prepare for the EU GDPR
The EU GDPR train has left the station. Now is a good time to assess how you can prevent attackers from gaining access to any information relating to an identified or identifiable person.
It’s important to have answers to the following questions:
- How can IT teams provide unified, granular access control to applications, services and infrastructure, regardless of location, whether on-premises or in the cloud?
- How can you apply the same level of access control scrutiny to devices brought into the environment by third parties, contractors, or even your own employees?
- How can you make the network ‘invisible’, cloaking the full network and only granting visibility and access to the applications and services that users need to do their job?
- How can you provide logging data to help meet reporting requirements including those associated with the EU GDPR?
Cryptzone’s AppGate® provides a comprehensive, centralized approach to secure access control, providing real-time access on a need-to-know basis. Enterprises leveraging AppGate can improve security, maintain productivity, reduce operational costs and be on their way to meeting the EU GDPR security requirements.