GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. And non-compliance could cost companies dearly. Here’s what every company that does business in Europe needs to know about GDPR.

Companies that collect data on citizens in European Union (EU) countries will need to comply with strict new rules around protecting customer data by May 25. The General Data Protection Regulation (GDPR) is expected to set a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to comply.

Compliance will cause some concerns and new expectations of security teams. For example, the GDPR takes a wide view of what constitutes personal identification information. Companies will need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address and Social Security number.

The GDPR leaves much to interpretation. It says that companies must provide a “reasonable” level of protection for personal data, for example, but does not define what constitutes “reasonable.” This gives the GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance.

Time is running out to meet the deadline, so CSO has compiled what any business needs to know about the GDPR, along with advice for meeting its requirements. Many of the requirements do not relate directly to information security, but the processes and system changes needed to comply could affect existing security systems and protocols.

What is the GDPR?

The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995. It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU.

[Related: –>How to prepare for the approaching General Data Protection Regulation]

The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. However, that standard is quite high and will require most companies to make a large investment to meet and to administer.

According to an Ovum report, about two-thirds of U.S. companies believe that the GDPR will require them to rethink their strategy in Europe. Even more (85 percent) see the GDPR putting them at a competitive disadvantage with European companies.

Which companies does the GDPR affect?

Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are:

• A presence in an EU country.
• No presence in the EU, but it processes personal data of European residents.
• More than 250 employees.
• Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies. A PwC survey showed that 92 percent of U.S. companies consider GDPR a top data protection priority.

When does my company need to be in compliance?

Companies must be able to show compliance by May 25, 2018.

Who within my company will be responsible for compliance?

The GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor and the data protection officer (DPO). The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.

[Related: –>GDPR requirements raise the global data protection stakes]

Data processors may be the internal groups that maintain and process personal data records or any outsourcing firm that performs all or part of those activities. The GDPR holds processors liable for breaches or non-compliance. It’s possible, then, that both your company and processing partner such as a cloud provider will be liable for penalties even if the fault is entirely on the processing partner.

The GDPR requires the controller and the processor to designate a DPO to oversee data security strategy and GDPR compliance. Companies are required to have a DPO if they process or store large amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a public authority. Some public entities such as law enforcement may be exempt from the DPO requirement.

What will GDPR preparation cost my company?

According to the PwC survey, 68 percent of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements. Another 9 percent expect to spend more than $10 million.

What happens if my company is not in compliance with the GDPR?

The GDPR allows for steep penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance. According to a report from Ovum, 52 percent of companies believe they will be fined for non-compliance. Management consulting firm Oliver Wyman predicts that the EU could collect as much as $6 billion in fines and penalties in the first year.

If your organization is not in compliance by the May 25 deadline, it will not be alone. Estimates vary, but the consensus is that about half of the U.S. companies that should be compliant will not be on all requirements. According to a survey by Solix Technologies released in December, 22 percent of companies were still unaware that they must comply with GDPR. Thirty-eight percent said that the personal data they process is not protected from misuse and unauthorized access at every stage of its life cycle.

One particularly difficult requirement will be the right to be forgotten, described below. Nearly two-thirds (66 percent) of the Solix survey respondents say they are unsure if they can purge an individual’s personal information forever by deadline.

That leaves a lot of organizations vulnerable to fines. The big unanswered question is how penalties will be assessed. For example, how will fines differ for a breach that has minimal impact on individuals versus one where their exposed PII results in actual damage? The consensus is that the regulators will quickly act on a few companies found to be not in compliance early on to send a message. Then, organizations can make a better assessment of what to expect in the event of a non-compliance finding.

What types of privacy data does the GDPR protect?

• Basic identity information such as name, address and ID numbers
• Web data such as location, IP address, cookie data and RFID tags
• Health and genetic data
• Biometric data
• Racial or ethnic data
• Political opinions
• Sexual orientation

Which GDPR requirements will affect my company?

The GDPR requirements will force U.S. companies to change the way they process, store, and protect customers’ personal data. For example, companies will be allowed to store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, and companies must erase personal data upon request.

That last item is also known as the right to be forgotten. There are some exceptions. For example, GDPR does not supersede any legal requirement that an organization maintain certain data. This would include HIPAA health record requirements.

Several requirements will directly affect security teams. One is that companies must be able to provide a “reasonable” level of data protection and privacy to EU citizens. What the GDPR means by “reasonable” is not well defined.

What could be a challenging requirement is that companies must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected. Another requirement, performing impact assessments, is intended to help mitigate the risk of breaches by identifying vulnerabilities and how to address them.

For a more complete description of GDPR requirements, see “What are the GDPR requirements?”.

What does a successful GDPR project look like?

It’s hard to imagine a company that will be more affected by GDPR than ADP. The company provides cloud-based human capital management (HCM) and business outsourcing services to more than 650,000 companies globally. ADP holds PII for millions of people around the world, and its clients expect the company to be GDPR compliant and to help them do the same. If ADP is found non-compliant with GDPR, it risks not only fines but loss of business from clients expecting ADP to have them covered.

ADP’s global focus and scale in some ways has been an advantage. It already adheres to existing privacy and security regulations, so the leap to GDPR compliance is not as high as it might have been. “We are already familiar with privacy laws in Europe. We are not starting from scratch with GDPR,” says Cecile Georges, chief privacy officer for ADP. “GDPR triggers the need for us to comply not just as a company, but also as a service provider. We help our clients comply with GDPR.”

Despite ADP being better prepared than many other companies, Georges says its GDPR project is large and global. It began about a year ago, but the project builds on earlier work. “We started even before GDPR was discussed,” she says. The company began data flow mapping and privacy assessments on new products several years ago.

Georges sees the early start on data flow mapping as key. “If we had not started the data flow mapping a long time ago, I would be less confident than I am speaking to you now,” she says. “Data flow mapping is required to do inventory of products, and processing PII is a first step to data protection impact assessments that are required. We’ve also implemented privacy by design in our new offers and products.” She adds that ADP supports its “privacy by design” policy with training for its developers.

ADP’s GDPR project pulls in people from many areas of the company, and Georges believes this is necessary for success. “We are involved in the organization, all the operations, and the functional groups. It’s not just a pure privacy or compliance project. It really involves the entire organization and we are coordinating with project managers across the company to make sure we implement the right processes across the organization,” she says.

Mechanisms for securing PII such as encryption are already in place at ADP. “From a security standpoint we came to the conclusion that it’s more about communicating with our clients, making sure they have the right information about what we are doing,” says Georges. “They may have to convey that message to their employees or to their own clients.”

Because ADP is a data processor for other companies, ADP has taken the optional step of defining binding corporate rules around protecting PII. “Like any other compliance project, we will be on time and confirm that we comply. This has to be very clear with our customers,” says Georges. “The fact that we have applied for those binding corporate rules, which is really not required, we hope that our customers understand that we want to make their lives easier and we want to protect their personal data to the standard expected by the EU regulators.”

Georges says she hears from other companies that aren’t yet on track for GDPR compliance. “The clock is starting to tick,” she says. “If a company has not started to look into what they need to do, they first need to understand what it means for them in terms of their business. Understand first to what extent they are affected by the new regulation and then do a gap analysis. That is the starting point of any project to assess what they need to do.

She also encourages companies to take an operational approach. “My recommendation is to have representatives of all the functions in the organization and not consider it a pure privacy or pure legal compliance project,” Georges says. “It would take too much time for operations to understand exactly what they need to do, whereas if you involve them from the beginning they can tell a lawyer or privacy professional, ‘We are already doing this,’ or ‘Technically, we can’t do this, but this is how we can address this requirement.’”

“There are different ways of applying GDPR depending on your business and the tools you have in place. The business people can assess that,” says Georges. “Once they have done the assessment and decided what to do, then they have to document what they are doing.” Georges is referring to the GDPR’s accountability principle, which requires companies to document how they’ve become compliant. “The documentation piece will be key.”

What should my company be doing to prepare for the GDPR?

Set a sense of urgency that comes from top management: Risk management company Marsh stresses the importance of executive leadership in prioritizing cyber preparedness. Compliance with global data hygiene standards is part of that preparedness.

Credit: CSO from IDG