The GDPR deadline is looming large. With fewer than 100 days until May 25, many U.S. companies are still unsure what their responsibilities are under GDPR and what steps they need to take to meet new requirements.
To help you prepare, Threat Stack product marketing manager Hank Schless got together with Paul-Johan Jean, GDPR legal consultant at Sphaerist Advisory to give a high level-summary of GDPR responsibilities for U.S. companies in a recent webinar. You can either stream the archived webinar right now, or read the recap below.
Dispelling GDPR Myths
In the uncertainty that has formed around GDPR, many organizations have developed false impressions about what the legislation entails. Here are the top three myths that have emerged:
Myth 1: GDPR is massive, incomprehensible, and complex.
Reality: Most U.S. and E.U. companies actually welcome GDPR. The legislation represents a simple, clear, and remarkably flexible framework. What it replaces is measurably inferior — a confusing patchwork of regulations that differ between the various E.U. member states.
Myth 2: The GDPR deadline is a hard deadline.
Reality: The May 25, 2018, deadline is not as hard and fast as it may appear. The E.U. Information Commissioner’s Office (ICO) is powerful, but not omnipotent. It is not going to come after companies on May 26, the day after GDPR goes into effect, because it simply doesn’t have the resources to do so. That’s not to say that you should ignore the regulations or procrastinate on fulfilling your responsibilities, but there’s no use panicking about the deadline either.
Myth 3: GDPR doesn’t apply to U.S. companies.
Reality: This is the biggest myth. Many U.S. companies believe that GDPR won’t apply to them, but if you process data from E.U. citizens, you are covered under GDPR one way or the other. More importantly, the E.U. U.S. privacy shield makes it perfectly feasible for the ICO to enforce the dictates of GDPR across the Atlantic.
GDPR may not be as confusing as feared, and the deadline may not be as hard and fast as it seems, but it’s still coming. U.S. companies need to prepare for GDPR no matter what. Even if you feel that you aren’t covered by GDPR, it’s still worth an audit to make sure.
GDPR Overview for U.S. Companies
What are the instances in which GDPR applies to U.S. companies? For one, you don’t need to have a physical E.U. presence. If you offer goods and services in the E.U., or you monitor the behavior of E.U. citizens on the internet, then you are either a “data controller” or a “data processor” under GDPR, meaning that you must abide by its principles. If your customers do the same, then GDPR applies to you as well, albeit indirectly.
Assuming that GDPR applies to you, here’s a quick breakdown of your responsibilities:
- You must have a legal basis for collecting and using data — say, in order to sign a contract.
- Once you have collected said data, there’s a limit to how much you can process it. You can’t go beyond your original reason for collecting it.
- Individual rights of data subjects flow along with data around the world.
- Cross-border transfers are pervasively covered under GDPR, leading to a rise in potential liability.
- Companies must engage in record keeping, and are subject to audits or privacy impact assessments.
- Companies must take appropriate security measures, such as encryption or pseudonymization.
Any organization that touches data belonging to E.U. citizens, including controlling or processing it, is subject to GDPR. Harsh penalties are in store for misuse going forward — up to 4% of global revenue, representing a potential 79x increase in fines. Look for the ICO to make an example of at least one company before 2018 runs out.
What to Do Now
If you didn’t have a GDPR plan already, it’s time to make one. Consult a lawyer, figure out how GDPR applies to you, and put together a plan. Planning for GDPR is a project in and of itself, and it should be taken seriously — even if the conclusion at the end of step one is that GDPR doesn’t apply to you. This is a project for an experienced team of legal experts, and requires executive support. Here are the key components of a successful GDPR audit:
Leadership: A GDPR project not only needs a leader, but an experienced leader. Find an individual who knows the company well, and who has good relationships with business unit leaders. In other words, this is not a project for an intern. Give the GDPR leader a team from IT, HR, and Legal. Provide the group with a clear mandate and let everyone in the organization know that the board and senior management have made this a priority.
- Know Thyself: GDPR focuses on data; categories of data; and categories of data subjects. In other words, you must have a clear picture of your data universe. Many companies don’t realize the full extent of the data inventory they have, or they haven’t thought about it with data compliance in mind. You need to ask your organization a few questions, including:
- Whose data do you store?
- Who has access to the data?
- Where is the data saved, and is it ever deleted?
Performing this assessment should help you gain clarity on how and whether GDPR applies to your organization. As a bonus, you’ll probably find that the exercise will be useful for more than just GDPR compliance.
- Make a Plan: Once you’ve mapped your data universe, it’s time to prepare a compliance plan. This should include your objectives, an audit and review of the results, and performing a gap assessment. Free questionnaires are available online for self-assessment, and more expensive ones if you feel you need a more in-depth look at your responsibilities under the law. Afterwards, you need to review your applicable contracts — with partners, vendors, and employees — to ensure that they meet GDPR standards.For most companies, not all of GDPR’s requirements can be fulfilled at once — and not all will have the same importance. So you will need to prioritize. On the plus side, GDPR is rather flexible. For example, there’s not always a precise technical requirement for each responsibility — just qualifiers that allow companies to protect data to a reasonable extent given their size and budgets. This gives companies additional leeway to get as much done as they can before the May 25 deadline without worrying about achieving perfection on day one.
Dealing With Ongoing Obligations
The May deadline is fast approaching, and if you’re just starting GDPR preparations now, it would be wise to hurry. Fortunately, it should be possible to have at least an outline and a plan created (if not fully executed) before then.
What if you’re hacked on May 26 and your plan isn’t completed? The good news is, if you follow our advice, you’ll at least have evidence for the ICO that indicates your compliance efforts are ongoing. This should be enough to spare you from the regulators’ ire.
One last thing to note is that GDPR compliance is not meant to be static. It also cannot be completely outsourced. Compliance with GDPR is an ongoing journey that companies can’t simply finish and forget about. It needs to be part of how you do business going forward. At the very least, companies will need to invest in tools that help them build a consistent, ongoing audit trail, and develop incident response plans that comply with GDPR’s 72-hour breach notification deadline. GDPR isn’t designed to be complex, and it’s not particularly difficult to comply with, but it does require constant diligence, continuous improvement, and accurate security monitoring.
Final Words . . .
For additional information and guidance on the GDPR, feel free to download the following ebooks prepared by Schellman & Company: