The General Data Protection Regulation (GDPR) has been regarded as the gold standard all over the world since the EU Parliament approved the law in April of 2016. The GDPR carries provisions that require businesses to protect their clients’ personal data and EU citizens’ privacy on all transactions that occur within EU member states. Although adopted in April of 2016, the GDPR is not enforceable until May of 2018. Once the effective date for GDPR comes to pass, businesses that store, transmit, and process the personal data of EU citizens will be held responsible for ensuring those citizens’ data and privacy are protected, or face steep penalties for non-compliance.
Where to Start
Any company that stores, transmits, or processes personal information about EU citizens within EU states must comply with the GDPR, even if it does not have a business presence within the EU. Because of this requirement, managing the security of information with regard to the GDPR is more important than ever. Many businesses are asking whether GDPR applies to their organization. The bottom line is this: if your company collects personal data or behavioral information from someone in an EU country, your company is subject to the requirements of GDPR. It is important to note that GDPR only applies if the consumer whose data is collected is in the EU at the time of collection.
What to Look For
The following is a list that details the data the GDPR deems a business must protect when performing data collection:
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Financial data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
10 Major GDPR Control Requirements
GDPR as a whole contains 11 chapters and 91 articles. The following are a few of the most impactful requirements from GDPR with which an organization collecting or processing data from EU citizens must comply:
- Companies that process a significant amount of personal data shall assign a Data Protection Officer to advise the company regarding the EU GDPR requirement compliance.
- Companies that process personal data shall do so in a lawful, fair, and transparent manner.
- Companies that process personal data shall limit the processing and only collect the data which is necessary. Furthermore, companies that process personal data shall dispose of the data once its purpose is fulfilled.
- Data Subjects who have their information protected and/or processed by a company have the right to request from the company details about the information the company is collecting and what the company does with that information. Data Subjects also have the right to correct, object to processing, lodge a complaint, or even ask for deletion or transfer of the personal data. Companies shall adhere to these requests if a viable reason is supplied.
- Companies that protect and process personal data beyond the legitimate purpose must receive and document clear and explicit consent from the Data Subject. Data Subjects can withdraw consent at any time. If a child is under the age of consent (13 or 16 years old, depending on the country), companies must require that a parent (or guardian) give consent.
- Companies that protect and process personal data shall ensure privacy and protection controls are implemented by default when designing new systems and processes.
- Companies that protect and process personal data must maintain a Personal Data Breach Register and, based on severity, shall inform the Supervisory Authority and Data Subject (the person about whom data is being collected) within 72 hours of identifying a breach.
- Companies that protect and process personal data shall perform Data Protection Impact Assessments when initiating a new project or product to collect or process personal data, or if there is a change in the way the company collects or processes data.
- Companies that protect and process personal information are ultimately responsible for protecting that information if/when it is transferred to a third party.
- Companies shall ensure their employees have proper training and awareness regarding key GDPR requirements, as well as their responsibilities regarding the protection of personal data and identifying personal data breaches.
How GDPR affects US Businesses
First and foremost, if your organization has clients or members who live or reside in an EU country, or who hold dual membership in one, you are subject to GDPR.
GDPR does not refer only to financial transactions, however. GDPR can apply if personally identifiable information (PII) is obtained through other methods of data collection, such as a marketing survey. GDPR will only apply if the business collecting data is targeting individuals in EU countries, not if the data collection method is generic marketing. For example, a German user who searches and finds an English-language webpage written for US consumers or businesses and submits information would not be covered under the GDPR. However, if the marketing content is written in that country’s language and contains references to EU users and customers, then the webpage would be considered targeted marketing and GDPR will apply.
Furthermore, for US companies, EU-directed online marketing forms and interactions will have to be adjusted to obtain explicit consumer consent. Companies will be allowed to store, transmit, and process personal data only when the individual provides consent and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, and companies must erase personal data upon request. Once the data is collected, US companies will then have to protect it under the GDPR’s rules.
Most importantly, the GDPR requires all businesses that protect information regarding EU consumers to report any “accidental or unlawful destruction, loss, alteration, unauthorized disclosures or access to personal data” within 72 hours of the discovery. The GDPR defines several roles that are responsible for ensuring compliance with its regulations: data controller, data processor, and the data protection officer (DPO). If a business falls under the GDPR scope, the company must appoint a data protection officer, as defined by GDPR, who holds processors liable for breaches or non-compliance. A company is required to have a DPO if it processes or stores large amounts of EU citizen data, processes or stores special personal data, regularly monitors data subjects, or is a public authority.
Does GDPR Mean My US Business Can Be Fined?
The bottom line is YES, EU regulators can fine US companies for GDPR violations. For US companies that have a physical presence in the EU, GDPR will clearly be enforced directly by EU authorities. However, if a business does not have a physical presence in the EU, but the business is knowingly and actively conducting business in the EU and collecting data on EU citizens, EU courts can determine if a US company is violating GDPR regulation. If GDPR violations are identified, actions against any company outside the EU will be issued in accordance with international law.
We have to remember that the US and the EU have a very good relationship, meaning EU and US authorities will work in cooperation to enforce international laws. Additionally, the EU-US Privacy Shield data sharing agreement has been put in place for the EU to issue complaints and fines against US-based companies.
There are not, however, agreed-upon EU-US civil enforcement processes to enforce GDPR (there may not ever be), but the cooperation between the US and EU regarding international law enforcement means that violations of GDPR will be enforced upon US businesses. Inadvertent collection of EU citizens’ personal data may be forgiven if the violation is found to be occasional and “unlikely to result in a risk to the rights and freedoms of natural persons.”
The cost of violating GDPR regulations is very substantial: up to €20 million (approximately $24 million) or 4% of global revenue, whichever is higher.
If your organization stores, transmits, or processes personal data or behavioral information on EU citizens while they are in EU countries, or if you target EU citizens with marketing surveys or data collection, then your organization will be subject to GDPR. If those requirements do not apply to you, you will not be required to comply with GDPR requirements. However, all organizations should pay more attention to the requirements set forth by GDPR, as this new standard will only be a precursor to data and privacy protection standards both in the US and around the world.
Written by: Jon Waldman and Ronald Tortorello
SBS CyberSecurity, LLC
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.