Light Dark
October 3, 2016 By Monique Altheim 4 min read
Data Protection

The new European Union (EU) privacy regulation, the General Data Protection Regulation (GDPR), will take effect in May 2018.

The GDPR is a very large and complex piece of legislation consisting of 173 recitals and 99 articles. In addition to a multitude of rules, the GDPR contains exemptions to the rules and exceptions to these exemptions. The GDPR is truly the new elephant in the room for any large, multinational organization.

While the GDPR builds on the data protection framework currently in force in EU member states, it tweaks some existing rules and adds a significant number of new obligations for organizations, as well as new rights for individuals. It also expands the territorial scope of its application to organizations established outside the EU as well as the material scope of its application for data controllers, only to both data controllers and data processors.

Read the Interactive Solution Brief: Ready, Set, GDPR

A Comprehensive Regulation

GDPR requirements apply to all business units, be it HR, marketing, product development, records management, vendor management, accounting or information security. They apply to the entire life cycle of personal data within those business units, from the moment of collection to the moment of deletion or archiving.

The GDPR addresses multiple privacy and security issues throughout the various life cycle stages of personal data. Most of these reiterate past rules, but some are new requirements. To be compliant with the GDPR, organizations need to know the answers to questions such as:

  • Does your organization have a legal basis for collecting and using personal data in each distinct processing unit?
  • Are the requirements for data minimization met?
  • Are secondary uses of the collected personal data compatible with its primary use (e.g., is data that was collected for fraud detection reused for marketing purposes)?
  • Does the organization exercise due diligence to make sure the collected data is accurate?
  • Does the organization adequately notify the data subject of the fact that personal data is being collected and used? Does it comply with the requirement to notify data subjects of a laundry list of additional information?
  • Is there a process in place to respond to the data subjects’ requests for access to or erasure of data within the prescribed time period?
  • Is the IT department ready to provide data portability?
  • Is adequate information security in place for the data subjects’ personal data, whether it is stored as structured or unstructured data and whether that data is at rest, in motion or in use?
  • Is there a data breach response protocol in place?
  • Are the many accountability and data governance requirements (e.g., documentation of processing activities, allocation of adequate resources, training of employees, ongoing risk assessments, data protection impact assessments and internal audits) in place?
  • Does the organization comply with the requirements for cross-border data transfers?

Reduced to Tiers

The GDPR introduced a tiered fine system for violations of its many compliance requirements. Some violations will incur fines up to 20 million euros or 4 percent of the company’s global annual turnover, whichever is higher. Examples of regulations that could incur high fines include:

  • Right of access, rectification and erasure;
  • Right to data portability; and
  • Cross-border transfers of personal data to a recipient in a third, non-EU country.

The fines will be somewhat smaller — up to 10 million euros or 2 percent of global annual sales — for less severe violations. Information security violations, for example, fall under this lower tier of fines.

The GDPR is a regulation with real teeth, and many organizations are looking for ways to become compliant by the May 2018 deadline.

The Elephant and the Blind Men

Unfortunately, many organizations seem to have adopted a siloed mindset regarding GDPR compliance. Both organizations offering GDPR solutions and organizations to which the GDPR is applicable tend to focus on one or two items, such a data breach response or data security.

The focus on information security is understandable, and security is certainly a key component of the GDPR’s comprehensive data protection framework. One must keep in mind, however, that other data protection requirements, such as providing right of access, rectification and erasure, or compliance with the cross-border data transfer restrictions, incur the largest fines in cases of violations.

By focusing only on one or two areas of GDPR compliance, organizations are acting like the blind men in the famous tale of the elephant and the blind men. This ancient story goes like this:

An elephant comes to town and a group of blind men decide to learn what it is like. They go to check out the elephant and each one feels a different body part. One blind man feels the elephant’s ear and declares, “An elephant is like a big fan.” Another blind man feels the elephant’s leg and says, “No way, an elephant is like a tree trunk.” Another blind man holds the trunk and says, “Nope, an elephant is like a thick snake.”

Then, a man with good eyesight takes the blind men to feel all the other parts of the elephant. The blind men, who before had only a limited understanding of the elephant, now realize that the elephant is composed of many parts.

So it is with the elephant-like GDPR. If organizations only focus on one part, they are acting like the blind men, who believed they understand what an elephant is by touching just one area. The blind men do not see the elephant as a whole. By focusing only on certain components, organizations risk noncompliance with many important aspects of the GDPR.

Preparing for the GDPR

Organizations must prepare for the GDPR not only at the information security data level, but also in terms of the multiple internal business processes, privacy requirements and internal governance requirements.

Ensuring comprehensive, cross-functional compliance with the multiple requirements of the GDPR may seem like a daunting task. However, a useful first step is to conduct a GDPR risk or readiness assessment. The assessment should:

  • Review all the organization’s business and governance policies and processes and compare them to the GDPR requirements.
  • Identify the organization’s potential risks for noncompliance in all assessed areas.
  • Create a road map for remediation of the identified compliance gaps.

A comprehensive and detailed assessment should identify all key data protection risks and pinpoint the remediation required to produce GDPR-compliant methods for handling personal data.

Read the Interactive Solution Brief: Ready, Set, GDPR

 |  |  |  | 
Monique Altheim
Managing Consultant Global Privacy, IBM

More from Data Protection
November 2, 2023

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

November 1, 2023

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

October 25, 2023

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature