By Christopher Salone, MBA, Security Consultant, The Bonadio Group
A lot of buzz has been generated in the world of compliance, for good reason, regarding the recent implementation of the EU General Data Protection Regulation (GDPR). The new regulation went into effect in May 2018 and was designed to clear the haze around data privacy laws across Europe, with the protection and empowerment of the individual citizen in mind. Although the articles of the GDPR state that most of the regulation's policies and rules will not apply to small businesses, some important exceptions apply. Organizations that fall under the umbrella of GDPR will need to comply with it to avoid paying hefty fines, which can be up to 20 million euros. The time is now for your business to become familiar with GDPR and take the right steps to ensure compliance.
Under Article 30 of GDPR, a small business is defined as an organization with fewer than 250 employees. A small business that meets this criterion will not be directly bound to comply with GDPR. However, all businesses are required to be GDPR compliant if their data processing could affect the rights and freedoms of individuals living within the EU on a regular basis, if they process personal data on a regular basis, or if they process data that is covered by Article 9 of the GDPR. Specifically, Article 9 of GDPR states that “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”
While on the hot topic of consent, another big initiative of the GDPR is the right of the individual to withdraw consent as easily as they gave it. This is defined in Article 17 as the right to erasure, or the ‘right to be forgotten.’ An individual, at any given point, has the right to request that their data be erased without undue delay. An organization must honor the request to remove the individual’s data from its records, provided that the personal data is no longer necessary for the purpose it was processed and the organization has no other legal ground for processing it.
As a small business, even if your organization does not directly process data from individuals that warrants compliance with GDPR, you need to stay on your toes. If your company utilizes vendors and other third parties, it is important for you to ensure that they are compliant with GDPR, if applicable. Their compliance with GDPR is important to your business because any sanctions taken against the third party may disrupt the services they provide to you. This means that your business needs to make sure that contracts with third parties include all necessary requirements to ensure compliance with the GDPR.
With all of this information in mind, it may feel like your business is walking on eggshells with regard to GDPR compliance. Here are some first steps to consider to gain a better understanding of the regulation and how you can prepare:
- Research and learn about GDPR - Many online resources cover GDPR compliance and the hundreds of pages that make up the regulation. The official EU Commission website offers a convenient, user-friendly approach to the different facets of GDPR.
- Appoint a Data Privacy Officer - No matter the size of your organization, GDPR states that you must appoint a Data Privacy Officer (DPO) if you process data of an individual as outlined in Article 9, specifically if the data processed poses specific threats to an individual’s rights and freedoms (such as monitoring of individuals or processing of sensitive data or criminal records). The DPO’s main responsibility is assisting the organization in all issues related to the protection of personal data. The DPO can be a current staff member or someone hired from outside the organization.
- Organize, document, and track data - With the assistance of your DPO, it will be beneficial to consider all the ways that your organization may be collecting data from individuals. You will need to condense and organize this information so it is readily available to refer to when checking procedures such as proof of consent, as well as when handling individuals’ requests to be erased.
- Consider adding GDPR to your organization’s Security Awareness Training - No matter how many employees are within your organization, it is important that key individuals become well equipped to help the organization ensure GDPR compliance.
- Incorporate GDPR into your organization’s policies and procedures - Having a plan that is in writing and that your organization can rely on is a good step to ensure compliance with GDPR. For example, within GDPR it is stated that if a data breach were to occur, an organization has to notify the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach. It would be good practice to include the appropriate steps to report a breach in your organization’s incident response plan.
Since GDPR is intended to provide the individual with more control over the way their data is handled, small businesses need to comply in the same regard as their larger counterparts do. This is just one regulation that small organizations need to keep their eye on. With the prevalence of cloud computing, while GDPR may be within your scope of compliance, it is important to know that you may have multiple US-based privacy areas of concern as well. Depending on which industry you work in and the service you provide, data privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) may require actions similar to those under GDPR. The overarching rule is that the legal residence of the data owner is key and drives the state privacy and data security requirements that must be complied with, no matter where the business is located.
- EU Commission website:
- Article 9 of GDPR
- Article 17 of GDPR
- Article 30 of GDPR
- Recital 30 of GDPR