The European Union (EU) adopted a new law in 2016 called the General Data Protection Regulation, or GDPR for short. It affects every company with customers residing in the EU. It comes into effect on May 25th 2018, which is just over a week away. But what does it mean, and should companies be worried?

What is the GDPR?

Firstly the GDPR addresses a number of key areas around the privacy of data for EU citizens, in relation to the storage, processing and handling of personal data. Personal data includes data that can identify an individual directly. This can include the following:

Name
Address
Contact Information
Date of Birth
Health Records
Photographs
Resumes
Driver’s Licence

Below is a very short and simple video introducing the GDPR legislation:

I’ve simplified and summarised the key points of the GDPR legislation below:

The customer has to give consent to the processing and usage of personal data. This can affect businesses who record calls as a matter of practice.
Each EU country will appoint an independent supervisor authority who will handle customer complaints relating to the storage and usage of their personal data.
Storing of personal data must be done in a way that does not automatically identify the data subject. This means techniques like encryption, tokenisation and masking need to be understood and how they can be applied to the data.
Companies have a maximum of 72 hours to declare that they have had a data breach.
Customers have the right to request erasure of their data. This means that businesses, including cloud providers, need to ensure they are using the appropriate security controls to remove that data. This can include using crypto-shredding, overwriting and encryption techniques.
Customers are also able to transfer their personal data from one system to another.
Automated decision-making, using techniques such as rules based scoring and artificial intelligence, is also under scrutiny. Customers have the right to question and fight such decisions.

The overall effect of the GDPR is to provide improved protection for EU citizens and to unify the laws across the EU. This puts onus on those businesses, including the cloud providers to ensure that data is processed fairly and in accordance with the law. There are a number of sanctions that can be enforced, depending on the nature of the breach:

Written warnings.
Periodic data protection audits.
Fines of up to €20m or 4% of revenue in the event of an infringement on the most significant provisions.

So what should companies do? Firstly they need to seek legal advice from an expert in European Union law to understand the potential impacts and next steps. Next steps are to perform an audit of their business processes and how they store data to understand their current state. Then they need to perform some analysis on the law, with their legal expert to interpret the law and create a series of overarching requirements. These requirements then need to be solidified into a series of solutions.

Here is a great example of how market-leading SaaS cloud provider Xero, are approacing their GDPR obligations in relation to their financial accounting package:

It’s very important to ensure that the IT, security, legal and operations departments are all working together closely to work through the issues and implement the solutions.

Want to know more about how you can secure your data and ensure you are following the latest best practices? Consider taking a Certified Cloud Security Professional certification, leading to an ISC2 examination. I’d be glad to coach you through your questions and help expand your knowledge of all things security.