Can you avoid the headaches, costs, and resources needed to comply with the European GDPR regulation?
Aiming to territorially expand the protection of the data rights and privacy of people living in a European Union country, the new EU General Data Protection Regulation (“GDPR” or “the Regulation”) is one of the first global privacy laws affecting organizations all over the world.
Even if your business, nonprofit or governmental entity is US based, you may be subject to GDPR compliance requirements - and fines for non-compliance - taking effect on May 25th 2018.
As the enforceable date moves closer, US based businesses need to take a serious look at whether or not they are responsible for becoming GDPR compliant. To help you make the determination about the necessity to commit budget, time and resources for compliance, it’s important to dive into the Regulation’s Material Scope and Territorial Scope.
GDPR Material Scope
The Regulation applies to any organization that processes any personal data of an EU data subject, regardless of where the processing occurs.
The Regulation defines processing as:
“…any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
In comparison to the majority of the privacy laws that are currently in effect, the Regulation applies a much broader approach to what constitutes ‘personal data’. In general, most organizations view personal data to be sensitive in nature; information such as Social Security Numbers, Credit Card Numbers, or Protected Health Information (“PHI”).
However, GDPR refers to personal data as:
“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Essentially, the Regulation’s requirements apply to any information that can reasonably be traced back to a specific EU data subject.
GDPR Territorial Scope
As stated earlier, GDPR is effectively the first global privacy law. The Regulation explicitly states that it applies to the processing of personal data of EU data subjects “regardless of whether the processing takes place in the Union or not”.
It is important to note that this does not necessarily mean that processing of all EU personal data is automatically covered by the Regulation. The Regulation provides instances of where such processing would be covered.
The first instance is that the processing of covered personal data is performed by an organization established within the Union. This means that the organization’s operations are within the EU, thus any personal data processed will be covered by EU law.
The second instance is that the processing of covered personal data is performed by an organization located outside the Union, but where the processing relates to either:
“a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
In essence, the Regulation applies to both EU and non-EU organizations if they process covered personal data of EU citizens.
Controller vs. Processor
If your organization meets the criteria above, the Regulation views your organization as a ‘Controller’.
Controllers are organizations that interface with the data subjects and are responsible for (1) the collection of personal data from the data subjects, (2) establishing the purpose of the processing, and (3) ensuring the rights of data subjects are protected.
However, the Regulation identifies two types of covered organizations - controllers and processors. Here’s the other shoe dropping: processors must be GDPR compliant also.
Processors are third parties used by controllers to perform a portion of the processing of covered personal data. Controllers are responsible for ensuring that processors provide assurance that the data subject’s rights and protections reside within their portion of the processing.
What this means is that even though an organization may not directly offer services to the EU, or meet the territorial scope requirements, they can still be required to become compliant as a processor. If your organization provides services to a data controller involving the processing of covered personal data, your organization is required to demonstrate compliance with GDPR in order for your data controllers to be able to effectively maintain their compliance.
Why Is GDPR Compliance Important to U.S. Businesses?
U.S. businesses that process personal data obtained from data subjects within the Union and fail to comply with the Regulation face significant penalties, which can include administrative fines of up to 20 million Euros or 4% of their total worldwide annual turnover of the preceding financial year, whichever is higher.
U.S. businesses that are not compliant and provide services involving the processing of personal data to other organizations could potentially lose business with international clients. This would be caused by their inability to support the GDPR efforts of their clientele, who are explicitly required to ensure the compliance of any processors they use.
Freed Maxick Can Help You Become GDPR Compliant
Our team of privacy and security control experts will work with you and your organization to review your overall compliance with GDPR. By conducting a thorough examination of your organization’s privacy practices, we can help you navigate GDPR, identify weaknesses in your current processes, and advise you on the most effective and efficient ways to both achieve and maintain compliance.
Connect with us today by completing and submitting your request for a complimentary compliance assessment review, or email Peter.Schnorr@freedmaxick.com.
After years of preparation and debate, on May 25th 2018, the European Union’s General Data Protection Regulation (“EU GDPR” or “GDPR”) will go into effect and be fully enforceable.
The law’s primary objective is to protect all EU citizens’ data and privacy, as well as to standardize the responsibilities of in-scope data controllers and processors. The Regulation does not seek to impede the free movement of information, so as not to adversely affect the EU economy.
The EU GDPR replaces Data Protection Directive 95/46/EC. Prior to GDPR, each EU member state controlled implementation and enforcement of data protection laws. Key changes from the Directive include an increase to the territorial scope and the strengthening of the data subject’s rights.
The EU’s authoritative bodies designed and passed GDPR in an effort to harmonize enforcement across the union. Due to the GDPR’s status as a regulation, as opposed to a directive, member states no longer individually decide how to implement and enforce the law. Alternatively, the Regulation explicitly states how it must be implemented and enforced.
Major changes from the Directive to the GDPR include an increase in the territorial scope of the law. In terms of material scope, the Regulation applies to:
‘the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.’
This means the regulation applies to any processing of personal data of EU citizens, whether in an automated or manual fashion. By personal data, the law means any information relating to an identified or identifiable natural person. This data includes, but is not limited to:
- Identification numbers
- Location data
- Online identifiers, such as an IP address
- Physical, physiological, genetic, mental or any other health information
- Economic, cultural or the social identity of the natural person
The old Directive was only applicable to persons or entities located within the EU. However, one of the major changes of the GDPR is that the Regulation now applies to any person or entity that processes EU citizen data, regardless of the location of the person or entity.
The Regulation applies to entities outside of the Union if the processing of personal data is related to one of the following options:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
If you, or your organization, are responsible for either the offering of goods and services or the monitoring of the behavior of EU citizens that involves the processing of their personal data, your organization will be subject to this Regulation.
Data Processing Principles
The Regulation requires that all processing of covered personal data follow established principles including:
- Lawfulness, fairness and transparency – the data is collected and processed only when the data subject has given appropriate consent, it is necessary for the performance of a contract, is necessary for compliance with a legal obligation, or is vital to protect the interests of the data subject or the public
- Purpose limitation – the information is collected solely for the purpose established and agreed upon by all parties
- Data minimization – limited to what is necessary to complete the agreed upon processing
- Accuracy – the data is ensured to be accurate, and where necessary, kept up to date
- Storage limitation – the data is kept no longer than what is necessary for the purpose for which the personal data is being processed
- Integrity and confidentiality – the data is processed in a manner that ensures appropriate security of the personal data
GDPR Impact on US Companies
Under GDPR, organizations are accountable for reporting their covered processing activities to the applicable authorities, as well as being able to demonstrate their compliance with the Regulation. To be GDPR compliant, organizations must provide evidence of:
- Data protection by design and by default
- The creation and maintenance of a record of processing activities
- Security of the processing
- Data protection impact assessments and prior consultation
- The establishment of a data protection officer
- Codes of conduct and certification
GDPR’s Severe Fines and Penalties for Non-compliance
So why is this important to US Businesses?
Outside of the desire to keep customers’ personal data safe and private, US businesses that are not compliant with this Regulation may face significant penalties: administrative fines up to 20 million Euros, or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Freed Maxick Can Help Your US Business Become GDPR Compliant
Our team of privacy and security control experts will work with you and your organization to review your overall compliance with GDPR. By conducting a thorough examination of your organization’s privacy practices, we can help you navigate GDPR, identify weak areas in your current processes, and advise you on the most effective and efficient ways to achieve and maintain GDPR compliance.
As organizations across all industries continue to increase their investment in Information Technology (IT), they’re relying more and more on IT to perform day-to-day operations. IT is deeply integrated into the backbone of almost every organization, assisting with, or even performing, critical processes in an automated fashion. Because of this inherent dependence on information assets, funding for IT Disaster Recovery and Business Continuity Planning has also increased.
An IT Disaster Recovery Plan (DRP) documents the procedures and processes that an organization will follow in the event that critical technologies experience an outage. The DRP enables the organization to continue performing regular operations without the technology, while getting the technology up and running as quickly as possible. By conducting a Business Impact Analysis (BIA), an organization can improve their current IT Disaster Recovery Plan or efficiently create a new one from scratch.
The 3 Steps of a Business Impact Analysis
A Business Impact Analysis is a fundamental piece of an effective and comprehensive Disaster Recovery Plan. My recommended approach for developing a BIA is built upon the following three steps:
Develop a Comprehensive Understanding of the IT Environment
In order for an organization to implement a holistic IT Disaster Recovery Plan, it is essential that the organization have a comprehensive understanding of the various information assets utilized to achieve the organization’s mission.
As part of the BIA, an organization is required to obtain a thorough understanding of the IT environment. This is accomplished by meeting with each individual business unit and determining which technologies are essential for them to perform their day to day responsibilities. By cataloging the entire IT environment, organizations are then able to ensure that their IT Disaster Recovery Plan properly includes every system necessary to maintain operations and achieve its goals.
As an ancillary benefit, during this portion of the exercise, an organization may discover potential cost savings by identifying unnecessary or duplicate technologies.
Identify the Critical Technologies and Processes
Once the organization has cataloged the technologies that make up the IT environment, it must then rank the technologies based upon their criticality for achieving the organization’s mission and performing day-to-day operations. There are various ways to assess criticality, but it is important to ensure that the assessment is completed in a manner that allows the users of the analysis to consistently compare technologies across the organization.
An organization can achieve this goal by establishing uniform criteria by which each technology is assessed. For example, an organization should determine how technologies affect day-to-day operations (e.g. operationally, financially, legally) and then use a qualitative means for measuring how critical the technology is to that part of operations. An example of this would be a simple scale of 1 to 5, with 1 being no effect at all and 5 being absolutely necessary.
After all of the data from this portion of this exercise has been aggregated, the organization can qualitatively determine which technologies are the most and least critical for sustaining operations and achieving its mission. This allows them to confidently assign which technologies have a recovery priority in the event of a system outage.
Establish Clear Recovery Time Objectives and Recovery Point Objectives
With the critical technologies identified, users of the BIA, working in conjunction with business unit leads, will be able to easily identify appropriate Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs):
- Recovery Time Objective (RTO) – The targeted duration of time a system can be unavailable and must be restored before unacceptable impact to operations occurs.
- Recovery Point Objective (RPO) – The maximum targeted period in which data might be lost or unrecoverable due to system unavailability.
This can be easily done using the qualitative results of the BIA. The information assets with a higher criticality score will inherently have shorter RTOs and RPOs and will need to be recovered as soon as possible. Technologies that score low and have longer RTOs and RPOs will not have to be recovered as quickly. Once these have been established, the plan can be updated to clearly establish the order for system recovery and to identify how long the organization has to recover each system before its outage has a drastic negative impact on operations.
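The three BIA steps above (catalog the environment, score criticality on a uniform 1-to-5 scale per impact dimension, then derive RTOs and RPOs from the aggregated scores), as an added worked example in Python. This is not code from the original article or from Freed Maxick; the system catalog, the scores, the tier-to-RTO/RPO table, the rule of aggregating by the highest single dimension score, and the relaxation factor for systems with downtime procedures are all constructed assumptions for illustration.

```python
"""Worked Business Impact Analysis: catalog -> criticality -> recovery order -> RTO/RPO.

Added example; every system, score and threshold below is constructed.
"""
from dataclasses import dataclass

# Impact dimensions, each scored 1 (no effect at all) .. 5 (absolutely necessary).
DIMENSIONS = ("operational", "financial", "legal")

# Constructed tiers keyed by the highest dimension score: (label, RTO hours, RPO hours).
TIERS = {
    5: ("Tier 1", 4, 1),
    4: ("Tier 2", 24, 8),
    3: ("Tier 3", 72, 24),
    2: ("Tier 4", 168, 72),
    1: ("Tier 5", 336, 168),
}
# Assumption: a tested downtime procedure (e.g. paper fallback) doubles the tolerable RTO/RPO.
DOWNTIME_RELAXATION = 2


@dataclass
class Technology:
    name: str
    function: str            # what the system is for; used to spot duplicate technologies
    business_units: tuple    # who depends on it, from the environment catalog interviews
    scores: dict             # dimension -> 1..5
    downtime_procedure: bool = False


def validate(tech):
    """Enforce the uniform scale so scores are comparable across the organization."""
    for dim in DIMENSIONS:
        score = tech.scores.get(dim)
        if not isinstance(score, int) or not 1 <= score <= 5:
            raise ValueError(f"{tech.name}: {dim} score must be an int in 1..5, got {score!r}")


def criticality(tech):
    """Aggregate criticality as (highest dimension score, total score).

    Using the maximum rather than an average (an assumption of this example) stops
    a legally critical system with low operational impact from being averaged down.
    """
    validate(tech)
    values = [tech.scores[dim] for dim in DIMENSIONS]
    return max(values), sum(values)


def objectives(tech):
    """Map criticality to a tier and its RTO/RPO, relaxed if a downtime procedure exists."""
    top, _ = criticality(tech)
    tier, rto, rpo = TIERS[top]
    if tech.downtime_procedure:
        rto *= DOWNTIME_RELAXATION
        rpo *= DOWNTIME_RELAXATION
    return {"tier": tier, "rto_hours": rto, "rpo_hours": rpo}


def recovery_order(catalog):
    """Most critical first; among equals, systems without a fallback are recovered first."""
    def key(tech):
        top, total = criticality(tech)
        return (-top, -total, tech.downtime_procedure, tech.name)
    return sorted(catalog, key=key)


def duplicate_functions(catalog):
    """Ancillary finding: functions served by more than one technology (cost-saving candidates)."""
    by_function = {}
    for tech in catalog:
        by_function.setdefault(tech.function, []).append(tech.name)
    return {f: sorted(names) for f, names in by_function.items() if len(names) > 1}


# Constructed catalog, as would be gathered from business unit interviews.
CATALOG = [
    Technology("Order entry", "order management", ("Sales", "Fulfillment"),
               {"operational": 5, "financial": 5, "legal": 2}),
    Technology("Payroll", "payroll", ("HR", "Finance"),
               {"operational": 3, "financial": 4, "legal": 5}, downtime_procedure=True),
    Technology("Email", "messaging", ("All",),
               {"operational": 4, "financial": 2, "legal": 2}),
    Technology("Intranet wiki", "document storage", ("All",),
               {"operational": 2, "financial": 1, "legal": 1}),
    Technology("Legacy file share", "document storage", ("Engineering",),
               {"operational": 1, "financial": 1, "legal": 2}),
]

if __name__ == "__main__":
    for tech in recovery_order(CATALOG):
        print(f"{tech.name:20} {objectives(tech)}")
    print("Duplicate functions:", duplicate_functions(CATALOG))
```

Payroll and order entry both reach the top tier, but because payroll has a documented paper fallback it is recovered after order entry and is allowed twice the RTO and RPO, which is exactly the adjustment the downtime-procedure discussion calls for. The two document-storage systems surface as a consolidation candidate from the cataloging step.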
The BIA should also identify technologies and processes that have robust downtime procedures. Downtime procedures are established procedures an organization develops and executes when a technology or system experiences an outage. They allow the underlying process the technology was supporting to continue operating while the organization works to get the system back online (e.g. falling back to a paper-based process). Even if a technology is identified as critical, strong downtime procedures that are already in place allow it a longer RTO and RPO than a similarly ranked system that has none.
Talk to Freed Maxick About Disaster Recovery Plans and Business Impact Analysis
Organizations of all sizes and from all industries can benefit greatly from conducting a Business Impact Analysis. The analysis will ultimately allow the organization to identify all of the critical technologies in use and determine the priority in which they are recovered. Having these two invaluable pieces of information could ultimately save an organization from going under in the event of an IT disaster.
For a complimentary review of your situation and an assessment of how to bring a Business Impact Analysis into your IT Disaster Recovery Plan, contact me at Peter.Schnorr@freedmaxick.com or connect with me on LinkedIn.