The European Union’s (EU’s) General Data Protection Regulation (GDPR) goes into full effect May 25, 2018, and it applies to any company, worldwide, that processes or stores the personal data of EU residents. The new rules grant people more rights over how companies handle their personally identifiable information (PII) and impose heavy fines for non-compliance and data breaches: up to 4 percent of a company’s annual global turnover or €20 million, whichever is higher. The GDPR also requires companies to report data breaches to their supervisory authority within 72 hours of becoming aware of them.
Even if you don’t do business with the EU, the GDPR is likely to influence global security standards going forward. Consequently, companies operating in the EU or handling GDPR-covered data are hurrying to reach compliance before the deadline. For security teams, this means making sure that PII is adequately protected and that breach detection and reporting processes are in place, since the 72-hour clock starts only once a breach has been noticed.
As Brian Vecci, Technology Evangelist for Varonis, says, “Most companies aren’t prepared at all. You’ve got companies sitting in the Midwest of the United States that, because someone from the EU signed up for their newsletter, are suddenly subject to one of the most onerous privacy regulations ever. That’s what is so grand about the GDPR. It cuts across all verticals. It doesn’t just impact financial organizations, or hospitals. If you have PII from one of the 28 member states, then it impacts your organization.”
For good or bad, the GDPR does not prescribe specific data protection controls that an organization must implement. Article 32 calls for “appropriate technical and organisational measures” and names pseudonymisation and encryption as examples, but it does not mandate them. Each organization determines for itself which security controls are appropriate to the data it collects, the confidentiality that data requires and the associated risk.
Olivier Van Hoof, Pre-Sales Manager of Europe for Collibra, says GDPR starts with data governance: “You’ve got to put a data governance platform in place before you can really begin to secure the data. It’s a lot more than just technically securing the data. Most organizations are beginning by looking at their business processes first, then looking at the logical processes that collect the data, and then to the physical data itself. GDPR is also about understanding that the data is really owned by the individual. You’re really just hosting the data.”
What does GDPR mean by “personal” data?
The definition of personal data under the GDPR is very broad, far broader than most other countries’ current or earlier personal data protections. It covers any information relating to an identified or identifiable natural person, whether that information is private, public or professional in nature. It applies not only to names, addresses and financial information, but to anything that could identify an individual (e.g., IP addresses, logon IDs, biometric identifiers, geographic location data, video footage, customer loyalty histories, social media posts and photos). If it can be linked to a specific individual, it’s included. Pseudonymised data that can still be attributed to a person with the help of additional information remains personal data; only data that has been truly anonymised falls outside the regulation.