Companies that collect data on citizens in European Union (EU) countries need to comply with strict new rules around protecting customer data. The General Data Protection Regulation (GDPR) sets a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to maintain compliance.

Compliance will raise concerns and create new expectations for security teams. For example, the GDPR takes a wide view of what constitutes personal identification information. Companies will need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address and Social Security number.

The GDPR leaves much to interpretation. It says that companies must provide a “reasonable” level of protection for personal data, for example, but does not define what constitutes “reasonable.” This gives the GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance.

Time is running out to meet the deadline, so CSO has compiled what any business needs to know about the GDPR, along with advice for meeting its requirements. Many of the requirements do not relate directly to information security, but the processes and system changes needed to comply could affect existing security systems and protocols.

What is the GDPR?

The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995. It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU.

The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. However, that standard is quite high and will require most companies to make a large investment to meet and to administer.

Why does the GDPR exist?

The short answer to that question is public concern over privacy. Europe in general has long had more stringent rules around how companies use the personal data of its citizens. The GDPR replaces the EU’s Data Protection Directive, which went into effect in 1995. This was well before the internet became the online business hub that it is today. Consequently, the directive is outdated and does not address many ways in which data is stored, collected and transferred today.

How real is the public concern over privacy? It is significant, and it grows with every new high-profile data breach. According to the RSA Data Privacy & Security Report, for which RSA surveyed 7,500 consumers in France, Germany, Italy, the UK and the U.S., 80% of consumers said lost banking and financial data is a top concern. Lost security information (e.g., passwords) and identity information (e.g., passports or driving license) were cited as a concern by 76% of the respondents.

An alarming statistic for companies that deal with consumer data is the 62% of the respondents to the RSA report who say they would blame the company for their lost data in the event of a breach, not the hacker. The report’s authors concluded that, “As consumers become better informed, they expect more transparency and responsiveness from the stewards of their data.”

Lack of trust in how companies treat their personal information has led some consumers to take their own countermeasures. According to the report, 41% of the respondents said they intentionally falsify data when signing up for services online. Security concerns, a wish to avoid unwanted marketing, and the risk of having their data resold were among their top reasons.

The report also shows that consumers will not easily forgive a company once a breach exposing their personal data occurs. Seventy-two percent of US respondents said they would boycott a company that appeared to disregard the protection of their data. Fifty percent of all respondents said they would be more likely to shop at a company that could prove it takes data protection seriously.

“As businesses continue their digital transformations, making greater use of digital assets, services, and big data, they must also be accountable for monitoring and protecting that data on a daily basis,” concluded the report.

What types of privacy data does the GDPR protect?

Which companies does the GDPR affect?

Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are:

A new survey conducted by Propeller Insights and sponsored by Netsparker Ltd. asked executives which industries would be most affected by GDPR. Most (53%) saw the technology sector as most affected, followed by online retailers (45%), software companies (44%), financial services (37%), online services/SaaS (34%), and retail/consumer packaged goods (33%).

Who within my company will be responsible for compliance?

The GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor and the data protection officer (DPO). The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.

Data processors may be the internal groups that maintain and process personal data records or any outsourcing firm that performs all or part of those activities. The GDPR holds processors liable for breaches or non-compliance. It’s possible, then, that both your company and a processing partner such as a cloud provider will be liable for penalties even if the fault is entirely on the processing partner.

The GDPR requires the controller and the processor to designate a DPO to oversee data security strategy and GDPR compliance. Companies are required to have a DPO if they process or store large amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a public authority. Some public entities such as law enforcement may be exempt from the DPO requirement.

According to the Propeller Insights survey, 82% of responding companies say they already have a DPO on staff, although 77% plan to hire a new or replacement DPO prior to the May 25 deadline. That hiring doesn’t stop with the DPO. About 55% of the survey’s respondents reported that they had recruited at least six new employees to achieve GDPR compliance.

How does the GDPR affect third-party and customer contracts?

The GDPR places equal liability on data controllers (the organization that owns the data) and data processors (outside organizations that help manage that data). A third-party processor not in compliance means your organization is not in compliance. The new regulation also has strict rules for reporting breaches that everyone in the chain must be able to comply with. Organizations must also inform customers of their rights under GDPR.

What this means is that all existing contracts with processors (e.g., cloud providers, SaaS vendors, or payroll service providers) and customers need to spell out responsibilities. The revised contracts also need to define consistent processes for how data is managed and protected, and how breaches are reported.

“The largest exercise is on the procurement side of the house—your third-party vendors, your sourcing relationships that are processing data on your behalf,” says Mathew Lewis, global head of banking and regulatory practice at legal service provider Axiom. “There’s a whole grouping of vendors that have access to this personal data and GDPR lays out very clearly that you need to ensure that all of those third parties are adhering to GDPR and processing the data accordingly.”

Client contracts also need to reflect the regulatory changes, says Lewis. “Client contracts take a number of different forms, whether they are online click-throughs or formal agreements where you make commitments to how you view, access, and process data.”

Before those contracts can be revised, business leaders, IT, and security teams need to understand how the data is stored and processed and agree on a compliant process for reporting. “A pretty sizable exercise is required by the technology groups, the CISO, and data governance team to understand what data fits within the firm, where it’s being stored or processed, and where it’s being exported outside the company. Once you understand those data flows and the impact on the business, you can start to identify the vendors you need to be most focused on both from an information security perspective, how you manage those relationships going forward, and how you memorialize that in the contract itself,” says Lewis.

The GDPR might also change the mindset of business and security teams toward data. Most companies see their data and the processes they use to mine it as an asset, but that perception will change, says Lewis. “Given GDPR’s explicit consent and firms needing to be much more granular in their understanding of data and data flows, there’s a whole set of liabilities that now exist with the accumulation of data,” says Lewis. “That’s quite a different frame of mind both for legal and compliance, but maybe more important for the way the business thinks about the accumulation and usage of that data and for information security groups and how they think about managing that data.”

“Data is leaving the firm in all kinds of ways,” says Lewis. “While the CISO and the technology groups need to be able to track all of that, you also need to put protection in place.” Those protections need to be spelled out in the contract so the outside firms understand what they can and cannot do with the data.

Lewis notes that going through the process of defining obligations and responsibilities prepares a company to handle GDPR compliance operationally. “If one of your vendors says, ‘You were hacked last night,’ did they know who to call and how to respond as part of meeting the regulatory requirements?” he says.

The 72-hour reporting window that the GDPR requires makes it especially important that vendors know how to properly report a breach. “If a vendor was hacked and you’re one of thousands of clients, do they notify your procurement department or an account person or someone in accounts receivables? It could come in all kinds of ways,” says Lewis.

You want a clearly defined path in the contract for the information to get to the person in your organization responsible for reporting the breach. “A regulator is not going to say you shouldn’t have had a breach. They are going to say you should have had the policies, procedures, and response structure in place to solve for that quickly,” says Lewis.

Larger companies might have thousands of contracts to update. Complicating that challenge is that it needs to be done late in the compliance process. Before you can define obligations and responsibilities, you must know exactly what data you have, where and how it is processed, and the data flows. “That’s left a lot of institutions racing toward the deadline trying to complete the technical and operational issues and having to play catch-up on putting the right contract in place to enforce that. A lot of firms have not done any renegotiation of contract terms.”

That raises the question: What happens if the contracts aren’t all in place by the May deadline? Lewis sees several risks to not completing the contracts:

What happens if my company is not in compliance with the GDPR?

The GDPR allows for steep penalties of up to €20 million or 4% of global annual turnover, whichever is higher, for non-compliance. However, most of the fines imposed so far have been relatively small.

According to GDPR Enforcement Tracker, the EU has issued 282 fines as of May 29, 2000. The vast majority of those fines are in the low thousands to tens of thousands of euros. The largest fine has been against Google, imposed in January for €50 million, according to DLA Piper’s GDPR Data Breach Survey from January 2020. That fine was issued for lack of transparency and valid consent.

Regulators have admitted that they do not have the resources to handle the volume of reported breaches they’ve received, so it will take time for identifiable precedents to be established. Adding to that uncertainty is the perceived inconsistency of applying fines among the different ICOs. “Ask two different regulators how GDPR fines should be calculated and you will get two different answers. We are years away from having legal certainty on this crucial question,” said Patrick Van Eecke, chair of DLA Piper’s international data protection practice, in the company’s report.

For now, the ability to show a good-faith effort to comply should protect companies from harsh penalties. In a speech in 2018, Liz Denham, the UK information commissioner, had this to say to organizations concerned about GDPR fines:

“…I hope by now you know that enforcement is a last resort.... Hefty fines will be reserved for those organizations that persistently, deliberately or negligently flout the law. Those organizations that self-report, engage with us to resolve issues, and demonstrate an effective accountability arrangement can expect this to be a factor when we consider any regulatory action.”

Which GDPR requirements will affect my company?

The GDPR requirements will force U.S. companies to change the way they process, store, and protect customers’ personal data. For example, companies will be allowed to store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, and companies must erase personal data upon request.

That last item is also known as the right to be forgotten. There are some exceptions. For example, GDPR does not supersede any legal requirement that an organization maintain certain data. This would include HIPAA health record requirements.

Several requirements will directly affect security teams. One is that companies must be able to provide a “reasonable” level of data protection and privacy to EU citizens. What the GDPR means by “reasonable” is not well defined.

What could be a challenging requirement is that companies must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected. Another requirement, performing impact assessments, is intended to help mitigate the risk of breaches by identifying vulnerabilities and how to address them.

For a more complete description of GDPR requirements, see “What are the GDPR requirements?”

What does a successful GDPR project look like?

It’s hard to imagine a company that will be more affected by GDPR than ADP. The company provides cloud-based human capital management (HCM) and business outsourcing services to more than 650,000 companies globally. ADP holds PII for millions of people around the world, and its clients expect the company to be GDPR compliant and to help them do the same. If ADP is found non-compliant with GDPR, it risks not only fines but loss of business from clients expecting ADP to have them covered.

ADP’s global focus and scale have in some ways been an advantage. It already adheres to existing privacy and security regulations, so the leap to GDPR compliance is not as high as it might have been. “We are already familiar with privacy laws in Europe. We are not starting from scratch with GDPR,” says Cecile Georges, chief privacy officer for ADP. “GDPR triggers the need for us to comply not just as a company, but also as a service provider. We help our clients comply with GDPR.”

Despite ADP being better prepared than many other companies, Georges says its GDPR project is large and global. It began about a year ago, but the project builds on earlier work. “We started even before GDPR was discussed,” she says. The company began data flow mapping and privacy assessments on new products several years ago.

Georges sees the early start on data flow mapping as key. “If we had not started the data flow mapping a long time ago, I would be less confident than I am speaking to you now,” she says. “Data flow mapping is required to do inventory of products, and processing PII is a first step to data protection impact assessments that are required. We’ve also implemented privacy by design in our new offers and products.” She adds that ADP supports its “privacy by design” policy with training for its developers.

ADP’s GDPR project pulls in people from many areas of the company, and Georges believes this is necessary for success. “We are involved in the organization, all the operations, and the functional groups. It’s not just a pure privacy or compliance project. It really involves the entire organization and we are coordinating with project managers across the company to make sure we implement the right processes across the organization,” she says.

Mechanisms for securing PII such as encryption are already in place at ADP. “From a security standpoint we came to the conclusion that it’s more about communicating with our clients, making sure they have the right information about what we are doing,” says Georges. “They may have to convey that message to their employees or to their own clients.”

Because ADP is a data processor for other companies, ADP has taken the optional step of defining Binding Corporate Rules around protecting PII. “With the implementation of Binding Corporate Rules as a data processor, we hope that our customers understand that we want to make their lives easier and we commit to protect their personal data in accordance with the standards required in the EU, regardless of where the European data is processed, accessed, or hosted,” says Georges.

Georges says she hears from other companies that aren’t yet on track for GDPR compliance. “The clock is starting to tick,” she says. “If a company has not started to look into what they need to do, they first need to understand what it means for them in terms of their business. Understand first to what extent they are affected by the new regulation and then do a gap analysis. That is the starting point of any project to assess what they need to do.”

She also encourages companies to take an operational approach. “My recommendation is to have representatives of all the functions in the organization and not consider it a pure privacy or pure legal compliance project,” Georges says. “It would take too much time for operations to understand exactly what they need to do, whereas if you involve them from the beginning they can tell a lawyer or privacy professional, ‘We are already doing this,’ or ‘Technically, we can’t do this, but this is how we can address this requirement.’”

“There are different ways of applying GDPR depending on your business and the tools you have in place. The business people can assess that,” says Georges. “Once they have done the assessment and decided what to do, then they have to document what they are doing.” Georges is referring to the GDPR’s accountability principle, which requires companies to document how they’ve become compliant. “The documentation piece will be key.”

What should my company be doing to stay GDPR compliant?

If your organization is not confident of its regulatory compliance status, and you have determined a significant risk from non-compliance, following these steps can get you on the right path.

Set a sense of urgency that comes from top management: Risk management company Marsh stresses the importance of executive leadership in prioritizing cyber preparedness. Compliance with global data hygiene standards is part of that preparedness.

Involve all the stakeholders: IT alone is ill-prepared to meet GDPR requirements. Start a task force that includes marketing, finance, sales, operations—any group within the organization that collects, analyzes, or otherwise makes use of customers’ PII. With representation on a GDPR task force, they can better share information that will be useful to those implementing the technical and procedural changes needed, and they will be better prepared to deal with any impact on their teams.

Conduct periodic risk assessments: You want to know what data you store and process on EU citizens and understand the risks around it. Remember, the risk assessment must also outline measures taken to mitigate that risk. A key element of this assessment will be to uncover all shadow IT that might be collecting and storing PII. Shadow IT and smaller point solutions represent the greatest risk for non-compliance; ignore them at your own peril.

And there are a lot of them. According to Matt Fisher, IT thought leader and senior vice president at Snow Software, more than 39,000 applications are known to hold personal data. “The iceberg effect poses a serious risk to organizations’ GDPR compliance as many are focused on the 10% of applications holding personal data that are visible at the water’s surface,” he says.

Fisher cites the change in how organizations allocate their IT and technology spend, with business units expected to own about half of it by 2020. “As IT teams lose sight of the applications in use across the organization, they lack overarching visibility into the applications that could threaten GDPR compliance,” he says.

“Getting started [on the risk assessment] is the biggest obstacle,” Fisher says. “As a first course of action, organizations must get a full picture of their entire IT infrastructure and inventory all applications in their estates. This, coupled with specific insight about which applications can process personal data, dramatically minimizes the scope of the project as well as the time spent on it. Suddenly, the impossible becomes possible.”

Hire or appoint a DPO if you haven’t already done so: The GDPR does not say whether the DPO needs to be a discrete position, so presumably a company may assign the role to someone who already holds a similar position, as long as that person can ensure the protection of PII with no conflict of interest. Otherwise, you will need to hire a DPO. Depending on the organization, that DPO might not need to be full-time. In that case, a virtual DPO is an option. GDPR rules allow a DPO to work for multiple organizations, so a virtual DPO would be like a consultant who works as needed.

Create and maintain a data protection plan: Most companies already have a plan in place, but they will need to review and update it to ensure that it aligns with GDPR requirements. Review and update it periodically.

Don’t forget about mobile: According to a survey of IT and security executives by Lookout, Inc., 64% of employees access customer, partner, and employee PII using mobile devices. That creates a unique set of risks for GDPR non-compliance. For example, 81% of the survey respondents said that most employees are approved to install personal apps on the devices used for work purposes, even if it’s their own device. If any of those apps access and store PII, they must do so in a GDPR-compliant manner. That’s tough to control, especially when you factor in all the unauthorized apps employees use.

Document your GDPR compliance progress: “With the clock ticking, organizations must demonstrate that they are making progress against completing the Record of Processing Activities (RoPA)—article 30 of the GDPR regulation which is centered around taking inventory of risky applications—to avoid being an easy target for regulators,” says Fisher. “Establishing the RoPA is the essential piece to focus on at this stage in the game as it enables organizations to identify where personal data is being processed, who is processing it and how it is being processed.”

Implement measures to mitigate risk: Once you’ve identified the risks and how to mitigate them, you must put those measures into place. For most companies, that means revising existing risk mitigation measures. “Upon taking inventory of applications and completing the RoPA, the GDPR team can now spot and investigate any risks associated with the data and determine the appropriate level of security deemed necessary to protect that data,” says Fisher.

If your organization is small, ask for help if needed: Smaller companies will be affected by GDPR, some more significantly than others. They may not have the resources needed to meet requirements. Outside resources are available to provide advice and technical experts to help them through the process and minimize internal disruption.

Test incident response plans: The GDPR requires that companies report breaches within 72 hours. How well the response teams minimize the damage will directly affect the company’s risk of fines for the breach. Make sure you can adequately report and respond within the time period.

Set up a process for ongoing assessment: You want to ensure that you remain in compliance, and that will require monitoring and continuous improvement. Some companies are considering incentives and penalties to ensure that employees follow the new policies. According to a survey by Veritas Technologies, 47% of respondents will likely add mandatory GDPR policy observances to employee contracts. Twenty-five percent might withhold bonuses or benefits if a GDPR violation occurs, and 34% say they will reward employees for complying with GDPR.

Do all of this with an eye to improving your business: According to a survey by Varonis Systems, 74% of respondents believe that complying with GDPR requirements will be a competitive advantage. Compliance will boost consumer confidence. More importantly, the technical and process improvements necessary to meet GDPR requirements should enable efficiencies in how organizations manage and secure data.