The General Data Protection Regulation (GDPR) is now just three months away from taking effect. Many businesses, however, have been slow to act. A large number remain ignorant about how this new legislation will directly affect their companies. Here’s a look at the GDPR requirements that organizations must follow, and how encryption plays a role in helping meet those requirements.
The GDPR is a set of regulations that is intended to give European Union (EU) citizens and residents more control over how organizations use their information. It establishes a baseline level of personal rights and data protection that all EU citizens and residents (known as “data subjects”) can enjoy.
In particular, the GDPR requires that organizations notify individuals about how they process their personal data, and justify their reasons for collecting and storing this data. As soon as an organization cannot prove a direct business need for holding onto an individual’s data, they must delete it.
By treating data privacy as a fundamental right of EU citizens and residents, the GDPR represents a shift in mentality from how organizations have traditionally handled personal information. It restores power and control back to the data subjects, and places the responsibility on organizations themselves to protect and respect their information.
Although the EU Parliament passed the GDPR in April 2016, the measure won’t be enacted until May 25, 2018. However, with 11 chapters and 261 pages to sift through, reading the full text of the GDPR and understanding its effects will be a challenge for most organizations. The sooner you start planning for the GDPR, the better your business will be able to handle the transition.
The GDPR may be an EU regulation, but it has repercussions for companies and organizations worldwide. Even if you’re based in the US, the GDPR most likely applies to you. Any organization that does business with (and uses the personal data of) EU citizens and residents must comply with the terms of the GDPR.
What’s more, the penalties for GDPR noncompliance are steep. Organizations that fail to meet the GDPR requirements could face fines of up to 20 million euros (roughly $25 million USD) or four percent of their annual global revenue—whichever is greater.
These fines and penalties aren’t just for mishandling consumers’ data, however. Even if you have top-notch data security practices, you’re still obligated to report any data breaches to the affected individuals within 72 hours of discovering the breach.
Unfortunately, many organizations remain woefully unprepared for the GDPR to take effect. Fifty-nine percent of US employees have never even heard of the regulation. As the deadline draws nearer, management consulting firm Oliver Wyman predicts that the top 100 companies on the London Stock Exchange could face annual GDPR fines of up to £5 billion ($7 billion USD) if they fail to take action.
Even if you don’t think you can meet the deadline in May, it’s beneficial to start right now. The EU’s Office of the Data Protection Commissioner (ODPC) will enforce the GDPR. Organizations who make real efforts toward GDPR compliance, the ODPC has stated, will be treated more leniently than those who flagrantly violate the regulation.
Preparing for the GDPR in advance will give you a competitive advantage when you do business with partners and vendors. Now that EU customers have new expectations for their data, other companies will start to pointedly ask whether you’re GDPR compliant.
Becoming GDPR compliant will also be useful for understanding your internal data processes. You’ll have a better sense of what information is available to you, what you do with it, where you store it, and how long you keep it. Ultimately, with your data in a centralized location, preparing for GDPR compliance can help make your organization more efficient.
Although there are no explicit GDPR encryption requirements, the regulation does require you to enforce security measures and safeguards. The GDPR repeatedly highlights encryption and pseudonymization as “appropriate technical and organizational measures” of personal data security.
Encryption is a powerful technique for data security. It converts or encodes messages and information into an unintelligible format in such a way that only authorized parties can access it and those who are not authorized cannot. In order to perform this conversion, encryption software uses one or more cryptographic keys. Each key is a string of characters, such as letters and numbers, that converts/encrypts the original information, called plaintext, into an encrypted format called ciphertext. Ciphertext can only be read if decrypted. Encryption keys are also used to convert/decrypt ciphertext back into readable plaintext.
Because encryption renders information unreadable and unusable to people without a valid cryptographic key, GDPR encryption strategies can be extremely beneficial to your organization in the event of a data breach. Remember the requirement to notify affected customers within 72 hours? By encrypting your data, you won’t have to comply with this obligation. No information has technically been “breached” if the data is unintelligible to the attacker.
In combination with other measures, encryption can be a highly effective technique for GDPR compliance. If you’re already in the market for an encryption solution, we have some suggestions for the most important encryption features to look for when making your final decision.
To learn more about the GDPR and the implications for your organization once it goes into effect on May 25, read our new GDPR white paper.