The General Data Protection Regulation (GDPR) is a regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU. The regulation was adopted on April 27 2016 and enters into application May 25 2018 after a two-year transition period. Unlike a Directive, it does not require any enabling legislation to be passed by governments.
Why the GDPR Extends Beyond the EU
The GDPR has global reach because not only companies with a physical presence in Europe will be subject to its requirements – the broad terms of the regulation mean that any company with a website offering goods or services (including cloud services) to citizens of the EU may be subject to the regulation. The regulation does not apply to the processing of personal data for national security activities or law enforcement.
What’s Different from Previous Regulations?
This is a significant change from the previous law, which most courts generally agree only maintains jurisdiction over companies with an established business in a particular state. The law will impose significantly greater fines for data breaches (up to 4% of annual global revenue), require Privacy Impact Assessments (PIAs), privacy and security “by design,” inventories and data mapping of personal information across your business systems, and mandatory appointments of Data Protection Officers (DPOs). You also need to prove that your organization is doing all of these things. This is not a small undertaking – it will require a major shift for many companies, including those that already have a privacy program.
GDPR obligations set forth many scenarios where better connection between the Chief Privacy Officer (CPO), Chief Information Security Officer (CISO), IT, and Chief Information Officer (CIO) will be needed. At a high level, increased obligations include:
- Tighter data protection principles (consent, transparency, notice)
- Profiling rules
- Privacy by Design
- Breach notification – to Data Protection Authorities (DPAs) and individuals
- Direct obligations and liability for processor
- Accountability – privacy program
- Internal record of processing
- Appointment of a DPO
GDPR expands the definition of personal information to be any information related to a natural person, or “data subject,” that can be used to directly or indirectly identify the person. It can be anything from a name, photo, email address, bank details, posts on social networking websites, medical information, or a computer IP address. Sensitive personal information (while not clearly defined) may include data about medical conditions, religious or political affiliation, or data that could be used to discriminate against an individual.
What are Organizations Around the World Doing to Prepare?
AvePoint also has a number of resources to help our customers with the IT, security, and data protection requirements related to the GDPR. You can learn all about them by visiting our GDPR page.
About the AvePoint/CIPL GDPR Benchmark Report
The objective of the survey was to help organizations benchmark and prepare their GDPR implementation as well as change management programs. Our questions focused on key change areas and topics of the GDPR that relate most to everyday business and compliance concerns.
The survey respondents totaled 223, with predominantly multinational organizations. According to respondents, 93% of organizations operate in Europe, more than half operate in the US, and less than half operate in South America and Asia. The telecommunication and technology companies were the most highly represented of the total respondents, followed by insurance and financial services, as well as pharmaceutical and healthcare sectors. The survey respondents were a mix of both controllers and processors with slightly more controllers (57%controllers, 43% processors). Finally, organizations’ annual revenue size ranged from less than $1 million to more than $100 billion.
The survey reveals that most companies have started the process of assessing the impact of GDPR on their operations, devising an organization-wide implementation plan, and evaluating the need for additional resources. We observed the following key trends:
- GDPR Impact: Respondents believe that the aspects of the GDPR that will have the largest impact on their organizations are the requirements for a comprehensive privacy management program, use and contracting with processors, as well as data security and breach notification. As expected, senior management is most concerned about the GDPR’s enhanced sanction regime and the data breach notification requirements, as well as how the regulation will impact their data strategy and ability to use data.
- GDPR Readiness: Organizations appear to be in varying stages of preparation for the GDPR. While most have appointed a DPO, many organizations are either increasing resources in preparation or in the process of considering additional resources to meet the increased obligations under the GDPR.
- Compliance Technology Tools and Software: Currently, organizations do not appear to use widely or have access to technology tools and software to aid with data privacy compliance tasks. Only a minority of organizations use technology to automate and industrialize their DPIAs, data classification and tagging policies, data processing inventories, and delivery of the new data portability right.
- Joined up Approach to GDPR Implementation: Because of interdependences between data privacy compliance, IT systems and infrastructure, and organizations’ data strategy, GDPR implementation should be a company-wide change management program, with a concerted effort from senior leadership, including the DPO, CISO, CIO, CDO and GC.
Below are some interesting stats from our report:
Security Design Assessment (SDA):
- 59% conduct SDA on new IT systems, and 41% conduct SDA on existing IT systems
- But 3 out of 4 organizations do it manually
Data Protection Impact Assessment (DPIA):
- More than 50% conduct DPIAs for projects involving high risk to individual privacy, or large scale processing of sensitive data with both automated and manual methods.
- Only over a third (36.3%) of organizations have a framework and procedures for identifying and classifying different risks to individuals.
- Less than a quarter of organizations use in-house or commercial automated system for DPIAs.
Privacy by design:
- Less than half (40.5%) incorporate Privacy by Design for new projects, and 42.4% do it in some instances only.
“Less than one third (32.9%) of organizations tag sensitive data.” – via The GDPR Benchmark Report by @AvePoint_Inc
Data Lifecycle Management:
- Nearly 40% do not know how data is treated or processed throughout its lifespan.
- More than 40% are data processors who need to evaluate how to maintain records of all processing activities.
- Almost a half have internal data inventory or record of processing.
- 60% have inventories of international data transfers.
- But a fifth do not have any data inventories.
- A quarter do not have internal records of processing with information required by GDPR.
To receive a full copy of the report please visit AvePoint.com/GDPR.