Given that companies and institutes are increasingly storing sensitive data, the EU has decided to improve privacy safeguards for its citizens and strengthened its legislation.
From May 25, 2018, onwards, every entity that handles information on EU citizens must comply with the General Data Protection Regulation (GDPR).
What are the requirements of GDPR?
GDPR contains a broad set of stipulations, many of which are largely present in current national privacy laws. In many cases, it refines or extends rules that are already well-known to local companies. Here is a non-exhaustive list:
Privacy by design: Privacy protection must be integrated in the design of new environments. A Privacy Impact Assessment (PIA) should always be carried out to chart the risks.
Consent: Users must give explicit consent to the handling of their personal data in advance and must be able to withdraw it easily. The relevant procedure must be made clear to them.
Right to access: Everyone has the right to see which of their personal details an organization is storing. Organizations must make this information available free of charge.
Data portability: In view of the right to access, organizations must make the data transferable, so that a consumer can easily switch to another service provider.
Right to be forgotten: If someone wishes that their personal data no longer be used by an organization, the data should be erased (without prejudice to the legal obligation to store data for a certain duration).
Increased scope: GDPR imposes obligations on all organizations that process personal data belonging to EU citizens, even if they are based outside of Europe.
Penalties: Fines for each violation of GDPR can, in the most extreme cases, amount to up to four per cent of global turnover or €20 million.
Breach notification: As Dutch privacy law has required since 2016, data breaches must be reported to the authorities within 72 hours.
Data protection officer (DPO): It is mandatory for public authorities, and for entities that process special personal data and personal data on a large scale, to appoint a DPO.
What does this mean for you?
Owners of digital platforms almost always handle personal data. This includes contact forms on a website, the possibility to subscribe to a newsletter, or IP addresses recorded in logs. And if you handle personal data, you must comply with GDPR. The following steps can help in this:
a. Carry out a Privacy Impact Assessment (PIA) to see if you in fact handle personal data and the risks this represents, if any. There is a range of publicly available templates for this.
b. Chart the information flows, so you know which personal data is processed where. Don’t forget to take into account your suppliers.
c. If you handle personal data, consider whether you should appoint a data protection officer (DPO). Check that consent and users’ rights are safeguarded.
d. Make sure you keep active documentation, so that the actions and measures taken can be checked by management and supervisors even if you have not appointed a DPO.
a. Decide which technical and organizational measures you must take to ensure an appropriate security level. Use tools such as security standards or guidelines for this purpose.
b. Implement these measures. Make sure they are realized not only within the organization but also by suppliers via processor agreements.
c. Make sure that the measures are properly implemented and effective, for example through security scans or security audits. This maintains a continuous improvement cycle.
a. If things go wrong, analyze what happened and formulate an appropriate response. Take measures to reduce the impact as early as possible, for example by temporarily taking the online environment offline and displaying an error page to users.
b. Report data breaches to the authorities, and, if necessary, the affected persons, in time. Gather evidence and consider reporting any digital break-in or attack to the police.
c. Use your experiences to learn and to further improve the security of personal data. Adjust your actions based on the results.
Start the necessary preparations as soon as possible – after all, you must be ready by May 25, 2018. Implementing the roadmap is not in itself very complicated; it is mainly a matter of rolling up your sleeves and getting started. It is recommended to carry out both top-down (via the roadmap) and bottom-up (starting from the technology) plans. Some bottom-up quick wins include:
• Reviewing the security settings of the environment. This includes things like administrator access rights and firewall settings. If you are working in the cloud, you can use services such as AWS Inspector or Azure Security Center.
• Implementing additional technical security measures. If you work in the cloud, you can do this quite easily by activating Azure WAF or AWS WAF, which provide added protection for your environment.
• Starting with security scanning for insight into the current state of affairs. You can then fix any vulnerabilities you find, making the environment less prone to cyberattacks.
• Periodically checking cookies (and similar technologies), as these are often used to track and profile users. Ensure that permission is requested from users before cookies are deployed. These actions have the added value of helping comply with cookie legislation.
• Logging more information and storing it in a central location. This makes it easier to analyze incidents and also provides a basis for security monitoring of your environment. It likewise makes it easier to collect evidence in case of an attack.
Tomorrow's winners respect today's laws
My advice is to begin implementing GDPR-related measures as soon as possible. You should see this not as a burden but as an opportunity. If you do it well, you will not only avoid fines, but will also project dependability to your clients. Tomorrow’s winners (article in Dutch) respect today’s privacy laws!