Takeaways About GDPR

Circle May 25 on your calendar. That’s when the EU’s General Data Protection Regulation (GDPR) takes effect. And yes, GDPR is living up to its advanced billing as a Very Big Deal.

GDPR, which puts strict new requirements on how enterprises collect and use personal data, also applies to customer information that gets processed outside of the 28 member nations of the European Union.

Few people are more familiar with the impact of the looming changes in data-collection and handling practices than Ilias Chantzos. A former legal and policy officer in the Directorate General Information Society of the European Commission, Chantzos joined Symantec in 2004 to build its government affairs program.

We recently caught up with Chantzos to help gauge the ramifications of this turning point in the history of privacy and data regulation.

Q: Who is subject to the GDPR?

Chantzos: The GDPR regulates information governance within an organization, on top of addressing the protection of individual personal data. GDPR is applicable to all organizations within the European Union and can apply also to organizations outside the EU when certain conditions are met. For instance, if a company has a website that targets a European market, though there is no presence in the EU, the GDPR applies. It is critical to remember that GDPR applies when personal data are transferred outside of Europe and that GDPR does not just concern the data of customers but also of employees or business contacts (suppliers, partners).  You can determine how GDPR impacts your organization here, by taking this Symantec GDPR quiz to find out.

Q: What are the requirements around breach notice?

Chantzos: Data protection regulators have included security requirements in privacy legislation. GDPR makes those requirements much more detailed and stringent. Personal data needs to be effectively protected from malicious or accidental incidents that affect the confidentiality, integrity, availability or authenticity of the data. In case of a data breach organizations are expected to discover the breach and may be required to notify the data protection authority within 72 hours since its detection. Further notification of the individuals affected by the breach may also be required.

Q: What does the GDPR say about data transfers? What is the impact of shadow IT, where users are running rogue applications?

Chantzos: A company is expected to provide the same level of protection to personal data collected that are GDPR relevant irrespectively of where that data resides or where they get transferred. This includes data transfers that happen outside the European Union or the use of cloud computing or applications that employees or partners bring into the IT environment of an organization that is outside what the IT department has vetted and approved. The GDPR expects that the organizations will exercise accountable usage of technologies in a way that allows them to demonstrate compliance with GDPR and meet their privacy obligations.

Q: What is the risk of non-compliance with the GDPR?

Chantzos: This is a frequently asked question. All organizations want to better understand their GDPR risk and a lot depends on their business models and their level of compliance maturity. The penalties of non-compliance are several and apply to all organizations covered by GDPR – regardless of their global location. The GDPR foresees remedies such as the ability of a data protection authority to forbid a particular type of processing all the way to administrative fines up to twenty million Euros, or four percent of annual worldwide turnover (whichever is higher). The penalties however don’t take into account the detrimental impact to reputation and brand that such decisions may have on companies. On top of what the GDPR delivers, countries around the world in regions like Asia Pacific and America are currently considering or developing regulations that mirror the standards set in the GDPR for data protection.

Privacy law has been with us for a while. In Europe, there has been harmonized privacy legislation since 1995. In that sense GDPR is an evolution not a revolution. For organizations that have already significant compliance experience with privacy and cyber security requirements the GDPR will be a step up. However, for those with less experience it will create significant challenges and will require them to revisit their business processes.

If you found this information useful, you may also enjoy: 

• Article 84 of the GDPR Concerning Penalties
• GDPR for Dummies
• IDC Assessment