General Data Protection Regulation

The European Union Legislative Process

What may not be immediately obvious to parties based outside of the EU is that this new regulatory regime applies to all companies worldwide that trade in the EU and deal with EU customers online. If you have customers or partners that operate within the EU’s borders, you need to learn about GDPR today and start taking steps quickly to bring your business into compliance with it, or face heavy economic penalties that could adversely affect your company’s ability to profitably conduct business there.

Imagine being fined €10 million or 2% of your annual global revenue, whichever is greater, for failure to comply with GDPR.

GDPR’s focus is on protecting the individual privacy rights of EU citizens, and compared to previous EU privacy legislation it greatly expands the definition of what constitutes personal, private data to include not just financial, government and medical records, but also genetic, cultural, and social information. Businesses must now gain the explicit consent of an individual before using their personal data, and must also honor their “right to be forgotten”, i.e., to have all personal data held by the business deleted at the user’s request.

Businesses must also meet a number of new requirements to demonstrate their ongoing compliance with GDPR, appointing one individual responsible for the company’s GDPR issues (the so-called “Data Protection Officer”), reporting on any and all data breach incidents, and storing personal data within the physical confines of the EU. The latter reflects the EU’s concerns that countries outside the EU do not have similarly high standards for the data privacy of individual citizens, and that data stored outside the EU is at greater risk of surveillance by government intelligence agencies and criminal actors.

Understanding GDPR Through the Lens of Sarbanes-Oxley (SOX)

For IT professionals of a certain age, the challenges presented by GDPR compliance may be reminiscent of the USA’s Sarbanes-Oxley Act (SOX) from the early 2000s. Like GDPR, SOX was a strict new regulatory regime imposed on all types and sizes of companies. Although it was imposed unilaterally by the United States for businesses operating within its borders, it represented such a huge market that companies around the world were affected. Like the EU with GDPR, the US created an aggressive timeline for compliance and enforced its regulations with hefty fines. And just as GDPR is doing now, SOX created a lot of confusion and anxiety among the businesses under its scrutiny, particularly around the costs of compliance.

In other respects, IT professionals in 2017 and 2018 have it easier than their early-21st-century counterparts. For instance, businesses have access to better technology today to support reporting requirements, proving to authorities that they have the requisite policies, controls, and procedures in place to support GDPR compliance. Governance, risk management, and compliance (GRC) control frameworks have evolved significantly over the last decade, as has the discipline of policy lifecycle management. Thanks in part to regulations like SOX and the 1995 EU Data Protection Directive, companies have a better handle on privacy impact assessment and data access governance. Greatly improved, more automated tools for data breach monitoring, reporting and mitigation are now available.

But the world has also evolved since the days of SOX in ways that complicate GDPR compliance. Data storage has increased massively in speed, volume, diversity of media (including cloud storage) and complexity.

The universe of IT security threats to data, from both criminals and state actors, has likewise gotten exponentially more sophisticated and threatening.

GDPR compliance has implications for privacy impact assessment, data access governance, and data breach notification and resolution, topics which we will not address here. This paper instead focuses on GDPR compliance specifically as it relates to the secure storage and protection of active data, including data archiving and deletion.

GDPR General Terminology

To understand GDPR as it relates to data storage and data protection, it is useful to understand the following basic terminology:

  • Personal data breach: “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Businesses must report every data breach incident to “the supervisory authority” within 72 hours of becoming aware of it.
  • Processor: A commercial business like a cloud service provider that acts as a contractor to a controller, i.e., another business serving EU citizens that captures sensitive data on individuals. Examples include application hosters, storage providers, and providers of cloud services like backup.
  • Right to be forgotten: The right of every EU citizen “to have his or her personal data erased and no longer processed.” Individuals may request the deletion of all of their personal data stored on a controller’s servers. There remains some ambiguity on this particular issue. Does a request to be forgotten also require removal of data from backups (problematic in serial backup media like tape)? What happens when a right to be forgotten request conflicts with a business’s data retention policies for archiving and legal purposes?
  • Controller: A business operating within the EU — or outside of the EU but dealing with EU residents — that captures sensitive data about EU residents in the course of its operations. Examples include: a business accepting online orders, addresses, and payment card information from consumers; a healthcare provider that maintains patient records. (See below for help in determining whether your business functions as a processor or a controller.)
  • Data subject: A citizen of the EU who is identifiable by their personal data. This may include a consumer making an online purchase, a patient of a healthcare system, a citizen accessing online government services, or a user of social media applications: any individual providing personal information to use some service.
  • Personal data: “Any information relating to an identified or identifiable natural person.” This is more broadly defined by the EU than by other governments and includes the EU citizen’s name, email address, social media posts, physical, physiological, or genetic information, medical information, location, bank details, IP address, cookies, and cultural identity.
