Your GDPR Questions Answered
The General Data Protection Regulation (GDPR) aims primarily to give control back to EU citizens and residents over their personal data while standardizing the regulatory environment of international business. It becomes enforceable on May 25, 2018. Our CISO, Sean Atkinson, shared some information about GDPR compliance in a webinar. This blog post addresses some questions that were raised by webinar attendees.
What’s required by the GDPR?
The GDPR comprises several requirements, such as:
- Mandatory breach notifications: Organizations must respond to a breach quickly or face large fines
- The “Right To Be Forgotten”: The right of an EU citizen to have their personal data removed from a network, which requires the organization to have the “ability to be found” (to locate that data in the first place)
- Consumer profiling restrictions: Personal data should not be used without consent
- Right to Rectification: Users have a right to update personal data and correct inaccuracies
…and more. Check out our GDPR infographic for more details.
Which organizations are required to comply with GDPR?
GDPR compliance is required in most cases when an organization collects personal data, special personal data, or web data from EU citizens. Even if your organization is not based in the EU, if you collect information from EU citizens, GDPR will likely apply to your data collection processes.
What does GDPR mean for data warehousing and analysis? Is it no longer possible to store and analyze historical data?
Data can still be managed, stored, and analyzed. What organizations need to do is articulate why they need to process Personally Identifiable Information (PII), Personal Data, or Special Personal Data to do so. For example, an organization may need to use data to improve a service, or as a requirement to provide a product or service it offers. Organizations must explain to end users how their information is being used and for how long.
If your organization is outside the EU and not marketing to EU customers, do you still need to comply with GDPR? What if an EU citizen may be using your products or services outside of the EU?
In most cases, if your organization maintains EU citizen data, GDPR does apply. However, if your organization:
- can monitor and demonstrate that the data was collected outside of the EU from an EU citizen, and
- the individual in question is not going back to the EU, and
- your organization is not communicating with them while they are in the EU,
then GDPR does not apply. Keep in mind that it may be difficult to confirm where information was gathered. For complete guidelines, GDPR Article 3 and Recital 23 address territorial scope.
One such example would be a foreign exchange student from the EU studying in the United States. The university may gather information about this student in the U.S. If the student later returns to the EU and provides updated information as part of their account management process (phone number, address, etc.), and is contacted by an alumni outreach program, GDPR would apply.
What are the obligations of the DPO (Data Protection Officer) in non-EU based companies?
GDPR requires regulated entities to designate a DPO within their organization. The biggest differences for a non-EU DPO are the territorial scope and the risk assessment. The territorial scope is used to gauge whether any activity outside of the EU will incur or require communication with a person in the EU after the initial gathering of information. A risk assessment will review the lifecycle of the data gathered, as well as subsequent updates, communications, etc., with individuals whose territory may change over time. Because EU persons move in and out of territorial scope, the DPO will need to consider how EU citizens are allowed to update their personal data.
Regardless of location, all DPOs should understand how their organization collects data and maintains user privacy by performing a risk review that looks not only at GDPR compliance on May 25, 2018 but also at the entire data lifecycle. Because users may move in and out of territorial scope, risk-averse organizations will in some cases classify all personal data as requiring GDPR protections, regardless of where the individual is when the data is collected.
How can CIS help?
CIS offers a multitude of resources to help organizations improve their security and start on the path to compliance.
CIS Controls™: Prioritized security best practices and policy guidance to help organizations reduce their threat surface and defend against the vast majority of cyber attacks.
CIS Hardened Images: Pre-configured virtual images compliant with the CIS Benchmarks™ recommended configuration settings, available on AWS Marketplace, Google Cloud Platform, and Microsoft Azure.
CIS SecureSuite® Membership: Helps organizations rapidly implement secure CIS Benchmark recommendations with CIS-CAT Pro (configuration assessment tool) and remediation kits (GPOs for Windows and shell scripts for Linux).