A Practical Guide for GDPR Compliance

Being non-compliant with GDPR will be very expensive. In addition to other financial consequences, there are two tiers of regulatory fines, the more expensive of which is a fine of up to €20 million or four percent of the organization's annual worldwide turnover, whichever is higher. Compliance with the GDPR must also be continual, since a failed audit can have damaging financial consequences. Consult Hyperion has estimated that European financial firms alone may face GDPR-related fines of $5.3 billion in the first three years after the GDPR becomes effective.

ABOUT THIS WHITE PAPER

This white paper was sponsored by Quest. Information about the company is provided at the end of this paper.

WHY IS THE GDPR IMPORTANT?

The General Data Protection Regulation (GDPR) is the newly harmonized European-wide regulation that mandates the protection of data about people living in the European Union by every organization that controls or processes data on people in the EU, regardless of where in the world that organization is located. Its correct name is Regulation (EU) 2016/689, and it updates, replaces, and extends the protections previously afforded through the earlier 1995 directive on data privacy (Directive 95/46/EC). Protections for the personal data of individuals involved in criminal proceedings are excluded from the GDPR; the protection regime for such circumstances is outlined in a complementary directive (Directive (EU) 2016/680) and is beyond the scope of this paper.

The new GDPR is important for several reasons:

• It almost certainly applies to you. If your organization controls or processes data on people living in the European Union – even if your organization is not located in the EU – it applies.
• It has a significant bite, in the form of sky-high regulatory fines for non-compliance. If you meet the test of applicability for the GDPR, you cannot opt out of complying.
• It touches every data process in organizations that collect or process personal data on people, and it covers both direct and indirect data identifiers in every data system.
• It forces organizations to know and understand their data from a 360-degree perspective. Organizations that process EU citizen data will need to know where it is being processed and who is processing and storing it, and demonstrate the ability to "erase" it no matter where it lives.
• It demands greater transparency with people on how their data is collected and processed, and introduces notification requirements when personal data is breached. There are reputational consequences of getting this wrong, particularly in light of the fact that during the previous 12 months, 47 percent of the organizations surveyed for this white paper have suffered a breach of customers' or other personal data, employees' personal data, corporate intellectual property, or other sensitive or confidential information.
• There is now no cost associated with requests from data subjects, which makes it more likely that many more individuals will make demands about the information held about them.
• You are running out of time. GDPR was signed into law just over a year ago (via publication in the EU Official Journal in early May 2016), and will be enforced starting May 25, 2018.

If your organization controls or processes data on people living in the European Union – even if your organization is not located in the EU – [the GDPR] applies.

The earlier Directive on data privacy came into force in 1995, just as the Internet was beginning its adoption trajectory. One of the driving reasons for the new GDPR was to strengthen data protection requirements in light of an increasingly global and interconnected world, and the regulators took an interesting path. Instead of regulating territorially on organizations within the EU, it shifted the focus to where data subjects reside. This subtle shift means GDPR applies to the personal data of data subjects in the EU (territorially), but has borderless applicability to organizations. The test is no longer whether your organization is in the EU, but rather whether your organization collects or processes the personal data of people who are in the EU. Specifically:

• Article 23 lists key tests of applicability for organizations not located in the EU. The primary test is that "the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment." However, "mere accessibility" of an organization's website or email address is not sufficient to establish the intent of offering goods or services; whereas factors such as the use of a currency generally used in a member state, and listing customers located in the Union on your website, do establish that intention.
• Article 24 offers a second key test of applicability: when an organization controls or processes data for monitoring the behavior of people that happens within the EU. Specific actions include tracking on the internet, "profiling" based on past actions, and "analyzing or predicting ... personal preferences, behaviors and attitudes." If your organization does this for people within the EU, GDPR applies regardless of where you are located.
• With the UK's vote in 2016 to leave the European Union, there has been some discussion about the applicability of GDPR. There are two answers. First, the Data Protection Act is the UK law for data protection, and if the UK does leave the Union, the GDPR will not apply to data subjects and personal data within the UK. Second, the GDPR does apply to Europe, and any UK firm that wants to sell into the EU Single Market will have to comply with GDPR requirements. Individual firms can upgrade their data protection approaches to the GDPR mandates, in addition to whatever regulatory reform is undertaken in the UK to provide equivalent data protection standards.

In closing, GDPR is coming fast, it almost certainly applies to your organization, and the consequences of getting it wrong are severe. The positive consequences of getting it right are equally significant, including a strong foundation for working with businesses in Europe, a clear understanding of consumer preferences, and strong internal data protection and security controls that foster trust with customers and partners alike.

ON THE PRIVACY OF PERSONAL DATA IN THE EU

"Privacy" of personal data has been an essential concept in European law since 1995, when the Directive on data privacy was introduced. As a directive, however, it did not directly mandate data privacy protections for EU Member States, as each State had the freedom to include the recommended privacy protections in its own laws. This freedom led to nuances and differences in data privacy regulations across