What You Need to Know about GDPR

GDPR, the European Union’s General Data Protection Regulation, goes into full effect in May 2018. Yet many organizations aren’t ready to comply – or even thinking they need to comply.

We gathered the common myths and misperceptions about this data protection law and compiled the answers you need to better understand the requirements and support your compliance efforts.  comply with GDPR requirements.

My organization is in the US, so GDPR doesn’t apply to me.

This is the biggest misconception out there. GDPR doesn’t apply based on the geography of your enterprise. Rather, the data regulation is based on the location of your users or customers. So if you exchange emails with EU residents or have site visitors, customers, users, etc., who reside there, you must comply with the regulations. Read the full text of the GDPR regulation. And if you don’t take adequate measures and something goes wrong, you may be subjected to hefty fines.

What is “personal data” anyway?

The GDPR defines “personal data” as “any information relating to an identified or identifiable natural person...who can be identified, directly or indirectly... by reference to an identifier.” This includes personally identifiable information, personally identifiable financial information and personal health information, plus:

• Name
• Identification numbers
• Location data
• Physical, genetic and mental information
• Cultural and social data

Previously collected personal data that’s been completely anonymized and cannot be re-identified to an individual is excluded.

“Children merit specific protection,” the regulation’s authors wrote, “as they may be less aware of the risks, consequences, and safeguards concerned and their rights in relation to the processing of personal data.” Specific protections apply to organizations using minors’ personal information for marketing, creating personality or user profiles, or offering services/products directly to young people. 

GDPR strengthens data security with new permissions for gathering, accessing and using all this personal data, too. You need to post your policy for data collection and use simple language and enable affirmative or express consent. Article 4(11) states that consent must be “by a statement or by a clear affirmative action”, and prohibits making consent a condition of participation. The days of auto opt-out are over.

I’ve never had a data breach before, I’m sure I’ll be fine.

“You mean, ‘I haven’t had a data breach yet’,” says Mimecast expert Dan Sloshberg. “All businesses are being targeted by cybercriminals. If you hold valuable data – personal data, IP, customer data and others – you are a target. Small businesses with 250 or fewer employees are being targeted too. In fact, 43% of cyber attacks target smaller organizations, up from 18% in 2011.”

Also at risk: nonprofits, healthcare organizations, and educational institutions including K-12 school districts, colleges, and universities. Learn more about data breach prevention.

Email remains the number-one attack vector with over 90% of attacks starting in your inbox – and it frequently includes a massive amount of personal data.

“Email was never built to be inherently secure, therefore, it’s a weak link and open to exploit,” Sloshberg cautions. “Email security is key, but this protection must go beyond spam and virus controls.”

Ultimately, whether or not you invest GDPR compliance comes down to risk. “Some organizations may be willing to take on greater risk than others,” Sloshberg says. “The key criterion is to determine what the potential fallout would be if the worst does happen – you suffer a breach and personal data is stolen. What would it cost to clean up versus protect against in the first place? Can you put a price on the reputational damage that will occur? What impact will that have on business operations and finances?” Understanding your cyber resilience capability is critical.

What do I really need to lock down?

Because GDPR focuses on the protection of personal data, and not just data privacy, compliance requires more concerted effort.

You must be able to:

• Demonstrate GDPR compliance across organizational and technological operations, including specific requirements for data processors and data controllers (see Articles 24 and 28).
• Establish a legal basis for processing personal data, based on six categories outlined in Article 6. You must be able to defend the processing and be able to comply with any request to stop processing when consent is withdrawn or was found to never have been given.
• Produce a record of processing activities. Article 30 requires that processors and controllers must be able to document how each piece of data was processed, including how and why it was processed, who sees the data after processing and more.
• Announce breaches within 72 hours of discovering them, except in a handful of exempt situations outlined in Article 33 of the data protection act. Requirements for alerting affected individuals are listed in Article 34.
• Appoint a data protection officer. Organizations that process personal data and/or sensitive personal data on a regular and systematic basis must have a designated professional in charge of data protection. See Articles 37-39 for details.

How do I even start preparing for GDPR?

The challenge is putting in the right processes and technology to protect and manage personal data when budget and IT skills and resources are generally tighter than ever before. Learn more about creating an action plan by downloading the GDPR Readiness Kit.

Because email is an easy target, email security is a good starting point. Your plan must include advanced protection against email security threats like ransomware and impersonation attacks, which use malicious links designed to steal credentials, weaponized attachments to drop malware behind the firewall or deploy social engineering to trick targets into divulging sensitive data. Sloshberg recommends deploying a cloud email service,  which updates automatically based on new threats.

You also need to look at your email archives, since GDPR has requirements for locating personal information quickly. “Once found, data must be easy to export and even delete if requested,” he explains. “Cloud archiving provides the scale and speed needed to deliver on these requirements. A native cloud solution designed for speed, accuracy, and ease of access is key.”