There’s been a lot of confusion—and frankly, a lot of vendor hype—about the European Union’s (EU) General Data Protection Regulation (GDPR). There is no doubt that GDPR is a very far-reaching legal initiative that will significantly change the way that many private and public sector organizations treat personally identifiable information (PII) and respond to data breaches. On the other hand, it’s safe to say that a majority of readers of this blog post work for organizations that will not be directly affected by GDPR. But the really tough question is, “How do you know if you’re naughty or nice in the eyes of Santa’s GDPR elves?”
To summarize the salient facts concerning GDPR, the regulation was enacted in 2016 and will come into full effect on May 25, 2018. Main provisions include the principle that EU residents own their personal data. This includes a requirement for organizations to secure explicit permission from individuals to collect, process, transact, or store PII. Individuals also have the right to demand that an organization stop using their personal data and purge it from their systems—known as “the right to be forgotten.” Subject organizations must also publicly report data breaches touching PII within 72 hours after their discovery.
Much of the confusion and concern over GDPR results from the fact that, as with any new government regulation, it’s not clear which organizations are impacted by it and what changes impacted organizations need to make in their operations to comply with the regulation. And while it seems obvious that GDPR applies to businesses domiciled in the EU, non-EU-based businesses can also fall under GDPR requirements.
Fortunately, the law firm of White and Case has published a flowchart, reproduced below, that gives a pretty good indication of whether your organization might be subject to GDPR. The balance of this post walks through some of the more important questions the flowchart poses.
Do you possess PII from anywhere in relation to any individual, of any nationality? If not, you and your organization are off the hook.
Is your organization established in one or more EU member states? “Established” means either headquartered or maintaining a physical presence in the EU. “Yes” means your organization is fully subject to GDPR. A “No” answer leads to additional qualifying questions; from this point on, a “Yes” answer does not settle the matter by itself but leads to further decision-point questions.
Does your organization offer goods and/or services to EU residents? Just because an EU resident walks into your business in the U.S. or orders goods online for delivery to an EU address does not automatically subject your organization to GDPR. If, however, you actively engage with EU customers or stakeholders by setting up an EU domain name, accepting EU member currencies (Euros, Kroner, Pounds, Zloty, etc.), or communicating in local languages, you likely fall under the jurisdiction of the GDPR.
Does your organization monitor the behavior of EU residents? This is a particularly tricky question, as many organizations track leads, use website cookies, or employ a customer relationship management (CRM) database to collect data on EU residents, including PII, that could fall within the scope of GDPR. Additional complexity arises when a Software-as-a-Service (SaaS) provider is in the mix: if the provider collects, processes, and stores PII, it is unclear whether the organization engaging it for the service or the SaaS provider itself is liable. In general, the organization collecting and using the data will be liable, but for greater certainty on this point, organizations should ask any SaaS providers with which they engage how their offerings relate to GDPR.
The long and short of it is that if you can unambiguously answer “No” to key questions, GDPR most likely does not apply to you. If your “Yes” answers lead to full or partial applicability of GDPR to your organization, however, then you should contact a qualified lawyer or IT consultant to assess your exposure to GDPR.
If you find yourself staring into the possibility of meeting GDPR requirements next May, what then? You should first perform an audit to document what PII your organization receives from others and/or collects on its own behalf, and how that data is used, processed, stored, transferred, or shared with others. Next, you should review your cybersecurity posture—technologies and processes—to determine if your organization can meet the 72-hour data breach reporting requirement in GDPR.
In addition to the flowchart above, White and Case also published a GDPR handbook that offers a more detailed treatment. If you determine that your organization is impacted by GDPR, you can also check our eBook “Data Security Under GDPR: How to Prepare for the Inevitable” for guidance.
The advent of GDPR should not be a cause for panic. In most cases, non-EU businesses can breathe easier about their exposure to the regulation. Nonetheless, GDPR does reflect growing public concern about data privacy and reduced tolerance for cybersecurity fails by organizations serving EU citizens. Even if GDPR doesn’t apply to you, it’s a good idea to bear in mind what it portends as we head into 2018 and as the public becomes more discerning and demanding about how their PII is treated.
We do not explicitly endorse White and Case as counsel for any matters related to GDPR or cybersecurity. Neither do they explicitly endorse Fortinet. But we think we know useful information when we see it.