Understanding the European Union's General Data Protection Regulation
What is the GDPR?
The European Union passed the General Data Protection Regulation (GDPR) on April 27, 2016. The new data privacy law replaces a directive from the 1990s and goes into effect on May 25, 2018, encompassing the 28 EU countries, including the United Kingdom. It applies to EU-based organizations as well as any businesses not located in the EU that offer goods or services within the EU or monitor the behavior of data subjects in the EU. For example, a U.S.-based company that does business indirectly in the EU through distribution but collects relevant personal data of channel partners and end users would be subject to the regulation.
Under the GDPR, data protection is by design and default, meaning that:
- Each new service or business process that makes use of personal data must take protection of that data into consideration
- The strictest privacy settings automatically apply once a customer acquires a new product or service
Consequences of GDPR
GDPR empowers supervisory authorities to assess fines and penalties that are effective, proportionate, and dissuasive. There are two tiers of maximum fines according to the GDPR, with assessment based on the severity of the infraction:
- 2% of the organization's revenue or €10M, whichever is higher
- 4% of the organization's revenue or €20M, whichever is higher
Individuals or businesses can also seek monetary damages in court from the organizations collecting their data (controllers) that violate their rights as well as from companies that actually process the data (data processors). With May 25, 2018, fast approaching, organizations are scrambling to ensure they are GDPR compliant.
Security Implications of GDPR and the Fortinet Security Fabric
The regulations require organizations to report data breaches within three days of their detection. Within the context of the GDPR, a data breach is the loss or compromise of personal data. A challenge many organizations face is that the time between the initial malware intrusion and the detection of the loss of data often spans weeks or months. This window of opportunity allows bad actors to distribute malicious code and botnets laterally and to gain a much deeper foothold across an organization's systems and data. However, the regulation also provides that if "the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons," it does not have to be reported.
Through its advanced threat prevention and detection capabilities, the Fortinet Security Fabric gives organizations the ability to close this window of opportunity. This reduces the likelihood of a data breach in the first place, minimizing it to the point where it does not have to be reported, and likewise reduces the likelihood of a corresponding fine.
With deep visibility into the infrastructure, including data, the Fortinet Security Fabric enables organizations to know where their data resides, as well as who and what are accessing it. As a result, in the event of an inspection following a data breach, they can demonstrate that they have robust privacy protections in place and have the ability to verify secure storage, use, and removal.