The GDPR, One Year In
The EU’s General Data Protection Regulation – or GDPR – has now been in force for a year. Because of the ongoing impact, it has on business, this first anniversary is a good opportunity to step back and reexamine GDPR in terms of why it exists and what it calls for, as well as look at a couple of notable non-compliance cases that have already been brought to serve as a reminder – and a warning.
What is GDPR?
GDPR is a European Union regulation designed to protect “the fundamental rights and freedoms of natural persons.” In particular, it aims to uphold those rights by protecting the personal data of EU citizens: How personal data is collected, what is collected, how it is processed, and how it is secured are all components of GDPR, and all incumbent upon businesses to properly manage.
In addition to the business requirement to properly manage data collection and processing, GDPR also grants certain rights to individuals. Among others, the rights granted include:
- The right to be informed of data collection
- The right to specifically consent — or not — to data collection and processing
- The right to access personal data
- The right to amend incorrect personal data
- The right to restrict processing of personal data
- The right to portability of personal data
Further, individuals also have the right to the erasure of their data – which is more commonly known as “the right to be forgotten.” GDPR affords individuals this right in a variety of circumstances, including when an individual simply withdraws consent for a company to have and process their data, but also provides some limited constraints on this right for data that are held pursuant to legal, public health, or other issues.
What does GDPR Compliance Entail?
On the business side, GDPR breaks down organizations’ data handlers into two distinct categories: Controllers, and Processors.
The controller can be thought of as a kind of manager and compliance officer – a sort of Chief GDPR Officer if you will. It’s the controller’s job to assess what data is collected and for what purpose, and to further assess the various risks and possibilities that the personal data under their control could be breached or mishandled and thus violate GDPR. With those understandings in place, it’s then incumbent on the controller to implement all of the measures, both organizationally and technically, that are necessary to protect the data – and thus the persons whose data it is – in accordance with GDPR. Finally, along with implementing and overseeing all of the data safeguards, it’s also a requirement of GDPR that the controller is able to prove compliance.
If all of that sounds very managerial, it is. Every organization will of course be different, but controllers might be managers of data-focused IT departments, at the lowest level, or anything on up to a C-level executive.
A processor, as the name suggests, is the entity that actually works with the data. Some companies process their own data entirely in-house, while others will outsource data processing to a third party. Each organization manages data processing differently, based on its unique organizational and business needs. Regardless of whether the processor is internal or external, though, GDPR places them under the direct authority of the controller, and they must be able to guarantee and to demonstrate to the controller that they are capable of meeting all GDPR requirements.
All work done by a processor for a controller must be governed by a contract or other formal agreement that codifies the nature, purpose, and duration of the processing work. Additionally, there are several other requirements that processors must meet:
- They can only process data at the request of the controller
- They must have a commitment to confidentiality
- They must ensure that they can document compliance
- They must assist the controller in allowing for the exercise of the individual rights discussed above
- They must either delete or return the data to the controller at the conclusion of the specified processing
GDPR and Data Security
Both controllers and processors of data are bound by GDPR to ensure that security measures to protect data are in place at risk-appropriate levels, where the risks that must be assessed include loss, alteration, and unauthorized access to or disclosure of data. GDPR acknowledges the fact that new threats will always be emerging, and that the state of the art will also be evolving. It thus does not attempt to prescribe specific technical measures that must be taken – but it does lay out some general requirements:
- Personal data should be pseudonymized and encrypted, where possible
- Controller and processors should always maintain the confidentiality, integrity, and availability of their data
- Availability should be quickly restorable in the event of systems failures
- There should be ongoing testing and assessment of data security, both technically and organizationally
Who must comply with GDPR?
GDPR applies when an organization – either a controller or processor – is in the EU. Just as importantly, though, it also applies in most instances when a person subject to data collection and processing is located in the EU – which is why many companies in America and elsewhere around the world have had to become GDPR-compliant as well.
The Cost of Non-Compliance with GDPR
For situations of non-compliance, GDPR distinguishes between damages and penalties – and in keeping with its principle that personal data privacy is an essential right, it takes them both very seriously. Persons who have been damaged by violations of the GDPR are entitled to receive full and effective compensation for all damages – with the additional requirement that “the concept of damage should be broadly interpreted… in a manner that fully reflects the objectives of this Regulation.”
And aside from owing damages to individuals, violators of GDPR are also subject to administrative fines and penalties. The baseline penalty for serious violations is 20,000,000 EUR, but can go as high as 4% of annual turnover if the violator is part of an “undertaking.” It’s a little complicated because it’s a little vague — but essentially an undertaking means that if the violator is under the control of, for example, a large parent company, then the 4% maximum fine can be assessed against the combined turnover of the violator and the parent company.
Notable Non-Compliance Violations of the GDPR
The biggest fine assessed to date is the 50,000,000 EUR fine that was levied against Google for its failure to truly gain informed consent from individuals before collecting and processing their data to be used for ad targeting, among other purposes. Although Google did have an “I consent” checkbox, the French supervisory agency that levied the fine felt that, given the complexity of Google’s operations and data processes, individuals could not truly understand what they were consenting to – and thus GDPR was violated.
You might also notice that the 50,000,000 EUR fine exceeds the 20,000,000 EUR maximum referred to above – and that’s because Google EU is owned and controlled by Alphabet, Google’s holding company, and is, therefore, part of an undertaking. Theoretically, at least, the French authority could have gone as high as 4% of all of Alphabet’s annual turnover, which would be in the billions – so Google should be happy that the fine was only 50,000,000 EUR.
The second-largest fine to date was a 400,000 EUR fine levied against a Portuguese hospital that did not have proper data security protocols and procedures in place.
For example, there were more “doctor” accounts with access to patient records than there were doctors at the hospital – 300% more, in fact. Doctor accounts also had access to all patient records in the hospital database, regardless of whether those records were relevant – and to make it worse, 9 IT employees in the hospital also had full access to all patient data.
GDPR: One Year On
A year has passed since GDPR became law. In that time, we’ve seen companies around the world implement the controls necessary to comply, and we’ve seen enforcement actions against companies that haven’t. For many organizations, complying with GDPR has forced them to take a hard look at their internal processes, with new ways of thinking and acting.
That said, the basic fundamentals of data security have not changed. Obviously, the Portuguese hospital violated the GDPR requirement that unauthorized access be guarded against. But more than a GDPR violation, allowing blanket account access to privileged information is a violation of basic cybersecurity principles, which stress that access to data should be granted only to the right person, at the right time, and in the right circumstances – a process known as Privileged Access Management, or PAM. We view access to data as a privilege, not a right – and just like GDPR, we also understand that privacy is an essential right that organizations must protect. That’s why we build tools that help companies provide that privacy and remain in compliance seamlessly and efficiently – and be able to demonstrate that compliance – with GDPR and many other international and sector-specific IT security regulations.