A Year Since GDPR, Are You Compliant Yet?

“Hurry up. The discount sale is almost up!”

How often have you received an email like this one? And how often do you not recognize the name of the company behind this email?

Businesses thrive on personal data to get the word out. Marketing emails, sales calls, all of them are from people who want to reach out to you with a hope that you would be interested in their business. This isn’t a bad thing. It is how you get acquainted with companies you weren’t aware of before, and it is how they sustain themselves too.

The question, rather than why they reach out to you, should be, how did they get to know about you? How did they receive this data? It’s not like you go on the streets, screaming your email ID and numbers. Even if you are hibernating from socializing with the world outside your four walls, if you have an internet connection and sign up for websites, then tag, you’re it.

Now, let’s come back to your data. It is important to understand that this data, be it your email address, phone number, or even sensitive information like your social security number, state ID number, all of these are yours, and solely yours. Any information of yours, which is required by businesses, do need your consent for utilization. In theory, this has been the understanding, but with limited regulations around it.

But the landscape of data is changing. Data breaches are happening by the minute. In accordance with this and the topic of consent came General Data Protection Regulation (GDPR). By now, all of us have heard of this term looming around. In this read, let’s discuss what GDPR is all about, it’s repercussions, and what you should be doing to be compliant if you aren’t already.

What is GDPR?

GDPR is the new European Union privacy regulation enforced from May 25th, 2018. It defines how you must handle the data of EU citizens. Be it in the EU or outside the union and the hefty fines it levies when one fails to comply with this regulation.

Some of the terms defined under GDPR which help understand it are:

• Personal data’ is any information that is related to an individual or as they say, ‘data subject.’ This information can be linked or even linkable information. This is a big difference from the US definition of personal data, which is PII. Under GDPR, even cookies, IP addresses, behavior data, sexual preference, bills are all personal data and cannot be utilized unless the user consents to it (more on consent later).
• ‘Processing’ the data refers to the operations and actions carried out on the personal data.
• ‘Controller’ is the “natural or legal person, public authority, agency or other body which, alone or jointly with others,” defines the purpose and how the processing of data has to take place.

GDPR revolves around these three terms primarily.

It explicitly describes how you must manage the data of EU citizens. It questions business how information is stored, why it is stored, and importantly, what is stored.

This is not a legal guide to GDPR, but this will help you in understanding it further and how you can stay in the clear from any fines. Because the implications of going astray from GDPR is no joke, you can be slapped with a penalty which is equivalent to 4% of your annual turnover of the previous year, or $20 million, whichever is greater. Among the first giants to receive this was Google, with a fine of $57 million!

If you thought that was a huge number, British Airways was fined with $230 million and Marriott £99.2 million U.S. $124 million under GDPR.

A year late to the party—by December 2018, only 50% of the companies believed they were GDPR ready.

Although the word was out by 2016, which gave businesses two years worth of time to be prepared and compliant—whether it was lack of awareness, clarity, or seriousness—in 2018, companies were still trying to fit the pieces together and have been scrambling to stay compliant.

Let’s try to solve that; after all, knowledge is power.

What are the citizen rights under GDPR?

1. The right to access: by this, the data subjects are entitled to obtain answers to questions like why is the information required, to whom has it, or will it be disclosed. They can even receive access to it. The controller must provide it with a nominal administrative cost if needed.
2. The right to be informed: by this, the individuals are entitled to know when and what data you want to utilize, the important word here, is consent. They must know beforehand you want to use their data, even if it is an email address, and must agree to you using it.
3. The right to be forgotten: the individual can dictate when and how you must forgo their data.
4. The right to rectification: any data that an individual wants to be corrected, it is well within their rights to demand it.
5. The right to data portability: they can demand their information be transferred for their use or even from one controller to the other without any friction from anybody.
6.  The right to restrict processing: this means if you have individuals data, they can still demand that you don’t process it in any way—you can even store it.
7. The right to object: at any given time, the individuals can stop the processing of their information in any way, they must also be aware that this is well within their rights before you even utilize their data.
8. The right to be notified: if and when there is a data breach, the individuals whose data you possess must be notified of it. The timeframe given by GSPR is within the first 72 hours of your awareness of the situation.

Now that you can know what their rights are let’s understand what principles you must be in line with. A simple message to opt-out of any marketing emails is not enough. Strenuous efforts have to be made for you to stay in accordance with it.

Principles of GDPR

1. You have to be lawful, fair and transparent
   This is essentially the essence of GDPR. You have to act lawfully, utilize the data with the same ideology. The purpose of data processing must be fair and transparent. The individual must be aware of the data being used and of all their rights to have this data removed.
2. The data processing must be limited to the purpose
   If you require an individual’s email and name for a blog subscription, then that’s all the data you can acquire. Anything more than this, signifies you are acting against the principle, if you do need more, it must be justifiable. The data you collect has to be purpose-driven.
3. Data minimization
   The data you acquire, in line with the previous principle, must be acquired to the bare minimum. In case there is a breach, the hackers would only get the minimum information you possess. It is a win-win.
4. The data has to remain accurate
   The information you possess about the individuals has to be factually correct. If they demand it be corrected, then you have to oblige to the change or delete within 30 days.
5. Limiting the storage of data
   This states that you maintain a timeframe up to which the data is stored, which is usually as long as the individual is your customer.
6. Integrity and confidentiality have to be maintained
   This deals with how well you secure the data. Methods like encryption, and pseudonymize the data you have is essential and a no-brainer in this case.

The $20,000 question, are you compliant?

Now that you know what are the rights within the EU citizens, and what principles you must adhere to, can you answer this question? Are you compliant, or are you one data breach away from being fined?

If you aren’t, you can take a deep breath because there are several solutions using which you can ensure you are. And no, the answer isn’t cutting all ties with the citizens of EU or dumping your current data, although that’s one way to look at it.

• The simple step of defining privacy policy can be a place where you can start. Define what your policies are, how do you store and utilize data, take the first step.
• The simple tick box, which gives power to the user to either agree to marketing emails from you or not, is an essential aspect of being compliant. The fact that their data can be stored shouldn’t just be implied. It has to be explicitly stated.
• International standards like ISO/IEC 27001 are GDPR are GDPR approved tools to ensure you are regulated. Such certifications allow you to upgrade your security with stringent policies.

Privacy by design with Identity Management

The term privacy by design means that privacy is not an add on in your organization, but it is deep-rooted into your architecture and functionalities.

Article 25 of the GDPR says, “the data has to be the least privilege protected by design and by default. And you can’t do that without first understanding where it is and who can access it.”

There is no better way to understand who-has-access-to-what besides an Identity Management solution. The IAM domain revolves around this principle of making security a core aspect of the business.

• Authenticate everything and everyone: Everyone who wants access to your ecosystem must be authenticated. Not just by a simple password, but with multiple levels. These levels also must be upgraded based on the risk associated with the resource access, and by comparing a login request to the preset level of the individual’s behavior. Tools like multi-factor authentication, adaptive MFA, are your answers.
• Role-based policies: any access to your applications, resources like files, and documents must be streamlined and defined adequately. These can be determined based on the roles, governed regularly, and the access must be removed once the person is no longer associated with you.
• Access certification: these campaigns of certification must be carried out regularly. This ensures that no ‘orphan account’ is left for a hacker to take over, leaving you vulnerable.

GDPR is definitely a stringent regulation with severe repercussions, but the end of the day, it is to ensure that the upper hand lies with you and your users and not a bad actor. After GDPR, the California Consumer Privacy Act (CCPA) was signed in June 2018. More so, businesses have spent $8 billion on GDPR prep. This is a start to make security the prime focus in businesses, not only to avoid fines but to remain secure as well.

Remaining compliant with regulations like GDPR not only shows that you can handle personal data, but it shows that you care enough to obtain the trust of individuals to handle their data.

Stay GDPR compliant, stay trustworthy.

Preethi Anchan