The General Data Protection Regulation: 10 questions and answers
The European Union’s General Data Protection Regulation, or GDPR, has some North American companies so worried about compliance that they’ve temporarily suspended the accounts of 500 million Europeans. Companies should be cautious but not afraid of GDPR, says Alex Shan, chief executive officer with Canadian IT service provider Jolera Inc. Many companies may already be complying with elements of GDPR, while others simply need to improve their data collection, breach response and security game.
What is GDPR asking companies to do?
AS As of May 25, 2018, it places obligations on companies that collect and process personal data from EU residents.
What’s got companies so worried?
AS The administrative fines for infringement are pretty scary — up to 10 million euros or two per cent of worldwide income. However, you’d have to be grossly negligent with personal data and have failed to follow reporting requirements before even triggering a discussion about fines.
How much effort would it take for Canadian companies to comply with GDPR?
AS Many factors would impact the effort, such as type of industry, data collected, how permission to collect data is obtained and how stored data is protected. For companies that meet the requirements of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) or the U.S. Health Insurance Portability and Accounting Act, some elements of these regulations are already consistent with GDPR provisions.
If I want to check my company’s compliance with GDPR, what’s the best place to start?
AS Read the GDPR. It’s written in plain language. Second, consult with your security and privacy teams to ascertain areas of data collection and usage risks in your organization. Finally, consult with a GDPR expert and legal counsel to ensure you have your bases covered.
What are the two most important requirements of GDPR?
AS The first is to collect and use only data for which the individual gives consent, and to seek that consent in a transparent fashion. The second is to use data only for the purposes agreed to by the individual. You must also offer customers a transparent method to withdraw consent and erase their data, where there are no legal grounds to keep it.
How can a company’s data policy help to keep data secure?
AS The most secure data is data you never collect and store. The GDPR requires that you collect only personal data you need to perform the service or conduct research agreed to by customers — and to store that data for only as long as you need it. If you’re conducting aggregate research on users, do you need to store names, addresses or phone numbers? The more unnecessary data you collect, the greater your potential liability.
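The data-minimization and retention points above can be applied mechanically to a dataset before it is handed to a research team. The following is an added example, not code from the article or from Jolera; the record layout, field names and the 30-day retention window are assumptions. It strips direct identifiers, drops records past their retention period, and replaces the e-mail address with a keyed pseudonym so repeat users can be counted without storing who they are. Such a pseudonym is still personal data under GDPR as long as the key exists, so the key should live apart from the research dataset and be deleted once linkage is no longer needed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Fields that identify a person directly; aggregate research rarely needs them.
# (Assumed field names for this example.)
DIRECT_IDENTIFIERS = {"name", "email", "address", "phone"}


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash of an identifier. Without the key the value cannot be
    reversed or re-linked, which is why the key must be stored separately."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimize_for_research(records, key: bytes, now: datetime, retention_days: int):
    """Return copies of records that are within the retention window, with
    direct identifiers removed and a pseudonymous subject id added."""
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for rec in records:
        collected = datetime.fromisoformat(rec["collected_at"])
        if collected < cutoff:
            continue  # past its retention period: delete rather than keep "just in case"
        slim = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        slim["subject"] = pseudonym(rec["email"], key)
        kept.append(slim)
    return kept


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a@example.test", "address": "1 Rue Fictive",
     "phone": "+000", "country": "FR", "plan": "pro", "collected_at": "2018-05-20T00:00:00+00:00"},
    {"name": "B. Example", "email": "b@example.test", "address": "2 Fake Str.",
     "phone": "+000", "country": "DE", "plan": "free", "collected_at": "2018-03-01T00:00:00+00:00"},
    {"name": "A. Example", "email": "a@example.test", "address": "1 Rue Fictive",
     "phone": "+000", "country": "FR", "plan": "pro", "collected_at": "2018-05-24T00:00:00+00:00"},
]
SAMPLE_KEY = b"example-key-kept-outside-the-dataset"  # constructed; use a managed secret in practice
SAMPLE_NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)


def demo():
    return minimize_for_research(SAMPLE_RECORDS, SAMPLE_KEY, SAMPLE_NOW, retention_days=30)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The second sample record is older than the 30-day window and is dropped; the two records from the same user keep the same pseudonymous subject id, so they can be counted as one user without the dataset containing a name, address or phone number.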
How can a company protect data it needs to store longer?
AS Employ a robust data security posture, making it hard for intruders to access your network via the internet and Wi-Fi and through user actions. Install a network firewall, then monitor and control incoming and outgoing network traffic to identify and stop unusual or malicious activity. Also protect laptops, computers and smartphones.
Blanket data with layers of protection including restricting access to staff that need to use the data. Use data encryption and file integrity monitoring.
Finally, train employees to protect data in their care and to recognize scams and fraudulent links that might expose data to theft.
While you can achieve a degree of protection using passive controls, adding a human element to supervise network traffic can make the difference between fending off a cyber attack and allowing bad actors to achieve their goals.
If customers consent to sharing their data with third parties, what is my liability for the security of that data?
AS You should share data only with downstream parties who share your respect for the security of that data. Otherwise, you could be held responsible for anything that happens to that information.
What if a customer’s data has been breached?
AS GDPR has reporting requirements and timelines that a company must adhere to in case of a personal data breach. There are guidelines and thresholds for reporting to the data controller, the supervisory authority and the individual. Technology is an integral part of collecting the necessary information to inform the communications required when a personal data breach occurs.
What does the future look like for regulations such as GDPR and PIPEDA?
AS It’s likely that best practices from each regulation will evolve into more global regulations. In the meantime, don’t let GDPR scare you. It offers companies a chance to see what they’re already doing right and address areas where they can do better.
The information provided in this article is the opinion of the individual interviewed only and is provided for informational purposes only. It should not be used to determine how GDPR might apply to you and your organization or be considered legal advice. Organizations and individuals seeking advice on how GDPR may apply to their organization should consult or seek advice from a qualified legal representative.
GDPR OFFERS COMPANIES A CHANCE TO SEE WHERE THEY’RE DOING THINGS RIGHT AND ADDRESS WHERE THEY CAN DO BETTER