by Jesse Lyons, Solutions Consultant at G2 Tech Group
Unless you’ve been living under a rock, observing a complete news blackout or enjoying a glorious vacation on a deserted tropical island, you know there’s been a lot of focus lately on data privacy and the responsibilities companies have for data privacy and security.
Mark Zuckerberg’s Congressional testimony and the whole Cambridge Analytica saga are likely the pieces of the story you’re most familiar with, but you may also have heard recently about GDPR. Not sure what it is, why it matters or whether you should care? We’re here to help with our GDPR 101 and FAQ.
What is GDPR?
GDPR, the General Data Protection Regulation, is a European Union data protection regulation that establishes clear requirements for the protection of personal data and spells out the responsibilities different entities have for protecting privacy. GDPR replaces the previous Data Protection Directive (95/46/EC), which dates back to 1995. Obviously a lot has changed in the technology world in the last 23 years, and the Data Protection Directive was widely viewed as needing an update. GDPR provides that update and sets out to establish, in its own words, “a strong and more coherent data protection framework in the [European] Union.”
What does GDPR require?
That’s a longer answer than we can give in an FAQ, but the short answer is that there are four headline requirements that GDPR addresses:
- The Right to Data Portability
- The Right to Be Forgotten
- Privacy by Design (the regulation’s own term is “data protection by design and by default”)
- Data Breach Notification
GDPR requires both controllers (the organizations that decide why and how personal data is processed, typically the company that collects it from its users) and processors (service providers that process that data on the controller’s behalf, such as AWS) to implement appropriate Technical and Organizational Measures (TOMs) to protect data subjects and their personal data. GDPR lists four key TOMs as part of that protection:
- Pseudonymisation and encryption of personal data
- Ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
- Process for regularly testing, assessing, and evaluating the effectiveness of TOMs
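The first TOM on that list, pseudonymisation, is the one most often misunderstood, so here is an added example (ours, not text from the regulation) of what it looks like in code. GDPR defines pseudonymisation as processing personal data so that it can no longer be attributed to a person without additional information that is kept separately; the example below keys the pseudonym with a secret held outside the dataset, and it shows why an unkeyed hash is not good enough. The record layout and the field names `email`, `customer_id`, `ip_address` and `plan` are assumptions for illustration, and the sample records are constructed here. Note that pseudonymised data is still personal data under GDPR, because the key holder can re-identify it; only irreversible anonymisation takes data out of scope.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, List

# Fields assumed (for this example) to directly identify a person.
DIRECT_IDENTIFIERS = ("email", "customer_id", "ip_address")


def pseudonymise_value(value: str, key: bytes, purpose: str) -> str:
    """Return a keyed pseudonym for one identifier.

    HMAC-SHA256 under a secret key gives a deterministic mapping, so the same
    e-mail address always yields the same pseudonym and joins and counts over
    the pseudonymised data still work. Without the key, nobody can invert the
    mapping or recompute it. A plain SHA-256 of an e-mail address would NOT
    do: e-mail addresses and IPv4 addresses are small, enumerable spaces, so
    an attacker could hash every candidate and match. Binding the purpose
    into the input keeps pseudonyms issued for one purpose (say, analytics)
    from being linked to those issued for another (say, support tickets).
    """
    normalised = value.strip().lower().encode("utf-8")
    msg = purpose.encode("utf-8") + b"\x00" + normalised
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise_record(record: Dict[str, Any], key: bytes, purpose: str) -> Dict[str, Any]:
    """Copy a record, replacing direct identifiers with keyed pseudonyms.

    Non-identifying fields (e.g. the subscription plan) are left intact so the
    pseudonymised record remains useful for processing.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = pseudonymise_value(str(out[field]), key, purpose)
    return out


def pseudonymise_records(records: List[Dict[str, Any]], key: bytes, purpose: str) -> List[Dict[str, Any]]:
    return [pseudonymise_record(r, key, purpose) for r in records]


def can_relink(pseudonym: str, candidate: str, key: bytes, purpose: str) -> bool:
    """Re-identification is possible only for whoever holds the key: they can
    test a known identifier against a stored pseudonym. The comparison is
    constant-time so timing does not leak how many characters matched."""
    return hmac.compare_digest(pseudonymise_value(candidate, key, purpose), pseudonym)


# Constructed sample input; these are not real customers.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "Alice@Example.com", "ip_address": "203.0.113.7", "plan": "pro"},
    {"customer_id": "C-1002", "email": "bob@example.net", "ip_address": "198.51.100.23", "plan": "free"},
    {"customer_id": "C-1001", "email": "alice@example.com", "ip_address": "203.0.113.7", "plan": "pro"},
]


if __name__ == "__main__":
    # In production this key lives in a KMS/secrets manager, separate from the
    # dataset, with its own access controls; that separation is the whole point.
    key = secrets.token_bytes(32)
    for row in pseudonymise_records(SAMPLE_RECORDS, key, purpose="analytics"):
        print(row)
    # Records 1 and 3 belong to the same person and get identical pseudonyms,
    # so analytics over the pseudonymised set still count them as one customer.
```

Because the mapping is reversible for the key holder, deleting the key (or the pseudonym-to-identifier table, if you use a lookup table instead of HMAC) is also how you honour an erasure request across datasets you no longer need to re-identify.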
We’ll go into more detail on all of this in upcoming articles.
What data is considered personal data?
All the obvious things you would consider personal data (name, address, personal health information, etc.), plus some less obvious things such as IP addresses, cookie identifiers and other online identifiers, and political opinions (which GDPR treats as a special category with stricter rules). Bottom line: if you’re collecting almost any information about your users or customers, GDPR matters.
Whom does GDPR cover?
Not surprisingly, the law itself spells this out in detail, but the general answer is that GDPR covers any organization established in the EU, wherever it does its processing, and any organization established elsewhere that offers goods or services to people in the EU or monitors their behaviour (web analytics and ad tracking count). In the connected world we live in today, that reaches a great many companies. Do not allow yourself to think that you don’t need to worry about GDPR simply because you’re a US company!
GDPR does provide some accommodations for small companies (fewer than 250 employees), such as a narrower duty to keep records of processing activities, and it encourages EU member states to “take account of the specific needs of [small companies] in the application” of GDPR. Time will tell exactly what “taking account” of those needs means in practice.
When does GDPR go into effect?
The regulation was adopted in April 2016 and entered into force the following month, with a two-year transition period. Companies must be in compliance with its requirements by May 25, 2018, when it becomes enforceable. Time to get on it!
How do I get in compliance with GDPR?
If you’re on AWS, you’re off to a good start: AWS has been on top of GDPR’s requirements for processors and has stated that its services meet those requirements.
But that’s only a start. Responsibility is shared: a compliant platform does not make your workload compliant. GDPR places significant responsibility on data controllers as well, which means both that your technology infrastructure needs to be architected with privacy, encryption and access control in mind, and that your company establishes policies and practices consistent with GDPR’s standards and requirements.
Can I read the whole regulation?
Sure! It is Regulation (EU) 2016/679, published in the Official Journal of the European Union. But it’s not a quick read.
We’ll be digging into GDPR some more in the next few posts. In the meantime, if you have any questions about GDPR or other compliance issues (such as HIPAA), give us a call or just fill out the form below. We’d be happy to talk!
If you’re interested in more information, check out the second part of this series: The Core Principles of GDPR, Data Privacy & Compliance.