[BreachExchange] What are the GDPR requirements?

[Audrey McNeil]

http://www.csoonline.com/article/3203264/compliance/what-are-the-gdpr-
requirements.html

Last April, the European Parliament adopted the General Data Protection
Regulation (GDPR). It carries provisions that require businesses to protect
the personal data and privacy of EU citizens for transactions that occur
within EU member states. The GDPR also regulates the exportation of
personal data outside the EU. Companies that do business in EU countries or
process the personal data of EU citizens must be in compliance by May 25,
2018. (For more detail on what the GDPR means to U.S. businesses, see
“General Data Protection Regulation (GDPR) requirements, deadlines and
facts.”)

The provisions are consistent across all 28 EU member states, which means
that companies have just one standard to meet within the EU. However, that
standard is quite high and will require most companies to make a large
investment to meet and to administer.

The GDPR contains 99 articles that define its requirements and rights
granted to EU citizens, GDPR operations and structure, and penalties. The
articles that will have the most significant impact on business are:

Article 5, processing and storing personal data: All personal data must be
processed lawfully and transparently, and only for the purpose specified to
the individual. That data may be stored “in a form which permits
identification of data subjects for no longer than is necessary for the
purposes for which the personal data are processed.” All personal data must
be processed securely to protect against unlawful access, loss or damage
“using appropriate technical or organizational measures.” Those measures
are not defined, but presumably if the data is lost or stolen, a company
could be considered not in compliance.

Articles 6, 7 and 8, consent: All processing of personal data must be done
lawfully, by which is meant that each individual must give consent to use
their personal data. The data collected must also be necessary to complete
a task or transaction initiated by the individual, with the exception of
public authorities.

Article 15, right to access:  EU citizens have the right to know upon
request what personal data a company is using and how it is being used.

Article 17, right to be forgotten and to data erasure: EU citizens can
expect companies to stop processing and to delete their personal data upon
request.

Article 20, right to data portability: EU citizens may transfer their
personal data from company to company upon request.

Articles 25 and 32, data protection: Companies must be able to provide a
“reasonable” level of data protection and privacy to EU citizens. It’s not
clear what the GDPR governing body will consider reasonable.

Articles 33 and 34, reporting data breaches: Companies must report data
breaches to supervisory authorities and individuals affected by a breach
within 72 hours of when the breach was detected.

Article 35, impact assessments: Companies must conduct data protection
impact assessments to identify risks to EU citizens. Those assessments also
must describe how the company is addressing those risks.

Articles 37, 38 and 39, data protection officers: Some companies must
appoint a data protection officer (DPO) to oversee data security strategy
and GDPR compliance. Companies required to have a DPO process or store
large amounts of EU citizen data, process or store special personal data,
regularly monitor data subjects, or are a public authority. The
International Association for Privacy Professionals (IAPP) estimates that
28,000 DPO roles will need to be filled.

Article 50, international companies: International companies that collect
or process EU citizen data must comply with the GDPR.

Article 83, penalties: Companies may be fined up to €20 million or 4
percent of global annual turnover, whichever is higher.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170629/4309ec5f/attachment.html>