GDPR: Why You Need to Consider the Personal Data That Lies Outside of Your Organization
January 4, 2018
In 2010, reports emerged that the Information Commissioner’s Office (ICO) could fine organizations up to £500,000 ($677,000) under the Data Protection Act. Eight years later, that cap has proven woefully insufficient as a deterrent to organizations’ lax attitude towards data protection. From May 2018, organizations could be fined up to four percent of their revenue or €20 million ($24 million) – whichever is greater.
While the potential fines under GDPR have attracted the headlines, our new report, GDPR: A Path to Compliance, distills some of the key changes coming and provides a framework with practical advice on how to minimize compliance challenges when the legislation (and its fines) comes into force in May 2018. GDPR isn’t new; it has been in the works since at least January 2012, when the European Commission proposed an update to data protection regulation. As the number of breaches continues to increase (albeit not all of them publicly reported), this issue has only become more important.
The “D” in GDPR is focused on data, and so Information Technology plays a critical role. While there must be an effort to understand what sensitive data sits within the organization, organizations must also look beyond the perimeter to understand how and where the personal data of EU citizens is exposed.
First of all, organizations need to consider what is meant by “personal data” – this definition has broadened significantly under the EU Data Protection Directive:
“‘Personal data’ shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
In reality, this means that personal data extends to far more than before – even IP addresses and browser cookies are considered to be personal data. Organizations need to be aware of what personal data they hold, either as a Controller (data about your own customers and employees) or Processor (data that you process on behalf of other organizations).
Given this broad definition, how can organizations go about becoming GDPR compliant? Our paper sets out four key stages of GDPR compliance: discover, define, deliver, and detect. Within each of these stages, we provide advice and the key resources that organizations can turn to.
GDPR compliance cannot be achieved easily with a shiny new widget or product. Instead, a well-thought-out program that addresses data loss management will help organizations demonstrate a high level of compliance to a regulator and minimize the commercial and reputational risks associated with a regulatory failure.
With the scope of personal data expanded, organizations cannot simply protect their data at the boundary. Download our report to find out how to manage your data exposure in line with GDPR.