What is GDPR and how is it influencing cybersecurity best practices both in Europe and worldwide? We sat down with Lee Kim, JD, CISSP, CIPP/US, FHIMSS; director of privacy and security at HIMSS for a deep dive into the topic so we can understand how its wide-reaching impact is driving transformative workflow changes for organizations worldwide.
General Data Protection Regulation (GDPR) is a globally applicable regulation that applies to the processing of personal data of data subjects (natural persons) who are in the European Union (EU). The controller, for purposes of GDPR, dictates the manner and means of processing of personal data, whereas the processor carries out the processing instructions from the controller.
A controller may be a natural person (a human being) or legal person (such as a company or association), public authority, agency or other body which—alone or jointly with others—determines the purposes and means of the processing of personal data. A processor may be a natural or legal person, public authority, agency or other body. However, it is important to know that the GDPR applies to organizations not based in the EU that target individuals in the EU, either by offering goods or services to them or by monitoring their behavior.
An example is a start-up company that is established in the United States without any business presence or establishment in the EU. The start-up company offers an online application for tourists. The U.S. start-up company, through its online application, offers services to individuals in the EU. Thus, the processing of the data subjects’ personal data is within the scope of the GDPR.
The regulation seeks to both harness and govern the exchange of personal data. Responsible use, disclosure and transparency of personal data is essential. The implementation of GDPR has prompted organizations worldwide to take a closer look at how customer and/or client data is handled and governed within the organization. Organizations must now deeply understand how personal data is managed and transacted internally, and across other organizations.
While many organizations are familiar with the concept of taking an inventory of IT assets, it is an even more complex challenge to take an inventory of the personal data that is flowing in and out of one’s organization. Organizations that need to comply must have a data map or similar resource which indicates where and how personal data is collected and processed consistent with organizational best practices.
Personal data is information relating to an identified or identifiable natural person, and with this information, you can directly or indirectly identify that person. As a result of the regulation’s global reach, organizations must acknowledge and respect the rights of the individuals (the data subjects) and their personal data or risk being fined for non-compliance.
Yes. It may apply to you if you handle personal data of data subjects who are in the EU—regardless of whether the processing of data occurs in the EU or not. However, in order for GDPR to apply, a non-EU-based entity must target data subjects who are in the EU by offering goods and services, or by tracking or monitoring the behavior of EU data subjects.
Under the regulation, personal data belonging to any individual in the EU may not be used for just any reason. There must be a lawful basis for processing the personal data of the data subject, including, but not limited to: consent from the data subject or for situations in which processing of the personal data is necessary for performance of a contract.
The advent of GDPR has prompted entities worldwide to refine their privacy and security strategies, best practices and internal programs—with respect to the handling of personal data—in order to accommodate this policy change for customers and clients within the EU. By taking steps to be compliant, organizations need to understand which data they have, who has access to it and which applications and systems are involved with the transfer of that data.
GDPR compliance efforts involve an alignment of policies and procedures across the entity, clear lines of communication and organization-wide support for compliance. Because of the potential fines for non-compliance, entities are taking all necessary steps to avoid a breach, or any incident that may involve the improper handling of personal data.
1. There is no quick and easy solution to becoming compliant. It is a rigorous process and you need to inventory your data, and map and track your data flow. Your organization must proactively develop a systemic plan for achieving robust security and privacy protection of personal data. It is an organization-wide effort to become compliant.
2. Follow your organization’s policies and procedures and update as needed. Processing personal data using unauthorized resources (such as shadow IT) may move your organization farther away from a state of compliance.
3. Take GDPR seriously. Fines for non-compliance are set forth in two tiers. The lower tier is 10 million euros or up to 2% of the total worldwide annual turnover of the preceding financial year; the upper tier is 40 million euros or up to 4% of the total worldwide annual turnover of the preceding financial year.
The positive impact is that regulations are leading the way for strong data protection programs worldwide. Many countries are studying the regulation’s impact and evaluating whether to implement their own GDPR-like laws and regulations, further emphasizing that data protection must be a shared responsibility with public and private sectors.
These changes are an important reminder of data’s growing value as a business asset. Like all valuable assets, taking steps to secure that asset could be monumental for your company’s future.