Judging from the nearly 50 questions we received after our webinar on how organizations can enhance their security practices to comply with GDPR, security and IT professionals are very interested in learning how the regulation will impact their organization.
Questions ranged from the essential (how much can a company be fined under GDPR) to the practical (what type of language should be included in a consent policy) to the meta (does GDPR consider a ransomware attack a data breach).
Shlomi Avivi, Cybereason’s vice president of security and the person making sure that we comply with GDPR, answered some of the questions in this blog. And don’t forget to listen to our webinar to learn how your security practice can be enhanced to meet GDPR’s requirements.
COMMON GDPR QUESTIONS
Who's enforcing GDPR? What are the penalties for non-compliance?
GDPR is a European Union initiative. Each member state handles enforcement and will have a regulatory body called a supervisory authority that will be in charge of auditing and enforcement. Penalties can be a fine up to €20 million or 4 percent of a company’s annual revenue, whichever is higher. The supervisory authority decides the fine’s amount based on the circumstances and the violation level.
If a company is breached and personal data on E.U. citizens is exposed, how can a company be fined under GDPR?
GDPR penalties can be a fine up to €20 million or 4 percent of a company’s annual revenue, whichever is higher. The latter is the steeper penalty and the assumption is that it will be levied in severe cases when a company has totally disregarded data privacy. Since GDPR doesn’t go into effect until May 25, 2018, enforcement of the regulation has yet to be seen.
On average, companies take nearly 200 days to detect a breach. How does the GDPR handle this?
GDPR refers to the time between detecting a breach and notifying impacted parties about it. However, part of the security for privacy concept is about being able to detect breaches and having best-practice tools and processes in place to do so.
Are personal emails also considered private information?
Yes, since they can be linked to a specific person.
Where can we find the actual IT and data requirements or controls for GDPR?
GDPR does not detail exactly which controls should be put in place. GDPR requires them to be "appropriate" and leaves room for judgment on what appropriate means. This is where the CISO can come into play and perform a risk assessment and create a risk mitigation plan composed of security controls in various layers.
Is there required GDPR training for staff and management?
Yes. The DPO’s responsibilities include creating GDPR awareness and training employees about data privacy and GDPR’s rules around it.
Where can we find the GDPR regulation?
You can find it here: http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
What documentation do we need to prove that we’re GDPR compliant?
You need privacy policies that show how privacy is part of the ongoing business processes, data flow diagrams and internal policies that show how data-related queries can be submitted and addressed.
Does GDPR compliance differ based on the number of employees a company has?
GDPR doesn't differentiate between the size of organizations. It does mention that organizations can comply with the regulation by using service providers instead of handling compliance in house.
For other parts of GDPR, the size of the operation is what matters, not how many people a company employs. For example, there are some requirements that do not apply to organizations that lack a significant and broad data-based operation.
Does GDPR require appointing a DPO or is that a suggestion?
GDPR requires appointing a DPO when an organization performs data processing on a large scale, processes certain types of data (detailed in the regulation) or processes data on an ongoing basis as opposed to a one-time process.
Does the data protection officer (DPO) have to be physically located in an EU member state?
GDPR does not require the DPO to be located in the EU.
My company is based in the EU and has a large office in India. Employees in the Indian office can view the personal data of EU citizens. How can our Indian office comply with GDPR?
You need to understand where the EU citizens’ data flows in your systems, where it's stored and how it's protected. Perform a detailed gap analysis to understand the necessary next steps.
GDPR QUESTIONS – CUSTOMER COMMUNICATION
How do we explain to our customers that their data is being shared with a shipping company so we can deliver the products that they purchased on our website?
What type of language should be included in a consent policy?
GDPR QUESTIONS – DATA OWNERSHIP
How does it work if company A has a contract with company B, and company B has a contract with company C? Company C may have some data from company A, but only via company B. Is company B required to respond to any GDPR questions from company A, since there is no formal relationship between companies A and C?
Look at it as a chain of obligations. Company A, as the data controller, is obligated under GDPR to make sure that its vendors comply with the regulation. Company B is a vendor and is obligated to company A; company C is a vendor with relations to company B and is obligated to it. Eventually, company A is the one the supervisory authority sees, and it's company A's responsibility to make sure it chooses the right vendors.
How do we negotiate with third-party data processors on protecting data under GDPR?
You should require them to meet GDPR requirements as part of your vendor management process.
What happens if some of the data is processed outside the EU?
At the moment, the GDPR states that in order to avoid legal issues of monitoring and enforcement, the data should be held within the EU, or in a territory that has been approved by the EU. The process of approving such a territory is described in the GDPR but has not yet been carried out. It remains to be seen whether the EU will grant approval and to which territories.
How can U.S. companies determine if they have the data of EU citizens in their IT environment?
Data mapping needs to be done. How this is carried out depends on the company, the nature of the data and where it comes from, among other factors.
Could you explain the data flow process a bit more?
Data flows are the processes that the data undergoes in your organization. An example is email address data that’s collected by system A and resides in database B as part of the company’s Web-based e-commerce service. From there, the data is transferred to system C for performance usage analytics. Reports that include this data are available to persons X, Y and Z in the company.
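The data-mapping and data-flow answers above can be turned into a small inventory that answers "which systems hold this category of personal data", "who can reach it" and "does it leave the EU or an approved territory". This is an added example, not code from the original post or from Cybereason; the system names, readers, territories and the approved-territory list are all constructed.

```python
"""Minimal personal-data flow register (added example; all names constructed).

Models the flow described in the text: an email address is collected by
system A, stored in database B, copied to system C for analytics, and shown
in reports readable by named people.
"""
from dataclasses import dataclass, field

# Territories treated as EU / EU-approved in this example (constructed list;
# at the time of the post no territory had yet been approved).
APPROVED_TERRITORIES = {"EU"}

@dataclass(frozen=True)
class System:
    name: str
    territory: str          # where the system stores or processes the data
    readers: frozenset = field(default_factory=frozenset)  # people with access

@dataclass(frozen=True)
class Flow:
    category: str           # e.g. "email_address"
    source: str
    destination: str
    purpose: str            # the processing purpose the flow supports

def systems_holding(flows, category):
    """Every system a data category passes through or rests in."""
    return {s for f in flows if f.category == category for s in (f.source, f.destination)}

def who_can_access(systems, flows, category):
    """People who can read the category via any system it flows through."""
    return set().union(*(systems[n].readers for n in systems_holding(flows, category)))

def transfers_outside_approved(systems, flows, approved=APPROVED_TERRITORIES):
    """Flows whose destination sits in a territory not approved for EU data."""
    return [f for f in flows if systems[f.destination].territory not in approved]

# Constructed inventory mirroring the worked example in the text.
SYSTEMS = {
    "A": System("A", "EU"),
    "B": System("B", "EU", frozenset({"dba"})),
    "C": System("C", "US", frozenset({"X", "Y", "Z"})),
}
FLOWS = [
    Flow("email_address", "A", "B", "e-commerce account"),
    Flow("email_address", "B", "C", "performance usage analytics"),
]

if __name__ == "__main__":
    print(sorted(systems_holding(FLOWS, "email_address")))
    print(sorted(who_can_access(SYSTEMS, FLOWS, "email_address")))
    print([f.destination for f in transfers_outside_approved(SYSTEMS, FLOWS)])
```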
GDPR QUESTIONS – EVERYTHING ELSE
Is a ransomware attack classified as a data breach?
If you can prove that no data left the organization and, therefore, no data was exposed, but only made unavailable, a ransomware attack isn’t considered a data breach. However, this can be very tricky and hard to prove. You would need some sort of data loss prevention controls in place.
For marketing, does this mean the end of badge scans at international conferences like Black Hat, Microsoft Ignite or CES?
It means that an organization will have to provide consent for what it’s going to do with a person’s data. At this point, this only applies to EU residents.
If we’re a U.S. data controller, have EU citizen data and experience a breach, would we notify the FBI, a state attorney general or Europol?
There are rules around what supervisory authority should be notified based on criteria like the situation, the organization and where the processing occurs. Check with lawyers with expertise in the field of GDPR compliance.
Does the right to be forgotten also apply to companies, allowing employees to ask their employer to delete data on them?
As a data processor, you deal with the data controller (the company that is your customer). The data controller is the one that needs to answer the individual person's request.