Getting Ready for GDPR – What Will Change And How to Prepare

The EU General Data Protection Regulation, or GDPR for short, is the most important change in data privacy regulation in the last 20 years. This change is set to drastically alter how businesses in the EU (and external businesses that deal with data of EU citizens) look at data in general.

The deadline for complying with these new laws is May 25th, 2018, the date when GDPR will start harmonising data privacy laws across the European Union and forever change how companies collect, store, delete, alter and otherwise process the personal data of EU citizens.

The official document is a lengthy one that may confuse even the most experienced data specialists. That’s why we’ve made sure to emphasise the most important points in this article to make sure you’re ready for the era of GDPR which is upon us.

Who Will GDPR Affect?

The GDPR replaces the previous Data Protection Directive from 1995. Besides laying out new laws, it expands their reach: it applies to all companies that control the personal data of data subjects in the EU, regardless of the company’s location.

GDPR is aimed at companies that have more than 250 employees, but it also applies to companies that have fewer than 250 employees if their data processing impacts the rights and freedoms of data subjects or includes sensitive personal data. This generally means GDPR affects almost all companies, as can be seen in this survey, which states that 92% of US companies are considering GDPR as a top data protection priority.

To understand exactly who GDPR affects, it is important to know the difference between a data controller and a data processor.

Data controller:

The data controller is a company or person that determines the purposes for which, and the way in which, personal data is processed. Data controllers are highly affected by GDPR, which means they are subject to a number of requirements under EU law. Data controllers have their own data processors.

Data processor:

A data processor is a company or person that processes personal data on behalf of the data controller. It is important to know that this excludes all of the data controller’s employees. A good example of a data processor is a data analytics provider, because it is a separate business that controls the data of its users (data controllers). Data processors are also affected by GDPR, but not as much as data controllers, since a lot of regulations are already set in motion by the so-called ‘data processing agreements’.

The same organization can be both the data processor and the data controller, and two separate organizations can be the processors of the same data.

GDPR covers both personal and sensitive personal data. Personal data is any piece of information that can be used to identify a person (examples: name, address, IP address etc.). Sensitive personal data encompasses religious and political views, sexual orientation, genetic data and more.

What Will Change

Many of the GDPR’s main concepts and principles are included in, or are similar to, the ones in the DPA (Data Protection Act), which means that companies already complying with the DPA have a very solid foundation to build upon.

The main driver of change in companies’ awareness of data security is the short timelines that are being put into place. GDPR requires companies to send a notification to each of the countries’ representatives within 3 days of a data breach, with an accompanying full report that contains the correct data of citizens that were impacted by that breach. Previously, it would take at least 2 months to get to the bottom of a typical breach.

Companies also need to allow their data to be portable, which means that their users or clients can have their data erased or moved to another company.

Security teams are going to be drastically influenced by GDPR, since there will be a need to engineer new processes. These new processes are in most cases going to have to include DPOs (data protection officers). The DPO will be responsible for everything related to data, and this person will be the main point of contact between the company and country officials.

A recent survey by Ovum makes it very apparent that businesses are getting seriously concerned about the data privacy regulatory landscape. Here are some of the most important findings:

  • Two-thirds of businesses expect to have to change their global business strategies to accommodate new data privacy regulations
  • Over half of businesses think they will be fined due to the pending General Data Protection Regulation (GDPR) in Europe
  • More than 70% of businesses expect budgets to rise to meet new data sovereignty regulations
  • The U.S. is the least trusted country for respecting privacy rights, lagging behind China and Russia

The Fines

One of the most worrying factors of GDPR is the increase in the level of monetary penalties. This, coupled with the Ovum report, means that these fines are not to be taken lightly.

Smaller offences will result in fines of up to €10 million or 2% of a firm’s global turnover (whichever is greater). More serious offences will result in fines of up to €20 million or 4% of a firm’s global turnover (again, whichever is greater).

An article by The Register states that 2016’s ICO fines in the UK would have been 79 times higher under the GDPR. This means 2016’s £880,500 in fines would have been the equivalent of £69 million under the GDPR.

How to Prepare

The Information Commissioner’s Office (ICO) has prepared a guide with 12 steps every company should take to comply with the GDPR laws. Here’s a shorter version:

1) Awareness

The decision makers and key people in any organization should be aware that the law is changing to the GDPR. This will help avoid last-minute preparations before May 25th, 2018.

2) Information you hold

Every piece of personal data held by a company should be documented. This includes its location, where it came from and who you share it with and why.

3) Communicating privacy information

All privacy notices should be reviewed. When collecting personal data, a company should provide notice to the people it comes in contact with, and privacy notice requirements will change under GDPR.

4) Individuals’ rights

Companies should check their procedures to ensure that they cover all the rights individuals have. The GDPR includes the following rights:

  • The right to be informed
  • The right to access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subjected to automated decision making including profiling

5) Subject access requests

Companies should update their procedures on handling access requests. If an organization handles a large number of access requests they should consider the logistical implications of having to deal with requests more quickly.

6) Lawful basis for handling personal data

Companies should identify their lawful basis for their processing activities in the GDPR, document it and update their privacy notice to explain it.

7) Consent

Companies should record how they seek, record and manage consent and whether they need to make any changes. Read this detailed guidance to learn more about consent.

8) Children

Companies should start thinking about whether they need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

9) Data breaches

Companies should make sure they have the right procedures in place to detect, report and investigate a personal data breach in time. Failure to report a data breach in time will result in a fine.

10) Data protection by design and data protection impact assessments

Previously, it was just good practice to adopt a privacy by design approach and to carry out a Privacy Impact Assessment (PIA) as a part of it. In GDPR, however, privacy by design is now becoming a legal requirement and is referred to as Data Protection Impact Assessments or DPIAs for short.

11) Data protection officers (DPOs)

Most companies should hire a DPO as someone who takes responsibility for data protection compliance. Companies must hire a DPO if they’re:

  • A public authority
  • An organization that carries out the regular and systematic monitoring of individuals on a large scale
  • An organization that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions

12) International

If an organization operates in more than one EU member state, it should determine which is its lead data protection supervisory authority and document this.

Conclusion

GDPR is coming soon and the impact of this change will be big. In this time of change there’s a lot going on – currently there’s information that a lot of companies in digital media are trying to shift responsibility onto one another – clients want agencies to assume risks, agencies insist publishers assume them, and publishers do the same to tech vendors.

The businesses that are most liable for fines are the data controllers, as they are the source of consumer data. Some examples of data controllers are publishers and advertisers that operate websites.

If you’re having issues with getting ready for the GDPR, or you would like someone to do it for you, our team at GlobalDots specializes in data security and GDPR compliance – feel free to contact us and request a free consultation!
