GDPR Explained

Since it became enforceable in May 2018, the General Data Protection Regulation, commonly known as GDPR, has forced companies to rethink how they collect, store, share, and secure the personal data of individuals. If your business collects personal data belonging to people in the European Union, you must understand your responsibilities under GDPR, including the risks of mishandling personal data and the consequences under the law for non-compliance.

What is GDPR?

The General Data Protection Regulation (GDPR) is the European Union’s most sweeping data privacy legislation. Since going into effect in 2018, GDPR has provided a stringent regulatory framework for virtually every aspect of how businesses collect, store, and otherwise process personal data. The objective of GDPR is to give the individual greater control over their personal data, including whether or not companies can gather it, what companies can do with it once they have it, and the responsibilities of those companies when it comes to safeguarding data from cyberattacks and other security incidents.

There are seven core principles of GDPR to abide by. They are:

  1. Lawfulness, fairness, and transparency: You must have a lawful basis (such as consent, a contract, or a legitimate interest) for every processing activity, and before collecting data you must tell data subjects clearly and concisely what types of data you will collect and how you intend to use it.
  2. Purpose limitation: Personal data may only be collected for specified, explicit, and legitimate purposes, and must not later be processed in a way that is incompatible with those purposes.
  3. Data minimization: Closely related to purpose limitation, data minimization means the data controller must collect only the minimum amount of personal data needed to deliver the relevant element of its service, and nothing more.
  4. Data accuracy: Personal data held by the data controller must be accurate and, where necessary, kept up to date. The controller must take every reasonable step to ensure that inaccurate personal data is erased or corrected without delay.
  5. Storage limitation: In addition to collecting only the minimal amount of personal data needed, businesses must set time limits on how long that data is retained, and erase or anonymize it once it is no longer needed. This principle is related to, but distinct from, the data subject's right to erasure (the “right to be forgotten”) described below.
  6. Integrity and confidentiality: This principle deals with data security on the part of the data controller. As the data controller who collects the personal data of data subjects, it is your responsibility to process and retain that data in a safe, secure manner. That requirement under GDPR includes protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. Under the law, businesses must use “appropriate technical or organizational measures.”[1]
  7. Accountability: The data controller, meaning your business, is ultimately accountable for the safe, secure collection, retention, and destruction of the data subject’s personal data, and must be able to demonstrate compliance with all of the principles above.

What are the Penalties for Failure to Comply with GDPR?

The regulatory consequences of a data breach can be severe. Fines under GDPR for the most serious infringements range up to €20m, or 4% of worldwide annual turnover, whichever is higher. In 2019, for example, the U.K. Information Commissioner's Office (ICO) announced its intention to impose eyewatering GDPR fines on both British Airways and Marriott International following data breaches. For British Airways the proposed penalty was £183 million (about $229 million) after a significant data security incident that ran over several months in 2018. This breach exposed the personal data of roughly 400,000 B.A. staff and customers, including payment card details, names, and addresses. Meanwhile, Marriott faced a proposed fine of £99 million (about $123 million) after cybercriminals gained access to approximately 339 million hotel guest records, including about seven million relating to people in the U.K. When the ICO issued its final penalty notices in 2020, the amounts were reduced to £20 million for British Airways and £18.4 million for Marriott, but the cases remain a clear signal of how seriously regulators treat breaches of personal data.

To Whom Does GDPR Apply?

GDPR applies to any business, known as the "data controller," that offers goods or services to individuals in the E.U., known as "data subjects," or that monitors their behavior. GDPR applies regardless of citizenship: what matters is that the individual is in the E.U. when the data is collected. For example, if you are based in the U.S. but sell goods to customers in the E.U. or in the other European Economic Area countries where GDPR also applies (Iceland, Liechtenstein, and Norway) and collect personal data belonging to those customers, GDPR applies to you. (Switzerland is not covered by GDPR; it has its own data protection law.) A typical activity of a data controller is tracking your website's visitors from these regions and collecting their personal data, for instance through analytics cookies.

If you work with a third party to monitor the online behavior of individuals in the E.U. as part of a marketing or sales campaign, that activity is also subject to GDPR. A third party that handles personal data on your behalf and under your instructions is defined in GDPR as a "data processor." For example, a payroll service provider is a data processor because the data controller shares employees' personal data with the provider solely so that it can process payments on the controller's behalf. Processors have their own obligations under GDPR, and the controller must bind them by contract to appropriate security and confidentiality terms.

Even if your business operates outside of the E.U., it would be an error to presume you or your data processor are exempt from GDPR compliance. The regulations apply to organizations operating within the E.U. and those worldwide that target — directly or indirectly — individuals in the E.U.

Under GDPR, any individual in the E.U. whose personal data is collected by any company, inside or outside of the E.U., is protected by the law. That means that if your company, as the data controller, mishandles that data, you are legally responsible under GDPR and can be subject to fines and other regulatory action.

Most of the world's largest companies are subject to GDPR, but so are many small businesses outside Europe, including U.S. businesses with European customers.

What Kinds of Data Are Covered by GDPR?

In GDPR Article 4, personal data is defined as "any information relating to an identified or identifiable natural person ('data subject')." An identifiable natural person is defined as "one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." In other words, any information that relates to a person who can be singled out, whether directly or by combining it with other data, is personal data. Obvious examples include a social security number, home address, driver's license number, credit card number, and bank account number, but the definition also covers less obvious identifiers such as email addresses, IP addresses, cookie and device identifiers, and location data.

It's no coincidence that personal data is also considered a high-value target by cybercriminals. Attackers seek out personal information as a way to gain access to the victim's financial accounts, sensitive company information, and much more.

What is the Right to Be Forgotten?

The Right to Be Forgotten, set out in GDPR Article 17 as the "right to erasure," gives a data subject the right to have a controller erase their personal data without undue delay in specified circumstances, including where the data is no longer necessary for the purpose for which it was collected, or where the data subject withdraws the consent on which the processing was based and no other legal ground applies. This means that as a data controller, you are responsible for properly deleting or disposing of a data subject’s personal data, and for passing erasure requests on to any processors holding copies. Personal data that should have been deleted but was not is still your responsibility: if it later falls into the wrong hands, that is a data breach of data you had no remaining justification to hold.
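As an added example (not code from this page or from Sophos), the following Python sketch shows how a retention sweep can implement the storage limitation principle and the right to erasure together, while still leaving the audit trail the accountability principle calls for. The record store, the retention periods, the purposes, the salt and the sample records are all assumptions made for illustration; real values come from your own records of processing and legal advice. The point a practitioner should take away is that the erasure log must not itself re-identify the people whose data was deleted, so it stores a salted hash rather than the subject identifier or any of the erased fields.

```python
"""Retention and erasure sweep with a personal-data-free audit log.

Added example for illustration only; record store, purposes, retention
periods and sample data are assumptions, not anyone's production setup.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed retention period per documented processing purpose.
RETENTION = {
    "order_fulfilment": timedelta(days=365 * 6),
    "marketing": timedelta(days=365 * 2),
}
# Assumed: purposes whose only legal basis is the subject's consent, so a
# withdrawal of consent triggers erasure under Article 17(1)(b).
CONSENT_BASED = {"marketing"}


@dataclass
class Record:
    subject_id: str            # internal identifier, not the person's name
    purpose: str               # why the data was collected (purpose limitation)
    collected_at: datetime
    personal_data: dict        # e.g. name, address; kept only as long as needed
    consent_withdrawn: bool = False


@dataclass
class AuditEntry:
    subject_ref: str           # salted hash, so the log cannot re-identify anyone
    purpose: str
    reason: str                # why the record was erased
    erased_at: datetime


def subject_ref(subject_id: str, salt: bytes) -> str:
    """Pseudonymous reference for the audit log. The salt is a secret held
    separately from the log; without it the reference cannot be linked back."""
    return hashlib.sha256(salt + subject_id.encode()).hexdigest()[:16]


def erasure_reason(record: Record, now: datetime) -> str | None:
    """Return why a record must be erased, or None if it may still be kept."""
    if record.consent_withdrawn and record.purpose in CONSENT_BASED:
        return "consent_withdrawn"
    limit = RETENTION.get(record.purpose)
    if limit is None:
        # No documented purpose and retention period: holding the data
        # cannot be justified under purpose and storage limitation.
        return "no_retention_policy"
    if now - record.collected_at > limit:
        return "retention_expired"
    return None


def run_retention_sweep(records, now, salt):
    """Erase every record that can no longer be kept; return (kept, audit)."""
    kept, audit = [], []
    for rec in records:
        reason = erasure_reason(rec, now)
        if reason is None:
            kept.append(rec)
            continue
        rec.personal_data.clear()   # actually drop the data, not just flag it
        audit.append(AuditEntry(subject_ref(rec.subject_id, salt),
                                rec.purpose, reason, now))
    return kept, audit


# Constructed sample data for the example.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SALT = b"example-secret-salt"   # assumption: in practice loaded from a secret store


def sample_records():
    return [
        Record("u1", "order_fulfilment", NOW - timedelta(days=30),
               {"name": "A. Example", "address": "1 Example St"}),
        Record("u2", "marketing", NOW - timedelta(days=400),
               {"email": "b@example.com"}, consent_withdrawn=True),
        Record("u3", "marketing", NOW - timedelta(days=800),
               {"email": "c@example.com"}),
        Record("u4", "analytics", NOW - timedelta(days=10),
               {"ip": "203.0.113.7"}),
    ]


if __name__ == "__main__":
    kept, audit = run_retention_sweep(sample_records(), NOW, SALT)
    print("kept:", [r.subject_id for r in kept])
    for entry in audit:
        print("erased", entry.subject_ref, entry.purpose, entry.reason)
```

Running the sweep on the sample data keeps only the recent order record and erases the other three: one because consent was withdrawn, one because the marketing retention period expired, and one because no retention policy was ever documented for its purpose. The audit entries record the purpose and reason but never the email address, IP address or raw subject identifier, so the evidence you keep for regulators does not become a fresh copy of the data you were obliged to delete.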

What is the Right to Explanation?

Beyond the right to be forgotten, GDPR also gives data subjects protections against automated decision-making. Article 22 gives a data subject the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them, such as an automated refusal of credit or a job application. Where such processing is permitted, the controller must provide meaningful information about the logic involved, and Recital 71 says the data subject should be able to obtain "an explanation of the decision reached after such assessment" and to challenge it. This is the so-called Right to Explanation. It has affected the design of algorithms that make consequential decisions from user behavior, because the people affected can ask a company to explain a decision made about them, and the company needs to be able to answer.

How Can I Achieve Continuous GDPR Compliance?

GDPR and other data privacy regulations require more than a singular, point-in-time snapshot of your current state of security. You need to keep a record of evidence that demonstrates ongoing proper cybersecurity hygiene for every aspect of your IT environment, from access controls to network and device security to the data itself, both at rest and in motion.

Continuous compliance is the best approach to maintain GDPR compliance. Continuous compliance utilizes frequent, ongoing monitoring of your organization’s compliance status, providing much more than just a snapshot in time.

To achieve continuous compliance, you must first build out a process that continuously monitors your IT environment, including your cloud assets, to ensure that at any given time, it meets your regulatory requirements. Automation and security tools can help by continuously scanning for network threats, and notifying you immediately when your environment becomes non-compliant.

A cybersecurity-as-a-service provider can support a continuous compliance approach because it has the know-how and dedicated resources to monitor your compliance status 24/7. This model can help your internal security team to shift away from responding reactively to GDPR audit requests and move toward a more proactive approach. Continuous compliance means that you can confidently respond to any kind of scrutiny of the security of your systems and any inquiries about your privacy policies.

Which Security Best Practices Can Minimize Risk of a GDPR data loss fine?

Here are five best practices you should follow to minimize the risk of a GDPR data loss fine for your organization.

  1. Patch early and often. Minimize the risk of a cyberattack by fixing any software vulnerabilities that attackers can exploit to gain access to your systems. There is no perimeter, so everything matters: patch everything as soon as possible.
  2. Secure personal data in the cloud. More organizations than ever are migrating critical data and systems to the public cloud. Knowing this, you must treat the cloud like any other part of your environment. Be sure to close unwanted ports and services, encrypt data in transit and at rest, and ensure you have proper access controls in place, including on object storage buckets and database snapshots, which are a common source of accidental exposure. It's essential to put mechanisms in place that prevent the data leaks that will put you at risk, and to apply them to all your environments, including AWS, Google Cloud, and Kubernetes clusters, as well as QA and development, where copies of production personal data frequently end up.
  3. Minimize access to personal data. GDPR requires companies to only collect the minimum data required to complete a business process. Collecting less data will reduce your attack surface, but that's only the first step. You can reduce your exposure by collecting and retaining only the information you need and making sure the only people with access to it are the people who need it to do their jobs.
  4. Educate your team. Proper data hygiene training for your users helps ensure that everyone who might come in contact with personal data knows how they need to handle it. GDPR itself expects this: controllers must ensure that staff only process personal data on their instructions, and staff awareness and training are among the tasks GDPR assigns to the data protection officer. For example, phishing simulation training can help your users spot the signs of a phishing attack and prevent account takeovers or business email compromises, which are a common path to a reportable breach.
  5. Document and prove data protection activities. Be able to document and show that you have a plan in place for data protection. As the data controller, you must prove that you have taken sensible precautions to secure personally identifiable information. A managed security service provider or cybersecurity as-a-service partner can help you with documentation and ongoing compliance monitoring.

Should I Consider a GDPR Compliance Assessment?

Many companies benefit from bringing in a consultant to evaluate their systems for GDPR compliance. A GDPR assessment provides you with a holistic view of your organization’s cybersecurity posture, with granular detail where needed. It gives you a more comprehensive inventory of the potential weaknesses in your current IT environment and the areas that need improvement.

How Can Cybersecurity-as-a-Service Support GDPR Compliance?

Partnering with a third-party security company that delivers cybersecurity-as-a-service removes a significant burden from businesses that lack the internal resources to maintain continuous GDPR compliance. For example, a Managed Detection and Response (MDR) provider has security experts investigate and assess potential security risks across your full environment 24/7, 365 days a year. The right MDR partner will leverage world-leading threat intelligence to identify your risk level and prioritize a fast, effective response to neutralize threats and ensure that personal data is protected. Download the Sophos GDPR compliance card to learn more about how managed security can address the security requirements of regulatory compliance.

The Last Word on GDPR Compliance

Sophos offers a complete portfolio of cybersecurity solutions and services to help businesses achieve and maintain GDPR compliance. Sophos can provide expertise and support for your GDPR compliance initiatives. We do this through continuous compliance monitoring and by keeping your data and devices secure. Get in touch with a Sophos security expert and learn more about reducing your risk.



[1] European Commission, “What are the main aspects of the General Data Protection Regulation (GDPR) that a public administration should be aware of?”