The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, and while the regulation falls under the European Union (EU), it still has ramifications for businesses in Australia and New Zealand.
As a channel partner, you are in a prime position to ensure your customers have the right people and processes in place to be GDPR compliant.
But first, here’s what you need to know.
What is the GDPR?
The GDPR is a unifying update to EU law that requires businesses to protect the personal data of any EU citizen they do business with, including employees, customers and business partners.
There are two key aims of the GDPR. The first is about giving people more control over how businesses use their data, which is becoming increasingly pertinent in the digital age. The second is to simplify the regulatory environment by setting common standards for data protection.
The GDPR will impose stricter fines of up to €20,000,000 (the equivalent of $32,000,000 AUD) – or 2-4% of a business’ global annual turnover; whichever value is greater – on businesses that mismanage personal data or fail to protect it.
Who does it apply to?
The GDPR extends liability to any business that processes personal data of individuals residing in the EU, regardless of whether the business resides in a member state of the EU or if the processing of data takes place in the EU.
Not sure if the GDPR affects you? Visit our GDPR FAQ page to find out.
What are the key changes and business impacts?
To cut a long and complex regulation short, the GDPR:
- Expands the definition of ‘personal data’ to include anything that can identify an individual, such as genetic, psychological, cultural, economic or social information. This includes a name, photo, email address, medical details, social media posts, bank details or even a computer IP address. As such, businesses will need to evaluate areas of data security that they did not previously need to consider.
- Strengthens controls for obtaining valid consent to use personal data. This means businesses will need to ensure the language they use when seeking consent is clear and concise, and that they can demonstrate valid consent was obtained for that data.
- Requires businesses to notify authorities of a data breach within 72 hours of discovering it. As such, companies will need to be prepared so they can detect and respond to a data breach accordingly.
- Introduces the right to be forgotten, meaning companies will need to get consent should they wish to change the way they are using the data. They will also need to have the right processes in place to be able to delete the data if requested. This, of all changes, will arguably be the most challenging. Fortunately, with data security on everyone’s lips, there is a wealth of security support available to simplify the process.
- Mandates the appointment of a data protection officer for companies that carry out large-scale processing of special categories of data, carry out large-scale monitoring of individuals (such as behaviour tracking), or are a public authority. Companies that fall outside the above criteria will still need to ensure they have the right skills and staff needed to be GDPR compliant.
- Requires businesses to build data protection into the design of data collection and processing systems (including software) rather than as an add-on later. This means the data controller will be responsible for implementing technical and organisational measures that meet GDPR requirements.
What should businesses do to prepare?
The introduction of the GDPR will force most companies to assess their current systems and processes, and to fill in the gaps where needed. As a partner, you can help guide your customers through the process by taking a holistic approach. We have identified four key areas of focus during this process (below).
The GDPR presents an opportunity for you to help your customers manage the lifecycle of their data. Arrow’s security experts have the training, certification, skills and experience to help you protect your customers, so they can avoid risk and ensure compliance.
The countdown to GDPR has begun. Call us on 1300 673 506 or send us an email to learn how we can make you a trusted GDPR adviser.
There is a wealth of GDPR information being produced at the moment. Here are some useful links we believe will further support your GDPR knowledge:
- GDPR: What you need to know
- Check Point for efficient and effective compliance
- Protecting data under GDPR – Cylance
- F5 – a step toward GDPR compliance
- GDPR – being prepared and response-ready FireEye webinar
- ForeScout’s approach to becoming GDPR-compliant
- Point of view: Gigamon and the European Union General Data Protection Regulation
- Smartly selected infrastructure paves a pathway to GDPR compliance (sponsored by HPE)
- Practical advice to network and security operations pros regarding GDPR compliance (Infoblox)
- EMM for mobile GDPR compliance (MobileIron)
- Palo Alto Networks traps – a key tool for GDPR compliance
- Understanding the GDPR requirements and how to comply (Sophos)
- Getting the Sumo Logic platform ready for GDPR
- GDPR – are you compliance-ready? (Symantec)
- Thirteen essential steps to meeting the security challenges of the new EU GDPR (Tenable)
- A guide to complying with US and EU breach notification rules (Varonis)