What U.S. businesses need to know about the General Data Protection Regulation

In May 2018, the EU’s new General Data Protection Regulation (GDPR) goes into effect. This set of rules governing the privacy and security of personal data is being laid down by the European Commission—but it has serious implications for many companies in the United States. ESET Sr. Security Researcher Stephen Cobb recently gave a deep dive on what U.S. companies need to know; we lay out his top insights below.

What it is

Regardless of your location, your firm will be affected by the GDPR if:

  • You monitor the behavior of data subjects who are located within the EU.
  • You’re based outside the EU but provide services or goods to the EU (including free services).
  • You have an “establishment” in the EU, regardless of where you process personal data (e.g. cloud-based processing performed outside of the EU for an EU-based company is subject to the GDPR).

Clearly, the new regulation will have a worldwide impact. Now’s the time to start thinking about compliance, if your business will be affected.

What U.S. companies need to know

The GDPR sets out data security principles similar to those in the current directive, including: fairness, lawfulness and transparency; purpose limitation; data minimization; data quality; security, integrity and confidentiality.

Businesses must ensure that customers’ personal data is processed in a manner that ensures its security, including protection against unauthorized or unlawful processing, and against accidental loss, destruction or damage.

The regulation says a number of measures can be used to achieve data protection, including encryption.

In addition, here are eight important factors that U.S. organizations should be aware of:

  1. GDPR establishes hefty fines for non-compliance. An egregious violation, such as poor data security leading to public exposure of sensitive personal information, could result in a fine in the millions or even billions of dollars.
  2. The regulation imposes detailed and demanding breach notification requirements. Affected U.S. companies that are accustomed to state data breach reporting laws may need to adjust their breach notification policies and procedures to avoid violating GDPR.
  3. GDPR tightens the definition of consent. Data subjects must confirm consent through a freely given, specific, informed, and unambiguous statement or a clear affirmative action. In other words: silence, pre-checked boxes, or inactivity no longer constitute consent.
  4. The new regulation takes a broad view of what constitutes personal data, potentially encompassing cookies, IP addresses and other tracking data.
  5. GDPR codifies a right to be forgotten, so individuals can ask your organization to delete their personal data. Organizations that do not yet have a process for accommodating such requests will have work to do.
  6. GDPR gives data subjects the right to receive data in a common format and to ask that their data be transferred to another controller. Organizations that do not yet have a process for accommodating such requests will need to develop one.
  7. The regulation distinguishes between data controllers and data processors. Controllers are liable for the actions of the processors they choose. (The controller-processor relationship should be governed by a contract that details the type of data, purposes, uses, retention, disposal, and protective security measures; think Covered Entity - Business Associate under HIPAA.)
  8. GDPR increases parental consent requirements for children under 16.

What you can do right now

GDPR specifies encryption as one approach that can help to ensure compliance with some of its obligations. Encryption is the process of encoding information in a way that prevents unauthorized parties from being able to read it.

Encrypting the personal data in your systems can help satisfy many requirements of the GDPR. It’s also an excellent way to boost your security instantly and protect confidential information in case of a data breach or lost laptop.

ESET Endpoint Protection is powerful, simple to deploy, and can safely encrypt hard drives, removable media, files and email.

ESET has created an entire ecosystem of resources about GDPR, so you can get everything you need in one place, here.