The General Data Protection Regulation that takes effect on May 25th, 2018, will obligate both B2B and B2C businesses to comply with brand-new data processing laws. While it might seem that seasoned online businesses should be able to prepare for the changes more easily, the new regulations will significantly affect the practices of B2B and B2C businesses, both seasoned and new to e-commerce. Businesses might focus only on security and think about the fines and what impact they could have on their business. But most of the fines don’t actually relate to security; they relate to ensuring personal data is processed lawfully, providing the right information to data subjects, and adopting the right policies and procedures to manage data and subject requests.
In this article, we look together with our internal GDPR specialist and Legal Counsel, Paul Tomlinson, at threats to your business in light of the new regulations, and solutions on a high level to help keep your business safe.
THE FINES: IT’S NOT ONLY ABOUT SECURITY
At the highest level, compliance risk means avoiding substantial fines, which come on two scales. The fines are not automatic – rather, they are intended to enforce compliance. Regulators will look at a case as a whole to determine the level of fines and can impose numerous other sanctions in addition to, or instead of, fines.
The maximum fine that can be imposed under GDPR is up to 20 million euros, or 4% of the group’s annual global turnover. This fine will tend to be applied for fundamental breaches of the regulations, such as unlawful processing, failure to comply with the basic principles, not having the right policies in place, or not providing relevant information to data subjects at the correct time.
Lower-level fines are up to 10 million euros, or 2% of a group’s annual global turnover. These fines will tend to be more administrative and relate to breaches of data processing obligations.
Ahead of GDPR taking effect, many businesses are focusing heavily on security breaches, although this is only one aspect of compliance. Out of 39 actionable breaches of GDPR, only 2 relate to security; the rest relate to other elements of compliance. Businesses must look at how they collect and process data, who they share it with, how long they keep it and the information they provide to data subjects. It’s about much more than security; the big focus of GDPR is on transparency, accountability, systems, processes, and the provision of information. Together, these form the key elements of compliance.
Looking at finable offences, about half are at the high level and half at the low level. For the high-level offences, nearly all are issues for the controller (the business or merchant). Generally, the controller has more onerous obligations than the processor (solution provider), as it is the controller who engages with the data subjects, collects their data and determines how it is processed and, therefore, carries the higher risk.
Along with fines, there’s also a huge potential for reputation damage. GDPR includes a name-and-shame type of policy as well.
While fines are the highest level of punishment, there’s a whole range of measures that authorities can levy as a means of ensuring compliance. This might include compliance orders or improvement notices, but they can also impose regular audits as a result of an infraction. They can even restrict or prohibit the types of data processing a company is allowed to carry out in the future.
Although there is little to go on right now, the wide-ranging powers of the regulators could, for example, mean that:
(i) a marketing company that routinely and persistently sends spam mail in breach of the regulations may need approval in the future for any marketing activities it wants to initiate;
(ii) a company may get a fine for transferring data outside of the EU in breach of the regulations, but may also be subject to further sanctions, such as being restricted from making such data transfers at all in the future, which may affect its business.
HOW TO ADAPT TO GDPR
The tricky part about GDPR is that it is principle-led legislation, which tells companies what to do, but not how to do it. In terms of security, the requirements aren’t necessarily different from those under the present Data Protection Directive. Essentially, the requirement is to ensure that adequate or appropriate technical and organisational measures are in place.
Under current law, this is to prevent unauthorised or unlawful processing of personal data and accidental loss, destruction of or damage to personal data. GDPR qualifies this in a slightly different way: the measures are to ensure a level of security appropriate to the risk, and the regulations specifically state that this should include pseudonymisation and encryption; the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore availability and access in the event of an incident; and regular testing, assessing and evaluating.
In practice, little has changed in that organisations need to adopt security measures relevant to the nature of the personal data they hold and the harm that may result from a security breach, ensure they have the right physical and technical security (backed up by robust policies and procedures) and be ready to respond to any breach of security swiftly and effectively. However, with the emphasis on transparency and accountability under GDPR, there is a much greater need to demonstrate what measures are in place.
Companies should strive for state-of-the-art measures that will be deemed adequate. ISO 27001, which provides a specification for an information security management system, is often seen as the current benchmark for information security, although it is scheduled for review in 2018 and will need to be measured against the requirements of GDPR. In the meantime, if a company can meet this standard, it is probably in a good place. PCI-DSS compliance is also a great benchmark to use and, although there is a high degree of overlap with ISO 27001, it offers some enhanced (and more prescriptive) measures in terms of access control and monitoring.
Ensuring that software is up-to-date and that known vulnerabilities have been rectified is essential to meet GDPR’s standards.
GDPR does not specify what security scans and penetration testing a company should do, but they do form part of the security requirements. As in many other areas, GDPR has taken what was previously seen as good practice and built it into the regulations. A company should have a robust system in place that is regularly monitored and kept updated. Old, out-of-date legacy systems are a ticking time bomb and should be replaced. Even under the current system, failing to keep systems up to date is seen as an “aggravating” factor that results in higher fines.
CLAIMS FROM INDIVIDUALS (DATA SUBJECTS)
Companies must be able to meet the demands of data subjects. Individuals have a right to ask a business to provide information about, and copies of, the data they hold, correct any errors, transfer it elsewhere and (in some circumstances) delete it.
Data subjects could bring damage claims, which could be against either B2B or B2C companies. GDPR makes it clear that the same rules apply to both business and private customers, with no distinction between them. Personal data is defined as anything that identifies an individual, whether those details relate to their private, professional or public life, and (by definition) this includes a person’s business details.
The issues of data portability and data deletion are brand-new areas, and for some B2B companies all of this will be new. In the past, business customers were not generally regulated in the same manner. A person’s business details (company email, phone number and perhaps even job title) also count as personal data under GDPR. GDPR is intended to introduce a uniform set of rules across the EU, whereas under current law, before GDPR takes effect, a B2B company’s data processing rules depend on the countries it operates in.
We recently published another post on GDPR: ‘What is GDPR? – Back to Basics’
The information given in this article concerning technical legal or professional subject matter is for guidance only and does not constitute legal or professional advice. Vaimo assumes no responsibility for such information contained in this document and disclaims all liability in respect of such information.