Is my organization in scope for GDPR?

Starting May 25^th, the EU’s General Data Protection Regulation (GDPR) is taking effect. Despite the looming start date, there are many organizations that are still unclear about the language of the regulation and why organizations in the US should be aware. A good starting point for understanding how GDPR may affect your organization is to determine if GDPR even applies, and if so, what is your level of exposure to compliance obligations. Compliance and regulation often have a stigma for demanding exhaustive layers of bureaucracy and controls. In this case, the goal of the legislation is not to overburden organizations but to create an environment in which data is recognized as a valuable asset that consumers have the right to manage. To clarify, GDPR is focused on personal data, defined as: Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Why is it important in the United States?

Although GDPR is a piece of legislation passed and applicable to the European Union, some US organizations fall in its scope, while others may want to consider this regulation when analyzing their own data privacy and security needs? It is important for those organizations in scope for GDPR to consider the risk of a data breach, and the financial implications that are associated. In the event of a data breach, non-compliant organizations may be subject to a fine of €20 million or up to 4% of global revenue, whichever is higher, by European Union GDPR Supervisory Authorities. Additionally, data privacy has come to the forefront in the media, which has led to an increased awareness of data privacy and security. Organizations who act irresponsibly with sensitive subject data may see repercussions in the form of negative publicity and potentially loss of business.

Step 1: Am I in scope?

This rather broad definition of personal data will require organizations to analyze what data is being collected in their websites, ecommerce platforms, and any forms of interaction with end users. This is where US businesses may fall in scope for the GDPR. Articles 3(1) and 3(2) state that the GDPR applies to businesses established in the EU as well as to businesses based outside the EU that offer goods and services to, or that monitor, individuals in the EU. Although, a US business may not have a physical presence in the EU, if any of the organization’s users or customers are physically present within EU borders, that US business is in scope for GDPR.

Step 2: How do I collect/interact with data?

Once an organization determines if it’s in scope for GDPR, the next distinction to make is whether it is a Controller or Processor of personal data. A Controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the Processor is an entity which processes personal data on behalf of the controller. If an organization is considered the Controller, it is viewed as the primary party responsible for the management of the personal data, and will therefore, be expected to safeguard that data and make sure that processing completed by any third parties be done in accordance with GDPR. This is an important distinction because typically organizations have used third parties to shift responsibility away. Now, as a Controller of data, you cannot shift that responsibility and need to ensure any processing is done in accordance with GDPR standards.

Pop Quiz!

Organization A provides payroll processing services to corporate customers. Organization A provides those services to its customers in accordance with each customer's instructions. Organization A also uses this data to perform benchmarking analysis, so that it can sell further services allowing customers to compare their payroll data to industry averages. Does Organization A fall within the definition of a Controller or a Processor? In fact, being a Controller is not mutually exclusive from being a Processor. In this example, Organization A is a Controller in respect of some processing activities and a Processor in respect of other processing activities. In this example, Organization A is a Processor in respect of the payroll processing services it provides directly to its customers, and a Controller in respect of the benchmarking services, as it is processing personal data to create benchmarks for its own purposes.

Step 3: I’m in scope and know my role(s), what data do I have?

With responsibility established, the next step is to perform data discovery to figure out how far the scope extends. Keeping GDPR regulations in mind, which apply only to EU residents` currently in the EU, it is important to determine the riskiness and volume of the data being collected.

• Risk Level of Data: Not all data is created equal. GDPR identifies special categories of personal data that are seen as particularly valuable to data subjects. These categories include anything that reveals: racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health data, union membership, or sexual preference. These data categories should be seen as highly risky, as a breach of this information will likely result in much higher fines. Data that is more readily available and less indicative of personal preferences or opinions, such as email addresses, will warrant much lower fines and punishment.

• Volume of Data: The risk level of the data is not the only factor to consider. The volume of the data is a crucial factor for organizations to consider during the planning stage. Again, it ties back to potential fines in the event of a breach. Although some data may be considered highly sensitive, if it only affects a few hundred people, the fines associated with that breach will be much smaller than a breach of a larger scale with the same type of data.

Step 4: I’m in scope, understand my role and what data I have, so what?

Although the fines stated above can be detrimental in the event of loss of subject data, the reality is those are maximums and there are many other factors that are taken into account when assessing GDPR compliance obligations. The goal of the regulation is to spark change in the way subject data is treated, from being an easy monetization opportunity, to instilling a precedence of privacy as an individual right that organizations are entrusted to protect and uphold. Therefore, regulatory bodies will consider if organizations respect the rules and level of efforts in reasonably trying to protect the data, allowing individuals the right of access, right of portability, and right to be forgotten to name a few. Check back for our next post around the rights required to provide to the data subjects. If you’re interested in other cybersecurity related topics, visit a recent article we published on Dark Reading; How to Build a Cybersecurity Incident Response Plan.