The ultimate GDPR guide to CEOs

As a CEO you have certainly heard about the ‘GDPR’ but probably did not have time to look into it in detail. You know it will affect your company and have heard about the horrendous fines you might need to pay in case of a data breach. However, you don’t know where to start or what to do in order to comply with the new rules.

In this blog post, we’ll try to break down for you what’s behind this acronym and how it will affect your business. We’ll also give you some tips that could help your company avoid the financial and reputational damage non-compliance would entail.

Let’s start with some key facts about the GDPR!

What is the GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive set of data protection rules issued by the European Union. The Regulation aims to provide the same high level of data protection for EU residents in all EU countries. To achieve this, it requires companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against data loss or exposure. Contrary to the previous legislation, the GDPR is immediately binding and applicable in all EU Member States.

When does it come into effect?

The GDPR entered into force on 24 May 2016. It will directly apply from 25 May 2018.

Who is affected by the GDPR?

The GDPR has a broad territorial scope. It applies not only to organizations established in the EU that process personal data, but also to any organization, irrespective of where it is established, that processes personal data of individuals who are in the EU in order to offer them goods or services (irrespective of whether a payment is required) or to monitor their behavior within the EU.

What is personal data?

Personal data is any information relating to an identified or identifiable natural person (‘data subject’) such as a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The GDPR requires organizations to take measures to minimize the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.

How does the GDPR affect organizations which store and share personal data with cloud-based services?

The GDPR aims to protect personal data at all stages of data processing. The GDPR identifies two different entities that both have obligations: data controllers and data processors. A controller is the entity that determines the purposes, conditions and means of the processing of personal data. Examples include public and private educational and research institutions, healthcare services, or any business that manages the personal data of its employees and customers. A data processor is an entity which processes personal data on behalf of the controller, such as a cloud provider (for example a Software-as-a-Service offering like CRM software).

Are data controllers responsible for their data managed by data processors?

Yes, data controllers are responsible for protecting personal data whenever they use third-party services (data processors) to manage data in the cloud, and therefore should use services that provide the highest protection. With the GDPR, all data processing must have a lawful basis, such as explicit consent from the data subject. When data controllers have data processed by third-party processors, they must ensure the processing remains compatible with the original legal basis and apply safeguards such as encryption.

What security measures does the GDPR recommend to protect data?

The GDPR prescribes that controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including for instance the pseudonymization and encryption of personal data. Moreover, the GDPR highlights the principles of Data Protection by Design, which means organizations must develop data protection processes and products with privacy in mind from the ground up, and Data Protection by Default which ensures that only personal data that are necessary for each specific purpose of the processing are processed.

What are the consequences of non-compliance?

Companies that do not comply risk being fined up to €20 million, or 4% of their worldwide annual turnover of the prior financial year, whichever is higher. Less serious violations, such as keeping improper records or failing to notify of breaches, can be fined a maximum of 2% of annual global turnover, or €10 million. Since the GDPR requires data controllers to communicate a personal data breach to the data subjects if it is likely to result in a high risk to the rights and freedoms of natural persons, companies will also face serious reputational damage in case of a data breach.

Let’s discuss the steps you can take towards GDPR-compliant data management.

Establish best practices

Principle of Least Privilege
The GDPR requires you to minimize the personally identifiable data managed by your teams. Intended to decrease the damage produced by a security breach, the Principle of Least Privilege limits information access to the users who need it for a legitimate purpose or role. The idea behind this is that data protection improves if data is shared only with a limited number of people who need it for their work and who are professionally trained to manage it. For example, an accounting team does not handle interviews, hence it does not need database access to incoming job applications.

Need-to-Know Principle
The Need-to-Know policy is usually enforced by organizations dealing with classified military or governmental information. It implies that even if a person has ample clearance for a certain degree of confidentiality, information will only be shared or discussed if it is required to perform a specific task. Applied to your office, it means that you do not grant access rights or discuss project details based solely on hierarchy or trust, but based on specific roles and involvement in an assignment.

Privacy by Design

Privacy by Design is an approach that promotes taking privacy into account throughout the whole engineering process to protect users’ privacy and give them control over their data. It rests on the idea that the future of privacy cannot be assured solely by compliance with external regulations; it must become an organization’s default mode of operation.

Use encryption extensively

Switch to end-to-end encrypted services
With end-to-end encryption, encryption and decryption are done directly on the device before data are uploaded to the cloud. No one can access stored data except the owner and the users authorized by the owner. Re-identifying persons from end-to-end encrypted data is infeasible, even in case of a server-side data breach. When a breach happens, only the encrypted data leaks and no one can read the contents. The personal data of your staff and clients are not threatened. Hence, in this case, the GDPR’s 72-hour data breach notification requirement does not apply to you. By preventing these types of data breaches, you can also avoid fines of up to 4% of your global annual turnover.

Use HTTPS

Everything starts with the security and privacy of your organization’s internet connection. HTTPS encrypts the communication channel between your device and the online service you are visiting. Make sure your employees submit information only through encrypted sites using the https protocol. This can be achieved by holding regular security training for your staff.

Use local encryption

Encryption in the cloud does not mean your devices are physically protected. End-to-end encryption protects data in the cloud; however, you remain responsible for protecting the device on which the information and files are stored. Disk encryption, malware protection and the use of PIN codes can help achieve this.

Set up internal data governance policies

Manage permission levels for accessing data
Many services, especially cloud storage providers, enable you to manage access permissions for shared projects or folders. Invited users can be granted different roles such as viewer (can read the content), editor (can make edits) or manager (able to make bigger changes such as renaming, deleting or inviting more users). The owner can also revoke access at any time. With this control feature, you can implement best practices such as the Least-Privilege and Need-to-Know Principles in your office and make sure nobody has more access to confidential documents than necessary.
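The role model just described, as an added example that is not part of the original post or any provider’s code: a default-deny permission check over viewer, editor and manager roles, with only the owner or a manager able to grant access and the owner able to revoke it at any time. The folder, e-mail addresses and capability names are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Role(Enum):
    VIEWER = "viewer"    # can read the content
    EDITOR = "editor"    # can also make edits
    MANAGER = "manager"  # can also rename, delete and invite more users

# Capability sets per role; the owner implicitly has every capability.
CAPABILITIES = {
    Role.VIEWER: {"read"},
    Role.EDITOR: {"read", "edit"},
    Role.MANAGER: {"read", "edit", "rename", "delete", "invite"},
}

@dataclass
class SharedFolder:
    name: str
    owner: str
    members: dict = field(default_factory=dict)  # user -> Role

    def allowed(self, user: str, action: str) -> bool:
        """Default-deny: a user with no membership gets no access at all."""
        if user == self.owner:
            return True
        role = self.members.get(user)
        return role is not None and action in CAPABILITIES[role]

    def invite(self, actor: str, user: str, role: Role) -> None:
        # Only the owner or a manager may grant access.
        if not self.allowed(actor, "invite"):
            raise PermissionError(f"{actor} may not invite users to {self.name}")
        self.members[user] = role

    def revoke(self, actor: str, user: str) -> None:
        # The owner may revoke anyone at any time; managers may revoke members.
        if actor != self.owner and not self.allowed(actor, "invite"):
            raise PermissionError(f"{actor} may not revoke access to {self.name}")
        self.members.pop(user, None)

def demo() -> dict:
    """Constructed scenario from the post: recruiting data, accounting excluded."""
    folder = SharedFolder("job-applications", owner="hr-lead@example.com")
    folder.invite("hr-lead@example.com", "recruiter@example.com", Role.EDITOR)
    before = {a: folder.allowed("recruiter@example.com", a) for a in ("edit", "invite")}
    accountant = folder.allowed("accountant@example.com", "read")
    folder.revoke("hr-lead@example.com", "recruiter@example.com")
    after = folder.allowed("recruiter@example.com", "read")
    return {"recruiter": before, "accountant_can_read": accountant, "after_revoke": after}
```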

Set up account security measures
In addition to your password, 2-step verification requires a second, randomly generated code. As your password is the key to your files, including personal data, it is highly recommended to secure it with an extra lock. Adding 2-step verification using a voice call, text message, dedicated authentication app, or email provides an additional layer of security that makes it much harder for attackers to break into your system.

Create data governance policies for external data sharing

Share files containing personal data carefully

If you are sharing documents with people outside your team or organization, it is not always possible to apply sophisticated permission settings. Revocable download links help you avoid sending files as insecure email attachments and, if necessary, let you block a link after the email has gone out. Additional safeguards such as password protection are recommended too.
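A revocable, password-protected download link as the paragraph describes, written here as an added example rather than code from the post or from any sharing service: the link id is an unguessable random token, the optional password is stored only as a salted slow hash, and a link stops resolving once it expires or is revoked. The service class, file ids and timestamps are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class ShareLink:
    file_id: str
    expires_at: float
    salt: bytes
    password_hash: Optional[bytes]  # None for links without a password
    revoked: bool = False

def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked link table does not reveal the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class ShareLinkService:
    def __init__(self) -> None:
        self._links: dict = {}  # token -> ShareLink

    def create(self, file_id: str, ttl_seconds: int,
               password: Optional[str] = None, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable link identifier
        salt = os.urandom(16)
        pw_hash = _hash_password(password, salt) if password else None
        self._links[token] = ShareLink(file_id, now + ttl_seconds, salt, pw_hash)
        return token

    def revoke(self, token: str) -> None:
        # Blocking a link after the email went out, as the post describes.
        link = self._links.get(token)
        if link is not None:
            link.revoked = True

    def resolve(self, token: str, password: Optional[str] = None,
                now: Optional[float] = None) -> Optional[str]:
        """Return the file id for a live link, or None on any failure."""
        now = time.time() if now is None else now
        link = self._links.get(token)
        if link is None or link.revoked or now >= link.expires_at:
            return None
        if link.password_hash is not None:
            if password is None or not hmac.compare_digest(
                    _hash_password(password, link.salt), link.password_hash):
                return None
        return link.file_id
```

resolve deliberately returns the same None for an unknown, expired, revoked or wrongly unlocked link, so a recipient cannot tell which check failed.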

Use services that are cross-platform
In times of remote work, business trips and flexible working hours, it becomes increasingly unrealistic to limit data access to the desktop computers in the company headquarters. If secure IT solutions aren’t flexible enough, it can be tempting for employees to find insecure workarounds. Therefore, use services that are available to your employees on all platforms.

Have a fall-back plan

Protect your devices

If you leave your work mobile or laptop unattended on the beach or in a café, your device and data can easily get into the wrong hands. Besides disk encryption, there are several useful measures that, if activated in advance, help you protect confidential business data even if the device itself is stolen and cannot be recovered. Remote wipe and device unlinking are two examples.

Use GDPR certified third party providers

When you work with data processing services (emailing solution, CRM system, cloud provider), you should be fully aware of the security of those services and solutions. Even if you think you are just a user of these third-party tools, you remain responsible for the security of the data that are stored and shared through them. Make sure that any third-party provider used by your company is certified for GDPR (or can prove equivalent protection, either by certifying for Privacy Shield or by offering model clauses) and uses secure technologies such as encryption, especially end-to-end encryption. Ask for a Data Processing Agreement.

For more information on the GDPR and to see how Tresorit can help, visit our GDPR resources page, or download our e-book.

The materials available on this website are for informational purposes only and do not constitute legal advice. To obtain advice with respect to a particular issue, you should contact your attorney.