Impact on SMEs
The GDPR is a set of legislative conditions on how you can collect, process and manage personal data and one of the key aspects to it is the addition of subject access rights.
It applies to global entities, whether you're based in Europe or not.
Any company that's doing business in Europe will be subject to the GDPR. This includes companies based in a foreign country, even if they do not have an office in Europe, if they provide services to, or they collect personal data from, an EU citizen.
While GDPR has been in effect since May 2016, enforcement began in May 2018. A lot of the talk around this regulation is about a significant increase in fines. At the minimum, the fines are 10 million Euros or 2% of your global gross revenue; for a really bad data breach, or a breach involving sensitive or large amounts of personal data, they rise to 20 million Euros or 4% of your global gross revenue.
Yet GDPR is a cultural shift, not simply fines
GDPR is not simply a matter of compliance. At minimum it is an exercise in accountability and risk management, and beyond that it is a cultural shift. There is the simple aspect of having to respond to an incident while also having to declare, within 72 hours of detecting the breach, whether personal data has been breached.
You need to declare a personal data breach if it affects the safety of the data subject. For example, a breached username and password is probably not a reason to declare, but if a home address is breached and there is a risk to that user, you have to declare it.
The GDPR's definition covers any data that allows you to re-identify a data subject, either directly or indirectly. The problem is the 'indirectly', which is where it becomes complicated.
The classic definition of private information that most vendors will give you is surname, first name, address and the like. But when you look at the ability to re-identify a person, you have to take into account their images, hair colour, height and build, skin colour and similar attributes, and it goes all the way to CCTV footage if you are managing CCTV. All of that is classed as personal data.
Two things incident response teams should do now
You need to produce a data map of how you, as a business, manage personal data. If the response teams have access to that map, they can see in advance where an issue is likely to arise, or where personal data may be stored, and where you might need to monitor a little more heavily.
One of the key aspects of the GDPR is accountability: account for everything you do to ensure that personal data is protected, and as part of that, look at how you would respond to a personal data breach. If you are the target of an attack, you should be able to establish whether anything has been changed or destroyed, and confirm that it has not. That is accountability, and it demonstrates that you are taking this seriously and protecting the data.
With privacy there is a connotation that you are not allowed to use the data, or to process that personal data. But that is not what the GDPR is about. The GDPR sets out regulation so that you, as an organisation, understand your responsibilities when collecting that data, and use and process it in a secure manner. When you think of a breach, the connotation is 'Oh, we've lost data' or 'data has been exported'.
But a breach under the GDPR's definitions covers three things. The first is exfiltration: if, for example, you are hit by ransomware, you will have to declare it if the affected data is potentially sensitive. The second is malicious change: if somebody outside the normal processing activity alters the data, that is considered a breach. The third is malicious deletion, that is, erasing the data in any form.
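The data map and breach triage described above lend themselves to a small tool an incident response team can keep next to its runbook. The following is an added example, not code from the article or any product it mentions: it holds a constructed data map (the store names and categories are assumptions), classifies an incident by the three breach kinds the article lists, decides whether notification is indicated using the article's own illustrations (a home address or special-category data creates risk to the subject; a username and password alone does not) as a simplified rule, and computes the 72-hour notification deadline from the detection time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional

# Special-category data the article names as landing in the higher fine bracket.
SENSITIVE_CATEGORIES = frozenset(
    {"political_affiliation", "trade_union", "criminal_record", "race"}
)

# Categories that, in the article's examples, create a risk to the data subject
# on their own (home address, images/CCTV) plus all special categories.
# This is a simplified rule chosen for the example, not a legal test.
RISK_CATEGORIES = frozenset({"home_address", "image"}) | SENSITIVE_CATEGORIES

# The three breach kinds the article lists.
BREACH_KINDS = frozenset({"exfiltration", "malicious_change", "malicious_deletion"})

NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class DataStore:
    """One entry of the data map: a system and the personal-data categories it holds."""
    name: str
    categories: FrozenSet[str]

    @property
    def holds_personal_data(self) -> bool:
        return bool(self.categories)

    @property
    def holds_sensitive_data(self) -> bool:
        return bool(self.categories & SENSITIVE_CATEGORIES)


# Constructed data map for the example; every name and category is an assumption.
DATA_MAP: List[DataStore] = [
    DataStore("crm_db", frozenset({"name", "email", "home_address"})),
    DataStore("auth_service", frozenset({"username", "password_hash"})),
    DataStore("hr_records", frozenset({"name", "trade_union", "criminal_record"})),
    DataStore("cctv_archive", frozenset({"image"})),
    DataStore("metrics_db", frozenset()),  # no personal data at all
]


@dataclass
class Triage:
    kind: str
    affected: List[str]
    personal_data_involved: bool
    sensitive_data_involved: bool
    notify: bool
    deadline: Optional[datetime]  # detection time + 72h when notification is indicated


def triage(kind: str, affected_names: List[str], detected_at: datetime,
           data_map: List[DataStore] = DATA_MAP) -> Triage:
    """Classify an incident against the data map and compute the notification deadline."""
    if kind not in BREACH_KINDS:
        raise ValueError(f"not a GDPR breach kind: {kind!r}")
    by_name = {store.name: store for store in data_map}
    try:
        affected = [by_name[name] for name in affected_names]
    except KeyError as missing:
        # A store absent from the data map is itself a finding: the map is incomplete.
        raise KeyError(f"store {missing} is not in the data map") from None

    personal = any(store.holds_personal_data for store in affected)
    sensitive = any(store.holds_sensitive_data for store in affected)
    risk_to_subject = any(store.categories & RISK_CATEGORIES for store in affected)

    # Notification is indicated when personal data is involved and the breached
    # categories create a risk to the data subject (simplified rule, see lead-in).
    notify = personal and risk_to_subject
    deadline = detected_at + NOTIFICATION_WINDOW if notify else None
    return Triage(kind, affected_names, personal, sensitive, notify, deadline)


def hours_remaining(result: Triage, now: datetime) -> Optional[float]:
    """Hours left on the 72-hour clock, or None if no notification is indicated."""
    if result.deadline is None:
        return None
    return (result.deadline - now).total_seconds() / 3600


if __name__ == "__main__":
    detected = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    for kind, stores in [("exfiltration", ["auth_service"]),
                         ("exfiltration", ["crm_db"]),
                         ("malicious_deletion", ["hr_records"])]:
        result = triage(kind, stores, detected)
        print(kind, stores, "notify:", result.notify, "deadline:", result.deadline)
```

Feeding the triage a store that is not in the data map raises rather than silently treating it as free of personal data; in practice that is exactly the gap the article's data map is meant to surface before an incident, not during one.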
Corporate responsibility and the GDPR
Under the GDPR, responsibility sits at the highest corporate level, i.e. the board of directors, but liability depends on the type of violation, on which articles you are in breach of or not complying with, and on the type of data that has been affected.
There are essentially two brackets of fines.
For example, if you manage what is deemed sensitive data, which includes things like political affiliation, trade union affiliation, criminal records, race and some other categories, you will automatically fall into the higher bracket of fines.
If you have done all your groundwork but are missing certain things, are not complying with certain articles or have done something wrong, that sits more at the 2% level of fines... but there is a lot more to it, and it is a lot more complicated than that.
As for responsibility, the GDPR defines that the organisation and its board are responsible, but there is also what it calls a Data Protection Officer, or DPO. The DPO's responsibilities are to manage and coordinate all of the data protection activities, and also to be the single point of contact for breach notification, for responding to the DPA's requests, and for responding to the DPA where data subjects lodge complaints.
The DPO's responsibility is defined at the highest level in the GDPR.