Levi, Ray & Shoup, Inc.

Getting right with GDPR

4/11/2019 by Jordan Shifflett

You know you need to take the highest precautions to protect your organization’s data, whether that’s proprietary data of systems and services or personally identifiable information of clients and employees.

As an organization operating in the US, you don’t have to worry about complying with data privacy laws; your main motivation is the staggering amount of revenue your organization could lose in a data breach.

Except for industry-specific laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the Fair Credit Reporting Act (FCRA), and the Electronic Communications Privacy Act, the United States does not have any formal data protection laws at the federal level.

But organizations like LRS, an international company with offices in the European Union, need to stay up to date on, and comply with, the EU’s data protection laws. One of those laws is GDPR.

GDPR is the General Data Protection Regulation that was approved as a European Union data protection law in 2016 and officially took effect in May 2018. GDPR’s goal is to strengthen the protection of private data for all residents of the European Union.

This applies heavily to all organizations in the EU, but it also has an impact on businesses in the United States and around the world that collect or use personal data of European Union citizens. GDPR defines personal data as “any information which is related to an identified or identifiable natural person.” This consists of data that can be used to directly or indirectly identify a person, such as names, ID numbers, and location data, but it also includes medical information, email addresses, physical addresses, telephone numbers, credit card numbers, and more.

U.S.-based organizations that need to stay in compliance with GDPR must take extra measures to ensure security and must also take special actions after an incident has occurred. In the event of a data breach or the mishandling of data that results in personal information of EU residents being compromised, U.S. businesses must notify data protection authorities within 72 hours of when the event was recognized and must make it known to the affected individuals whose information has been compromised.

Organizations can face large fines for infringing upon the data protection provisions of the General Data Protection Regulation. Fines for a lower violation are up to 2% of worldwide annual revenue or 10 million euros, whichever is higher. For upper-level offenses, fines can total 4% or 20 million euros, accordingly.

Under this regulation, citizens of the EU have the right to control the use of their personal data. First, there must be clear consent from the individual for organizations to access and process personal data, and the individual must be clearly informed when the collection and use of personal data will occur. Under the right of access provision, organizations in control of sensitive data must provide EU residents a copy of their processed information upon their request. Other provisions allow the individual to request that organizations rectify inaccurate information and to request that data controllers remove all traces of personal data under certain circumstances.

Even if GDPR compliance isn’t a requirement for your organization, becoming familiar with the regulation’s security requirements and remediation steps after a breach is a good idea. Here are some useful links:

https://gdpr-info.eu/

https://www.gdpreu.org/

http://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws.aspx

About the author

Jordan Shifflett is an Information Security Specialist with LRS IT Solutions. Jordan recently joined our security team after receiving a Bachelor of Science in Information Assurance and Security from Illinois State University.