Ask Anything About: GDPR (Part I)

It can be difficult to keep up with every new term or technology available today. Instead of nodding along in agreement, however, it is important to ask questions that will truly help you understand what is being discussed - even if those questions are simplistic in nature.

For this reason, Website Magazine launched its "Ask Anything About" series (inspired by Reddit's popular Ask Me Anything threads) to pair some basic question about a topic with an expert who could answer them in greater detail.

Our expert for "Ask Anything About: General Data Protection Regulation", or GDPR, is David Thomas who is the founder & CEO of Evident ID, Inc. He is an accomplished cybersecurity entrepreneur, having held key leadership roles at market-pioneers Motorola, AirDefense, VeriSign and SecureIT.

In basic terms, what is general data protection regulation (GDPR)?


David Thomas, Founder & CEO of Evident ID, Inc: The General Data Protection Regulation (GDPR) is an European Union (EU) edict designed to improve the overall standard for data privacy while synchronizing data privacy laws across Europe. It will change how a wide range of  businesses handle, hold, store and protect personal information.


When is the deadline, and what needs to happen before that deadline to meet compliance?


Thomas: It's official and inflexible enforcement date is May 25, 2018, a mere four months away.


The new rules apply to all companies residing in any of the EU's 28 member states as well as companies based outside of the member states that process and store personal data of those in the EU. Additionally, the regulation takes a wide view of what constitutes personal identification data - ranging from social media posts to an individual IP address.


Several requirements will challenge your security team, but we wanted to highlight three important components that could require major operational overhauls:


1. Stronger consent conditions
Companies are allowed to store and process personal data for a specific use case only when an individual consents. According to the EU's GDPR website, the request for consent "must be given in an intelligible and easily accessible form." And once a company is permissioned to use an individuals data it must only be used for the purpose as defined when the initial consent was given, and if the person no longer wishes to engage with the company for the initial intended purpose, their personal data must be removed from the appropriate systems.


2. Mandatory breach notification


As stated on the EU's GDPR website, companies must report a data breach to supervisory authorities of each EU country within 72 hours of when said breach was detected. Individuals affected also must receive notification "without undue delay."


3. Privacy by design
Businesses are now legally obligated to build data protection into information management systems from the outset rather than treat security as an addition. Patchwork fixes will no longer cut it.


Do U.S.-based businesses need to worry about GDPR?


Thomas: While GDPR pertains to personal data of those in the EU, U.S.-based businesses may also find that they need to comply with GDPR if they are processing personal data of those in the EU or plan to do so in the future.  GDPR is not dictated by where a business resides, but rather by whether or not the data being processed is that of a data subject in the EU.  This can pertain to customers, employees, contractors, etc.  


What types of customer information is included in GDPR?


Thomas: GDPR was designed to focus on personal data. Personal data is defined as any information relating to an identified or identifiable individual (known as a "data subject" under GDPR). This can include a name, identification number, physical address, email address, location data, online identifier, credit card number or health information. While a finite list isn't provided, something can be considered personal data if one or more factors can be linked to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


Does GDPR mean companies should stop using customer data to personalize experiences?


Thomas: The intent with GDPR is not to limit the personalized experiences that a company is able to offer, but rather that the "data subject" is able to have more visibility and control about where and how their data is used. 

The critical step for a company who is looking to offer personalized experiences based on someone's personal data is to explicitly outline how the data provided will be used. In addition, they need to allow the "data subject" to both modify and revoke their data for that use.


With GDPR in mind, what should companies be looking for in their technology platforms?


Thomas: Privacy, transparency and security are three of the top considerations when determining how to implement the new requirements. The processes and technology that is put in place needs to be considered "data protection by design and by default".  This means that companies should look to achieve the following with their technology platforms:


  1. Only require the collection of personal data which are necessary for each specific purpose identified
  2. Minimize the processing of personal data
  3. Pseudonymize personal data
  4. Provide transparency with regard to the way personal data is processed
  5. Enable the data subject to monitor the data processing
  6. Enable the controller to create and improve security features, including access controls, encryption, and other data protection measures

How are you involved with GDPR?


Thomas: Evident provides a simple, secure platform that lets businesses confidently know who they are dealing with without handling sensitive personal data. With connections to thousands of authoritative sources through a single API, Evident is the only platform that enables comprehensive, accurate and up to date identity and credential verification. Our unique distributed data model, protected with end-to-end cryptography, readily adjusts to meet growing business and security requirements. With rigorous access controls and user consent processes, we minimize risk and help businesses comply with increasingly strict data regulations like GDPR.


What are the benefits of GDPR for organizations?


Thomas: GDPR will be essential for companies that require the collection of personal data of those in the EU. While the new requirements may add additional processes and work for an organization, they will assist a company in reducing its exposure to data breaches and other liabilities. Overall, it will make an organization more aware of its data practices and potential shortcomings that need to be addressed.  In addition, GDPR should bring more consumer confidence. Today "78 percent of consumers think it is hard to trust companies when it comes to the use of their personal data." This tends to cause misrepresented data to be provided or simply abandonment of engagement all together. The implementation of these standardized regulations should provide peace of mind to individuals that their data is being utilized properly and is being protected, allowing engagement to increase.


What are the risks of GDPR for organizations?


Thomas: Non-compliance of GDPR brings with it a harsh penalty.  A company that fails to comply with GDPR can face up to 20 million Euros or four percent of total global annual turnover, whichever is greater. These fines will be issued by the EU supervisory authority and will be calculated on the type of obligation that has been breached, the seriousness of that breach, its effect on individuals and the behavior of the company. It is critical that organization take the proper steps to comply or risk potential significant damage to business.


What question would you have asked?


  • Why was GDPR created?
  • The scale of the collection and sharing of personal data between public and private actors across the Union has significantly increased since Directive 95/46/EC was put in place. Rapid technological developments and globalization have brought new challenges for the protection of personal data. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Therefore, these regulations were designed to protect the data subject and provide a standard way to address some of the most critical privacy issues.
Keep Reading: