GDPR: One rule to rule them all – legally

It’s almost here, but what are the legal ramifications of the incoming legislation for businesses?

There is a certain similarity between J. R. R. Tolkien’s The Lord of the Rings trilogy and the General Data Protection Regulation (GDPR) coming into force tomorrow, May 25 2018. As weird as it may sound, the regulation takes on a role identical to that of the One Ring – GDPR is here to rule the world of data protection the same way the One Ring ruled the others.

In real life, this could be directly linked to unifying the different levels of the data protection legislation in each of the European Union (EU) countries. Except in this case, the One Ring is replaced by the single set of data protection rules across the EU. Thus, the regulation aims to protect any information that relates to “an identified or identifiable person” – addressing the export of personal data outside of Europe as well.

WeLiveSecurity spoke with Tomáš Mičo, ESET Data Protection Officer, to clarify the essentials the regulation brings to businesses. “In Slovakia, where the cybersecurity firm ESET is based, we’ve already had, by law, the possibility to appoint a Data Protection Officer, so applying GDPR for businesses inside countries with similar requirements of legislation shouldn’t have any significant impediments,” he says.

According to Mičo, businesses have already invested significant time and energy into mapping all the processes and reviewing all the agreements, as recommended by data protection professionals. “Moreover, as GDPR has a so-called ‘downstream’ effect, businesses need to apply the same principles to all their arrangements, including those with third-party processors and sub-contractors,” explains Mičo.

The main purpose of the new regulation is to minimize the unnecessary collection of personal data, including steps that prevent storing data that does not need to be stored, and securing the entire journey of the personal data in the company. However, the biggest challenges for businesses lie with the requirements for Privacy by Design, Privacy by Default, Right to Erasure, Right to be Forgotten and Breach Notification.

Computer security companies around the globe are rightfully using this opportunity, offering solutions to mitigate the main risks connected to the regulation – selling encryption, two-factor authentication and other solutions to close any possible path for cybercriminals to get to the personal data that must be protected under GDPR.

That’s not all. Although businesses are successfully deploying cybersecurity solutions to make sure personal data are properly processed and protected inside the company, there are other legal responsibilities that must be fulfilled. One of them is to offer an easy-to-understand explanation of data processing, so customers are transparently informed about the rights they gain under this new regulation.

“Businesses have to make sure they have consent, a contract or another legal basis for processing all of the personal data protected by the regulation, for all their end users. For a mid-sized business, it can as well mean spending countless hours retroactively contacting all of them if their legal basis is not GDPR valid – including end users that businesses gained through third parties or sub-contractors,” adds Mičo.

In addition, individuals also have the right to request a detailed listing of all their personal data that is being processed, and to request it from any vendor that works with the personal data of EU-located customers, even if the company is not physically located in the EU. This is especially hard for e-commerce businesses and businesses that work with cloud services. And that is the reason why the majority of newsletters in the last couple of weeks start with “We have updated our privacy policy”.

Moreover, businesses must have the information about the individual available at any time and keep it protected – encrypted – to be GDPR compliant. “This way the personal data, even when the company suffers a breach or is hacked, stay protected,” says Mičo. Perhaps the greatest onus lies in the Breach Notification requirement, which forces businesses to have processes in place that will ensure the information about the data breach makes it to the appropriate data protection authority within 72 hours after it was discovered.

If nothing else, penalties for non-compliance are quite a lot to swallow – looking at 2% to 4% of the company’s global annual turnover, which is an expense no company can afford to take lightly. A recent survey by IDC, however, reveals that for noncompliance, “regulators are more likely to focus on progress toward the goal than penalizing those not quite finished with GDPR conformity”.

In time, we’ll see if the famous one rule to rule them all will find them all and bind them as the legislators have predicted, or if everyone will meet in an unfulfilled GDPR Land of Mordor.

For more information on GDPR, ESET has a dedicated page to help ensure that you have all the information needed to cope with GDPR. To read more articles like this one, please follow WeLiveSecurity.