If you’ve customers or users in Europe, you probably know of GDPR. It’s that thing, that’s significant, with potential fines, and that your enterprise customers need you to comply with.
Maybe you’ve even signed contracts confirming you are compliant, and crossing your fingers it won’t surface again and you won’t be asked to prove it. This post will walk you through the key things to know about GDPR.
What is GDPR and why does it matter?
GDPR was a sweeping privacy regulation introduced in 2018 that applies to all consumers in the European Union. That is, if you collect any personal data from EU citizens, the GDPR applies. if you don’t comply you may be fined. Perhaps more important than the risk of your own fines; your enterprise customers that use your software are required to comply and that includes responsibility for your compliance.
The fines at their size are likely to be much more significant, as well as the reputation damage and whatnot. They will look for ways to put liability on you (contracts), ask you to assert your compliance (attestations), and in some cases take further steps to actually verify it by requiring you to have it audited or doing their own reviews.
What’s the best way to prove your compliance?
GDPR is not a certifiable standard, it’s a regulation. There are a few ways you can satisfy customers that you are compliant:
- You just tell them you are. This is often in the form of an appendix to a contract, that may have some questions, a checklist, or just a statement, for you to confirm your compliance and sign off to that effect. This is still the most common way.
- You provide details of your compliance. A step further than just telling them, is reporting the details of how you are compliant. This may be a GDPR compliance notice on your website, in an attestation report like SOC 2, or a management style report with the results of assessing your own compliance.
- Closely related certifications. Achieving certifications like ISO 27701 (Privacy Information Management System) or a SOC 2 report with the Privacy criteria included, are closely related to your GDPR compliance. They are often accepted as adequate proof of GDPR compliance.
What’s required for GDPR?
The GDPR is a principles-based regulation, so the way it is applied varies from company to company. We look at the requirements as two parts;
- The technical and organisational measures that secures the data (security); and
- The privacy principles that protect the EU citizens rights (privacy).
The first part can be satisfied by following any of the mainstream information security standards. That’s putting in place reasonable system protections and organisational governance to ensure data is secure and only accessible by people that are authorised to use the data.
The privacy principles cover the rights of EU citizens with respect to how that data is used. This includes obtaining the appropriate consent from those citizens, transparently communicating how the data is used, and informing data subjects of their rights. It requires supporting those rights with things like providing access to their data, ability to modify or request deletion, and even data portability for them to take their data to a different provider.
What’s the relationship between security and privacy?
A common point of confusion is the difference or relationship between information security and privacy; the two parts referenced above. Information security is about how you ensure data is restricted to only those that are authorised to access it. Ie. To ensure data doesn’t fall into the wrong hands. Privacy relies on information security as a starting point, but goes deeper into whether the data is used in a way that’s fair and responsible to the people whose data it is. Privacy only applies for personally identifiable data (PII). That is where data is related to an individual human and that human can be identified from the data. If it’s anonymised (effectively), or related to confidential business information or any other data that’s not personal, then it falls outside the scope of privacy.
How much work is involved in GDPR?
The good news is; for most modern businesses pursuing information security standards, GDPR can be relatively straightforward. Once information security controls have been established and there is clarity around what data is collected, where it’s stored and how it’s secured, the privacy principles for GDPR can be relatively straightforward to add on. From our readiness software, you generally find 20-40 control activities specific to satisfying the privacy principles, to add to 60-90 information security controls.
Privacy requests, data breaches, and other events that trigger the privacy controls are generally less common than other compliance areas like information security. That means the audits and compliance reviews are typically focused on the privacy policy, the design and boundaries of how personal data is used, and the supporting defined processes that protect users privacy rights. A reasonable expectation is being able to complete a GDPR review and achieve compliance within 2-4 weeks if information security has already been established.
How do you get started?
We have free readiness software that can be used for your initial assessment. You can select only GDPR privacy principles if you have already established an information security program, or combine it with information security following several other industry standards. You can also contact us at any time for a chat about how we can support your GDPR requirements.
About AssuranceLab
AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2, and more!). Our award-winning, free software has helped over 500 companies prepare for their compliance goals. We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.