By now, you have likely heard something about the European Union’s new General Data Protection Regulation that went into effect May 25. The GDPR is a privacy regulation aimed at protecting information gathered about what the GDPR calls “data subjects” (i.e., people, such as customers, employees, students or clients). It requires businesses to make various disclosures and obtain consent before gathering personal information, allows people to opt out of data collection about them and imposes numerous other obligations on businesses. If you are a business with any online presence, such as a website or email marketing campaigns, GDPR likely applies to you or your business.
The GDPR imposes enormous financial penalties for violations. This article focuses on two of GDPR’s key requirements to minimize exposure to liability: implementing appropriate security measures and breach notification.
GDPR requires businesses to ensure they have adopted and implemented appropriate security measures. This should not surprise Rhode Island businesses, because the Rhode Island legislature enacted an identity theft protection law in 2015, which, among other things, requires businesses to adopt and maintain an appropriate risk-based information security program to protect personal data they collect and store on Rhode Island residents. Rhode Island businesses should already have developed and implemented a written security program, which provides a good starting point toward achieving GDPR compliance. The goal of the GDPR security measures is to ensure the organization has implemented and enforces safeguards in its data systems that will minimize the risks of data breach, theft and loss.
First, a business should investigate and consider the various technologies available to protect and preserve its data. Once a business understands the data it is collecting, why it is collecting it and what harm could be caused by its loss or theft, it must implement security measures.
In this phase, the business must implement technical and organizational measures to ensure a level of security “appropriate to the risk.” For example, a business could encrypt the data, or pseudonymize it by replacing directly identifying fields with artificial identifiers. It should ensure and maintain the confidentiality and integrity of its processing systems and services, have a reliable backup system or redundancies in place so that personal data can be restored, and regularly test, assess and evaluate the effectiveness of its security program.
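The pseudonymization measure mentioned above, shown as an added example that is not part of the original article: identifying fields are replaced with keyed HMAC tokens, the key and the token-to-original lookup are kept apart from the working data set, and the non-identifying fields stay usable for analysis. The record layout, field names and customer data are constructed for the example; one caveat a practitioner should keep in mind is that, as long as the key or lookup table exists, the pseudonymized records remain personal data under the GDPR and must still be protected.

```python
import hashlib
import hmac

# Constructed sample records for the example (not real people; field names are assumptions).
SAMPLE_RECORDS = [
    {"customer_id": 1001, "email": "alice@example.com", "name": "Alice Example", "plan": "pro", "spend_eur": 120},
    {"customer_id": 1002, "email": "bob@example.com", "name": "Bob Example", "plan": "free", "spend_eur": 0},
    {"customer_id": 1003, "email": "alice@example.com", "name": "Alice Example", "plan": "pro", "spend_eur": 45},
]

# Fields that directly identify a data subject and therefore get replaced.
IDENTIFYING_FIELDS = ("customer_id", "email", "name")

# Constructed demo key. In practice this is generated randomly, stored in a key
# management system, and never kept alongside the pseudonymized data set.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymize_value(key: bytes, field: str, value) -> str:
    """Return a stable, key-dependent token for one field value.

    A keyed HMAC (rather than a plain hash) means someone holding the
    pseudonymized data cannot recover an e-mail address by hashing a
    dictionary of candidate addresses: without the key the tokens are opaque.
    The field name is mixed in so the same string in two fields yields two tokens.
    """
    message = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:24]


def pseudonymize_records(key: bytes, records, fields=IDENTIFYING_FIELDS):
    """Replace identifying fields with tokens and return (records, lookup).

    The lookup maps (field, token) back to the original value. It is the
    re-identification material and belongs under separate access control,
    the same as the key; the returned records are what analysts work with.
    """
    pseudonymized = []
    lookup = {}
    for record in records:
        out = dict(record)
        for field in fields:
            if field in out:
                token = pseudonymize_value(key, field, out[field])
                lookup[(field, token)] = out[field]
                out[field] = token
        pseudonymized.append(out)
    return pseudonymized, lookup


def reidentify(lookup, field: str, token: str):
    """Resolve a token back to its original value; only possible with the lookup."""
    return lookup.get((field, token))


def leaks_identifiers(records, pseudonymized, fields=IDENTIFYING_FIELDS) -> bool:
    """Check that no original identifying value survives in the pseudonymized output."""
    originals = {str(r[f]) for r in records for f in fields if f in r}
    emitted = {str(r[f]) for r in pseudonymized for f in fields if f in r}
    return bool(originals & emitted)


if __name__ == "__main__":
    pseudo, lookup = pseudonymize_records(DEMO_KEY, SAMPLE_RECORDS)
    for row in pseudo:
        print(row)
    print("identifiers leaked:", leaks_identifiers(SAMPLE_RECORDS, pseudo))
    print("re-identified:", reidentify(lookup, "email", pseudo[0]["email"]))
```

Because the tokens are deterministic for a given key, the two records belonging to the same customer still join on the tokenized email, so per-customer analysis (total spend, plan history) works without anyone handling the address itself. Rotating the key produces an entirely different token set, which is what you want when a data set is handed to a new processor.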
If a breach occurs, the GDPR requires a business to promptly notify the proper EU authorities within 72 hours of becoming aware of the breach. Rhode Island businesses should already have a breach notification plan because Rhode Island law requires breach notifications to be made “expediently” and no later than 45 days after any breach is confirmed to have occurred. The time to formulate a breach notification plan is not while the business is in the throes of a crisis. Rather, it should create an appropriate template and written process that it will follow if it learns it has incurred a breach or data loss. This process must ensure the right people are included, the right information is gathered and the steps to be taken next are clearly identified.
Although GDPR compliance appears daunting, it can be achieved if the business owner is diligent and supported by a competent team. With all the buzz and controversy over data breaches in recent years, ignoring the risks or hoping it does not happen to you is not a defensible strategy.
Editor’s Note: This is the second of an occasional series on the European Union’s new General Data Protection Regulation.
Brian J. Lamoureux is a partner at Pannone Lopes Devereaux & O’Gara LLC in Johnston.