De-Mystifying Security Series: Compliance and Regulation
The General Data Protection Regulation (GDPR), effective from 25 May 2018, enhances existing data protection rules for all businesses handling personal data of EU citizens and extends responsibilities from data controllers to also cover data processors. Some of the key points of the GDPR include:
- Fines - maximum fines for non-compliance are €20 million or 4% of global annual turnover (whichever is greater)
- Data breach - the relevant data protection regulator (the ICO in the UK) must be notified of any data breaches “without undue delay” and within 72 hours if possible
- Governance - data controllers and processors must demonstrate an awareness of their data protection obligations and show they have taken steps to comply with the regulation (e.g. putting in place effective cybersecurity measures)
Managed service providers (MSPs) and cloud service providers (CSPs) are covered by the GDPR. This means that, although their clients are still responsible for ensuring compliance with data protection rules (as data controllers), MSPs and CSPs now share this responsibility (as data processors). Penalties for failing to comply with the GDPR apply to both data controllers and processors - so both parties need to take steps to avoid falling foul of the rules.
The Data Protection Act 2018 (DPA) is UK legislation which largely reflects the GDPR principles. There are some minor differences, but these primarily constitute the sections which the GDPR left open for individual member states to fill in. While the UK is a member of the EU, the GDPR applies directly to the UK - but when/if Brexit happens the DPA will effectively ensure that UK data protection laws stay in line with EU laws.
Personal data can only be transferred to a country outside the European Economic Area (EEA) if, under EU law, that country provides an adequate level of data protection. The EU-US Privacy Shield provides a framework agreement which facilitates transfers of personal data from the EEA to US organisations.
American companies which handle any personal data of EU citizens are obliged to register on the Privacy Shield List and self-certify that they meet all the requirements including the minimum data protection standards.
California Consumer Privacy Act of 2018
The California Consumer Privacy Act has been described as a sort of GDPR lite. It affords certain data protection rights to Californian residents, including:
- The right of Californians to know what personal information is being collected about them;
- The right of Californians to know whether their personal information is sold or disclosed and to whom;
- The right of Californians to say no to the sale of personal information;
- The right of Californians to access their personal information; and
- The right of Californians to equal service and price, even if they exercise their privacy rights.
How can Navisite help with regulatory compliance?
One of the most important steps in regulatory compliance is to first identify all the instances and types of data held by a particular business. We help our clients to identify and classify any data they hold on their customers, employees, suppliers, and any third parties. We also provide guidance - tailored to the specific jurisdictions where business is conducted - on the various controls that need to be put in place with regard to any personal information processed, and we can assist with cybersecurity measures to protect the integrity of this data.
Navisite has adopted the ISO/IEC 27001 and SOC 2 frameworks – internationally recognised standards for information security management – which gives our clients peace of mind that their data is in safe hands. We are regularly audited to ensure that we always follow the leading standards.