What is ‘PCI Compliance’
Payment card industry (PCI) compliance refers to the technical and operational standards that businesses must follow to ensure that credit card data provided by cardholders is protected. The standard is maintained by the PCI Security Standards Council, while compliance is enforced by the card brands and acquiring banks through their contracts with merchants and service providers. All businesses that store, process or transmit credit card data electronically are required to follow the standard.
BREAKING DOWN ‘PCI Compliance’
Payment card industry (PCI) compliance standards require merchants and other businesses to handle credit card information in a secure manner that reduces the likelihood that cardholders will have sensitive financial data stolen. If merchants do not handle credit card information properly, the card information can be stolen and used to make fraudulent purchases. Additionally, sensitive information about the cardholder can be used in identity fraud.
Being PCI compliant means consistently adhering to a set of requirements set forth by the card brands. The requirements outline a series of steps that everyone handling card data must continually follow. Companies are first asked to assess their information technology infrastructure, business processes and credit card handling procedures to identify potential threats that may compromise credit card data. Companies are then asked to address any gaps in security, to minimise the cardholder data they store, and never to retain sensitive authentication data (full magnetic-stripe or chip contents, card verification codes and PINs) after authorization. Companies are required to provide compliance reports, via their acquirer, to the card brands that they work with, such as American Express and VISA.
All companies that process credit card information are required to maintain PCI compliance, regardless of their size or the number of credit card transactions they process. Companies are assigned to merchant levels based upon the number of transactions they process during a specified period, and the level determines whether an annual on-site assessment or a self-assessment questionnaire is required. PCI compliance is governed by the Payment Card Industry Security Standards Council, an organization formed in 2006 for the purpose of managing the security of payment card data. The requirements, known as the Payment Card Industry Data Security Standard (PCI DSS), are managed by the council, which was founded by VISA, American Express, Discover, MasterCard and JCB.
PCI Compliance and Data Breaches
Many of history’s largest data breaches might have been avoided if the affected merchants or financial institutions had been PCI-compliant. Here are some key takeaways from the Verizon 2017 Payment Security Report, an in-depth study of PCI DSS compliance:
- Retail organizations demonstrated the lowest PCI compliance sustainability across all key industries.
- The IT services industry achieved the highest full compliance of all key industry groups studied.
- 77 percent of companies assessed after a data breach were not in compliance with the number one PCI requirement: install and maintain a firewall configuration.
- The study shows a “demonstrable” correlation between businesses that are up-to-date on the PCI standards and businesses that have successfully defended themselves against cyber threats.
- The number of businesses that are 100 percent PCI-compliant is growing considerably on a year-over-year basis.
What is the ‘Health Insurance Portability and Accountability Act (HIPAA)’
The Health Insurance Portability and Accountability Act (HIPAA) is an act created by the U.S. Congress in 1996 that amends both the Employee Retirement Income Security Act (ERISA) and the Public Health Service Act (PHSA). HIPAA was enacted in an effort to protect individuals covered by health insurance and to set standards for the storage and privacy of personal medical data.
BREAKING DOWN ‘Health Insurance Portability and Accountability Act (HIPAA)’
Health Insurance Portability and Accountability Act (HIPAA) ensures that individual health-care plans are accessible, portable and renewable, and it sets the standards and the methods for how medical data is shared across the U.S. health system in order to prevent fraud. It preempts state law unless the state’s regulations are more stringent.
This act has been modified since 1996 to include processes for safely storing and sharing patient medical information electronically. The act also has an administrative simplification provision, which is aimed at increasing efficiency and reducing administrative costs by establishing national standards.
Health insurers, health maintenance organizations (HMOs), healthcare billing services and other entities that handle sensitive personal medical information, including the business associates that process it on their behalf, must comply with the standards set by HIPAA. Noncompliance may result in civil or criminal penalties.
Challenges for HIPAA in the Digital Age
In an age of fitness-tracking apps and GPS-tracked, shareable data on everything from an individual’s daily step count to their average heart-rate, medications, allergies, and even menstrual cycles, there are new challenges for upholding standards in storing and protecting personal medical data.
In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) broadened HIPAA privacy and security protections. The HITECH Act was enacted as part of the American Recovery and Reinvestment Act of 2009 as well as to promote the use of health-information technology. A portion of the HITECH Act addresses the privacy and security concerns.
In 2018, Bloomberg Law reported on the privacy risks that come from digital health-care data and the likelihood of updated federal laws in the near future. Currently, though insurance companies and health-care providers are subject to laws that require compliance with HIPAA’s security and privacy protections, companies like Fitbit and Apple aren’t held to similar standards. In a video interview, Nan Halstead, a health privacy and security attorney with Reed Smith LLP, said that future laws are unlikely to expand on HIPAA but rather use its framework as a model to create new laws governing the digital sector. Bloomberg’s reporting further notes that while no federal laws have yet been passed to manage consumer health data, states can pass laws that fill the gap in the meantime, and companies tracking consumer data are subject to supervision by regulating bodies like the U.S. Food and Drug Administration and the Federal Trade Commission.
What is the ‘USA Patriot Act’
The USA Patriot Act is a law passed shortly after the Sept. 11, 2001 terrorist attacks in the United States, giving law enforcement agencies broad powers to investigate, indict and bring terrorists to justice. It also led to increased penalties for committing and supporting terrorist crimes. An acronym for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism,” this anti-terror measure was chiefly designed to lower the probable cause threshold for obtaining intelligence warrants against suspected spies, terrorists, and other enemies of the U.S.
BREAKING DOWN ‘USA Patriot Act’
The USA Patriot Act deters and punishes terrorist attacks in the United States and abroad through enhanced law enforcement and strengthened money laundering prevention. It also allows the use of investigative tools designed for organized crime and drug trafficking prevention for terrorist investigations. For example, federal agents can use court orders to obtain business records from hardware stores or chemical plants to determine who may be buying materials to make bombs, or bank records to determine who is sending money to terrorists or suspect organizations. Police officers, FBI agents, federal prosecutors and intelligence officials are better able to share information and evidence on individuals and plots, thus enhancing their protection of communities.
Patriot Act’s Effect on Finance
While the Patriot Act initially conjures thoughts of expanded surveillance activity, it also impacts the broader U.S. community of financial professionals and financial institutions engaging in cross-border transactions with its Title III provision, entitled “International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001.”
With a goal of thwarting the exploitation of the American financial system by parties suspected of terrorism, terrorist financing and money laundering, Title III cites International Monetary Fund data estimating that laundered money accounts for 2-5% of global gross domestic product. By chipping away at these illegal sources of capital, which the law describes as the financial fuel of terrorist operations, Title III aims to diminish their impact through a variety of restrictions and controls.
A Closer Look at the Books
The main Title III mandate imposes tighter bookkeeping requirements, forcing financial institutions to record aggregate amounts of transactions involving countries where laundering is a known problem for the United States. Such institutions must install methodologies of tracking and identifying beneficiaries of such accounts, as well as individuals authorized to route funds through payable-through accounts.
Title III also expands the authority of the Secretary of the U.S. Treasury to develop regulations that stimulate more robust communication between financial institutions, with an aim of stemming laundering activity and making it harder for launderers to conceal their identities. The Treasury is also empowered to halt the merger of two banking institutions, if both have historically failed to discourage laundering with their own internal safeguards.
In an effort to control suspicious activity abroad, Title III prohibits business with offshore shell banks that are unaffiliated with a bank on U.S. soil. Banks must now also apply enhanced scrutiny to accounts owned by senior foreign political figures and their associates, given the risk of proceeds of corruption. And there are greater restrictions on the use of internal bank concentration accounts that fail to effectively maintain audit trails, which the law treats as a money laundering red flag.
Expanded Money Laundering Definition
Nomenclature/definitions are also affected under Title III. For example, the definition of “money laundering” was broadened in scope to include computer crimes, the bribing of elected officials, and the fraudulent handling of public funds. And “money laundering” now encompasses the exportation or importation of controlled munitions not approved by the U.S. Attorney General. Finally, any offense where the U.S. is obligated to extradite a citizen under a mutual treaty with another country likewise falls under the broadened “laundering” banner.
The final subtitle under the Title III provision deals with an effort to rein in the illegal physical transport of bulk currency. It builds upon the Bank Secrecy Act of 1970 (BSA), also known as the Currency and Foreign Transactions Reporting Act, which requires banks to report currency transactions that exceed $10,000 in aggregate in a day, an amount that triggers scrutiny for tax evasion and other questionable practices. Because of the BSA’s success, experienced money launderers know to bypass traditional banking institutions and instead move cash across the border in suitcases and other containers. For this reason, Title III created the offense of bulk cash smuggling: knowingly concealing more than $10,000 in currency or monetary instruments while transporting it into or out of the United States, with intent to evade the reporting requirement, is punishable by up to five years in prison.
For banks, investors, financial advisors, intermediaries, broker/dealers, commodity merchants and the like, the practical result of the Patriot Act’s Title III provision is unprecedented levels of due diligence on any correspondent accounts that exist in money-laundering jurisdictions throughout the world. However, many believe that the actual methods of performing this analysis are nebulous. The specific questions that must be asked seem to fluctuate, since there are no concrete levels of information defined as sufficient to satisfy an inquiry, should a bank or an investor be suspected of violating Title III terms. For this reason, many take a “better-safe-than-sorry” approach and gather as much information as possible.
On the banking side, applications for foreign accounts, whether directly or indirectly owned by U.S. citizens, have become inordinately complex and onerous. Compliance officers routinely augment applications out of concern about satisfying broader Patriot Act mandates and the enforcement agencies that oversee them.
Advantages of the USA Patriot Act
The Act has been a highly-polarizing national security initiative since President George W. Bush signed the bill into law, a month following the terrorist attacks of September 11. Advocates feel the Act has made anti-terrorism efforts more streamlined, efficient and effective. Federal agents use roving wiretaps while tracking international terrorists trained to avoid surveillance by rapidly changing locations and communication devices. A reasonable delay in notifying terrorist suspects of a search warrant gives law enforcement time to identify the criminal’s associates, eliminate immediate community threats and coordinate the arrests of individuals without tipping them off first.
Faster inquiries are made about suspicious activities, strengthening terrorism prevention. Surveillance is easier because companies have a clear definition of who investigates terrorist activities. Increased wiretapping lets investigators listen to conversations potentially threatening to national security. Because law enforcement has more unity through multiple communication channels, investigating officers can act quickly before a suspected attack is completed.
Disadvantages of the USA Patriot Act
Opponents of the Act argue it effectively lets the U.S. government investigate anyone it sees fit, colliding directly with one of the U.S.’s most cherished values: citizens’ right to privacy. Questions of misusing government funds arise when limited resources are used to track American citizens, especially those moving overseas. It is unclear what federal authorities plan to do with information discovered through tracking public records, raising concerns about the government’s autonomy and power.
Suspected terrorists have been imprisoned at Guantanamo Bay without always being told why or being allowed legal representation, violating their right to due process; some prisoners have subsequently been shown to have no ties to terrorism at all.
The business, finance and investment communities are more likely to be affected by heightened documentation requirements and due diligence responsibilities. Though the impact is more on institutions than individual investors, anyone who conducts international business is likely to experience added costs and greater hassles with something as mundane as opening a simple foreign checking account.
What was the ‘The Gramm-Leach-Bliley Act of 1999 (GLBA)’
The Gramm-Leach-Bliley Act of 1999 (GLBA) was a bipartisan law signed by President Bill Clinton on November 12, 1999. The GLBA was an attempt to update and modernize the financial industry. The GLBA is best known for repealing the parts of the Glass-Steagall Act of 1933 that prohibited commercial banks from offering financial services, such as investments and insurance-related services, as part of normal operations.
The act is also known as Gramm-Leach-Bliley Financial Services Modernization Act.
BREAKING DOWN ‘The Gramm-Leach-Bliley Act of 1999 (GLBA)’
Due to the remarkable losses incurred as a result of 1929’s Black Tuesday and Thursday, the Glass-Steagall Act was originally created to protect bank depositors from additional exposure to risk, associated with stock market volatility. As a result, for many years, commercial banks were not legally allowed to act as brokers. Since many regulations have been instituted since the 1930s to protect bank depositors, GLBA was created to allow these financial industry participants to offer more services.
GLBA was passed on the heels of commercial bank Citicorp’s merger with the insurance firm Travelers Group. This led to the formation of the conglomerate Citigroup, which offered not only commercial banking and insurance services, but also lines of business related to securities. Its brands at this stage included Citibank, Smith Barney, Primerica, and Travelers. Citicorp’s merger was a violation of the then-existing Glass–Steagall Act, as well as the Bank Holding Company Act of 1956.
To allow the merger to take place, the U.S. Federal Reserve gave Citigroup a temporary waiver in September 1998—a precursor to Congress’s passage of GLBA. Moving forward, other similar mergers would be fully legal. Repealing Glass–Steagall also removed the ban of “simultaneous service by any officer, director, or employee of a securities firm as an officer, director, or employee of any member bank.”
The Gramm-Leach-Bliley Act and Consumer Privacy
The Gramm-Leach-Bliley Act also required financial institutions offering consumers loan services, financial or investment advice, and/or insurance, to fully explain their information-sharing practices to their customers. Firms must allow their customers the option to “opt out” if they do not want their sensitive information shared with non-affiliated third parties. While many consider critical information, such as bank balances and account numbers, to be confidential, in reality this data is routinely bought and sold by banks, credit card companies, and others. Gramm-Leach-Bliley imposed limited privacy protections against such personal data sales, required institutions to safeguard customer data, and prohibited pretexting (obtaining personal information through false pretenses).
DEFINITION of ‘Bank Secrecy Act – BSA’
The Bank Secrecy Act (BSA) is legislation created in 1970 to prevent financial institutions from being used as tools by criminals to hide or launder their ill-gotten gains. The law requires banks and other financial institutions to file reports with regulators, such as currency transaction reports for cash transactions exceeding $10,000 and suspicious activity reports for transactions that appear to have no lawful purpose, and to keep records that allow authorities to reconstruct the nature of those transactions.
Also known as “Currency and Foreign Transactions Reporting Act.”
BREAKING DOWN ‘Bank Secrecy Act – BSA’
The BSA was put into action to better identify when money laundering is used to further a criminal enterprise, support terrorism, cover up tax evasion or disguise other unlawful activities. The legislation saw early use to counteract the funding of criminal organizations but soon came into use to also address the funding of terrorist groups.
Criminals and fraudsters use money laundering as a means to hide their illicit actions under the color of legitimacy. Cash, rather than traceable electronic transactions, tends to be the preferred means of buying illicit goods and services. Money laundering tactics are employed to disguise those cash sources of revenue as legitimate transactions.
Ways the Bank Secrecy Act is Applied
The law does not require every transaction exceeding $10,000 to be documented. According to the Internal Revenue Service, the general rule is that any person in a trade or business must file Form 8300 if the business receives more than $10,000 in cash from one buyer. This can be the result of a single transaction or of two or more related transactions. The rule can apply to an individual, a company, corporation, partnership, association, trust, or an estate. Form 8300 must be filed within 15 days after the date the cash is received. This requirement applies if any part of the cash transaction occurs within the United States, its possessions, or territories.
The legislation maintains a list of exceptions that do not call for such scrutiny. Government departments/agencies and companies listed on the major North American exchanges are examples of exempt parties.
While this act can be useful in fighting criminal activity, the BSA has drawn criticism because there are very few guidelines defining what is considered suspicious. Law enforcement agencies also do not need to obtain a court order to gain access to the information.
The Office of the Comptroller of the Currency regularly examines banks, federal savings associations, and other institutions for compliance with the BSA.
DEFINITION OF FISMA COMPLIANCE
The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that made it a requirement for federal agencies to develop, document, and implement an information security and protection program. FISMA is part of the larger E-Government Act of 2002 introduced to improve the management of electronic government services and processes. It was updated in 2014 by the Federal Information Security Modernization Act, which kept the FISMA name and strengthened the Department of Homeland Security’s operational role.
FISMA is one of the most important regulations for federal data security standards and guidelines. It was introduced to reduce the security risk to federal information and data while managing federal spending on information security. To achieve these aims, FISMA established a set of guidelines and security standards that federal agencies have to meet. The scope of FISMA has since increased to include state agencies administering federal programs like Medicare. FISMA requirements also apply to any private businesses that are involved in a contractual relationship with the government.
In April 2010 the Office of Management and Budget (OMB) released guidelines which require agencies to provide real time system information to FISMA auditors, enabling continuous monitoring of FISMA-regulated information systems.
FISMA COMPLIANCE REQUIREMENTS
The National Institute of Standards and Technology (NIST) plays an important role in the FISMA Implementation Project launched in January 2003, which produced the key security standards and guidelines required by FISMA. These publications include FIPS 199, FIPS 200, and the NIST Special Publication 800 series.
The top FISMA requirements include:
- Information System Inventory: Every federal agency or contractor working with the government must keep an inventory of all the information systems utilized within the organization. In addition, the organization must identify the integrations between these information systems and other systems within their network.
- Risk Categorization: Organizations must categorize their information and information systems by the impact a loss would have, to ensure that sensitive information and the systems that use it are given the highest level of security. FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems,” defines three impact levels (low, moderate and high) for each of confidentiality, integrity and availability; a system inherits, for each objective, the highest level of any information type it handles.
- System Security Plan: FISMA requires agencies to create a security plan which is regularly maintained and kept up to date. The plan should cover things like the security controls implemented within the organization, security policies, and a timetable for the introduction of further controls.
- Security Controls: NIST SP 800-53 provides an extensive catalog of security controls for FISMA compliance, and FIPS 200 requires agencies to start from the low, moderate or high baseline that matches the system’s FIPS 199 category. FISMA does not require an agency to implement every single control; instead, agencies tailor the baseline to the controls that are relevant to their organization and systems. Once the appropriate controls are selected and the security requirements have been satisfied, the organization must document the selected controls in its system security plan.
- Risk Assessments: Risk assessments are a key element of FISMA’s information security requirements. NIST SP 800-30 offers some guidance on how agencies should conduct risk assessments. According to the NIST guidelines, risk assessments should be three-tiered to identify security risks at the organizational level, the business process level, and the information system level.
- Certification and Accreditation: FISMA requires program officials and agency heads to conduct annual security reviews to ensure risks are kept to a minimum level. Agencies historically achieved FISMA Certification and Accreditation (C&A) through a four-phased process of initiation and planning, certification, accreditation, and continuous monitoring; NIST SP 800-37’s Risk Management Framework now describes the same activity as assessment and authorization.
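The categorization step above is the one FISMA requirement that is purely mechanical, and it is worth seeing the FIPS 199 rules carried through: each information type gets an impact level per objective, the system takes the highest value (the “high-water mark”) per objective, and the highest of those three picks the SP 800-53 baseline. The following Python is an added illustration, not code from any NIST publication or agency tool; the grants-management system and its three information types are constructed for the example. It also encodes two FIPS 199 edge cases the text does not spell out: “not applicable” is permitted only for the confidentiality of public information, and at the system level it is raised to low, because a system always has at least a low-impact exposure on every objective.

```python
"""FIPS 199 security categorization carried through end to end:
per-information-type categories, the system-level high-water mark, and the
overall impact level that selects the FIPS 200 / SP 800-53 baseline.
Added illustration; the sample information types below are constructed."""
from enum import IntEnum


class Impact(IntEnum):
    NA = 0        # "not applicable": allowed only for confidentiality of public info
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_information_type(confidentiality, integrity, availability):
    """Security category of one information type.

    FIPS 199 permits the value "not applicable" only for the confidentiality
    objective (information that is public by design); integrity and
    availability always carry a real impact level.
    """
    if integrity is Impact.NA or availability is Impact.NA:
        raise ValueError("FIPS 199 permits N/A only for confidentiality")
    return {
        "confidentiality": Impact(confidentiality),
        "integrity": Impact(integrity),
        "availability": Impact(availability),
    }


def categorize_system(information_types):
    """High-water mark across every information type the system processes.

    For each objective the system takes the highest value assigned to any
    information type.  N/A is not a valid system-level value: even a system
    holding only public data is categorized at least LOW on confidentiality.
    """
    if not information_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max(info_type[objective] for info_type in information_types)
        category[objective] = max(highest, Impact.LOW)
    return category


def overall_impact_level(category):
    """Single impact level that selects the control baseline (FIPS 200):
    the highest of the three objectives, so one HIGH objective makes the
    whole system a HIGH-baseline system."""
    return max(category.values())


def format_category(category):
    """Render a category in the FIPS 199 notation, e.g.
    SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}."""
    parts = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample: a hypothetical agency grants-management system.
SAMPLE_INFORMATION_TYPES = {
    # Public by design, so confidentiality is N/A; defacement or outage
    # would still mislead applicants, hence MODERATE integrity/availability.
    "public program announcements": categorize_information_type(
        Impact.NA, Impact.MODERATE, Impact.MODERATE),
    # Applicant financial records: disclosure or tampering is MODERATE,
    # a short outage is tolerable.
    "applicant financial records": categorize_information_type(
        Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "routine administrative data": categorize_information_type(
        Impact.LOW, Impact.LOW, Impact.LOW),
}


def categorize_sample_system():
    """Category of the constructed sample system (high-water mark)."""
    return categorize_system(list(SAMPLE_INFORMATION_TYPES.values()))


if __name__ == "__main__":
    for name, cat in SAMPLE_INFORMATION_TYPES.items():
        print(f"{name}: {format_category(cat)}")
    system = categorize_sample_system()
    print("system:", format_category(system))
    print("baseline:", overall_impact_level(system).name)
```

Note the practical consequence of the high-water mark: adding a single information type with one HIGH objective to an otherwise LOW system pulls the whole system, and every control in its baseline, up to HIGH. That is the usual reason agencies split a large system boundary into separately authorized subsystems.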
THE BENEFITS OF FISMA COMPLIANCE
FISMA compliance has increased the security of sensitive federal information. Continuous monitoring for FISMA compliance provides agencies with the information they need to maintain a high level of security and eliminate vulnerabilities in a timely and cost-effective manner.
Companies operating in the private sector – particularly those who do business with federal agencies – can also benefit by maintaining FISMA compliance. This can give private companies an advantage when trying to add new business from federal agencies, and by meeting FISMA compliance requirements companies can ensure that they’re covering many of the security best practices outlined in FISMA’s requirements.
PENALTIES FOR FISMA NON-COMPLIANCE
For those government agencies or associated private companies that fail to comply with FISMA there are a range of potential penalties, including censure by Congress, a reduction in federal funding, loss of contracts, and reputational damage.
FISMA COMPLIANCE BEST PRACTICES
Obtaining FISMA compliance doesn’t need to be a difficult process. The following are some best practices to help your organization meet all applicable FISMA requirements. While this list is not exhaustive, it will certainly get you on the way to achieving FISMA compliance.
- Classify information as it is created: Classifying data based on its sensitivity upon creation helps you prioritize security controls and policies to apply the highest level of protection to your most sensitive information.
- Automatically encrypt sensitive data: This should be a given for sensitive information. Ideally, you should arm your team with a tool that can encrypt sensitive data based on its classification level or when it is put at risk.
- Maintain written evidence of FISMA compliance: Stay on top of FISMA audits by maintaining detailed records of the steps you’ve taken to achieve FISMA compliance.
What is the ‘Sarbanes-Oxley Act Of 2002 – SOX’
The Sarbanes-Oxley Act of 2002 (SOX) is an act passed by U.S. Congress on July 30, 2002 to protect investors from the possibility of fraudulent accounting activities by corporations. The Sarbanes-Oxley Act of 2002, also known as the Corporate Responsibility Act of 2002, mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud.
The Act was created in response to accounting malpractice in the early 2000s, when public scandals such as Enron Corporation, Tyco International plc and WorldCom shook investor confidence in financial statements and demanded an overhaul of regulatory standards.
BREAKING DOWN ‘Sarbanes-Oxley Act Of 2002 – SOX’
The rules and enforcement policies outlined by the Sarbanes-Oxley Act of 2002 (SOX) amend or supplement existing securities legislation. The Act was responsible for sweeping reforms in the following four areas:
- Corporate Responsibility
- Increased Criminal Punishment
- Accounting Regulation
- New Protections
Section 302 and 404 of the Sarbanes-Oxley Act of 2002
There are two key provisions of the Sarbanes-Oxley Act of 2002, Section 302 and Section 404.
Section 302 of the Sarbanes-Oxley Act of 2002 is a mandate that requires senior management to certify the accuracy of the reported financial statement.
Section 404 of the Sarbanes-Oxley Act of 2002 requires management to establish and maintain internal controls over financial reporting, to assess their effectiveness in each annual report, and to have the external auditor attest to that assessment. Section 404 has very costly implications for publicly traded companies, as it is expensive to establish, test and maintain the required internal controls.
Section 802 of SOX
Section 802 of the Sarbanes-Oxley Act of 2002 contains the three rules that affect record keeping. The first deals with destruction and falsification of records. The second strictly defines the retention period for storing records. The third rule outlines the specific types of business records that need to be stored, which includes electronic communications.
In addition to the financial side of a business, such as the audits, accuracy, and controls, the Sarbanes-Oxley Act of 2002 also has consequences for information technology (IT) departments regarding electronic records. The Act does not prescribe a set of business practices in this regard but instead defines which company records need to be retained and for how long. The standards outlined in the Sarbanes-Oxley Act of 2002 do not specify how a business should store its records, only that the records, including electronic communications, must be retained intact and remain retrievable, which in practice falls to the IT department.
What is ‘Basel III’
Basel III is an international regulatory accord that introduced a set of reforms designed to improve the regulation, supervision and risk management within the banking sector. The Basel Committee on Banking Supervision published consultative proposals in December 2009 and the first version of the Basel III rules in December 2010, with the requirements phased in from 2013 onward. Largely in response to the credit crisis, banks are required to maintain proper leverage ratios and meet certain minimum capital requirements.
BREAKING DOWN ‘Basel III’
Basel III is part of the continuous effort to enhance the banking regulatory framework. It builds on the Basel I and Basel II documents, and seeks to improve the banking sector’s ability to deal with financial stress, improve risk management, and strengthen the banks’ transparency. A focus of Basel III is to foster greater resilience at the individual bank level in order to reduce the risk of system-wide shocks.
Minimum Capital Requirements
Basel III introduced tighter capital requirements in comparison to Basel I and Basel II. Banks’ regulatory capital is divided into Tier 1 and Tier 2, while Tier 1 is subdivided into Common Equity Tier 1 and additional Tier 1 capital. The distinction is important because security instruments included in Tier 1 capital have the highest level of subordination. Common Equity Tier 1 capital includes equity instruments that have discretionary dividends and no maturity, while additional Tier 1 capital comprises securities that are subordinated to most subordinated debt, have no maturity, and their dividends can be cancelled at any time. Tier 2 capital consists of unsecured subordinated debt with an original maturity of at least five years.
Basel III left the guidelines for risk-weighted assets largely unchanged from Basel II. Risk-weighted assets represent a bank’s assets weighted by coefficients of risk set forth by Basel III. The higher the credit risk of an asset, the higher its risk weight. Basel III uses credit ratings of certain assets to establish their risk coefficients.
In comparison to Basel II, Basel III strengthened regulatory capital ratios, which are computed as a percentage of risk-weighted assets. In particular, Basel III increased the minimum Common Equity Tier 1 capital from 2% to 4.5%, and the minimum Tier 1 capital from 4% to 6%. The overall minimum regulatory capital was left unchanged at 8%, but a capital conservation buffer of a further 2.5% of Common Equity Tier 1 was added on top of it.
Basel III introduced new requirements with respect to regulatory capital for large banks to cushion against cyclical changes on their balance sheets. During credit expansion, banks have to set aside additional capital (the countercyclical buffer), while during a credit contraction the requirement can be released. The new guidelines also introduced the bucketing method, in which banks are grouped according to their size, complexity and importance to the overall economy. Systemically important banks are subject to higher capital requirements.
Leverage and Liquidity Measures
Additionally, Basel III introduced leverage and liquidity requirements to safeguard against excessive borrowing and ensure that banks have sufficient liquidity during financial stress. In particular, the leverage ratio, computed as Tier 1 capital divided by a total exposure measure covering on- and off-balance-sheet exposures (with intangible assets and other items deducted from capital), must be at least 3%. The liquidity coverage ratio requires banks to hold enough high-quality liquid assets to cover 30 days of net cash outflows under stress, and the net stable funding ratio requires stable funding over a one-year horizon.
What does GDPR stand for?
General Data Protection Regulation.
How did it come about?
In January 2012, the European Commission set out plans for data protection reform across the European Union in order to make Europe ‘fit for the digital age’. Almost four years later, agreement was reached on what that involved and how it will be enforced.
One of the key components of the reforms is the introduction of the General Data Protection Regulation (GDPR). This new EU framework applies to organizations in all member-states and has implications for businesses and individuals across Europe, and beyond.
“The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information,” said Andrus Ansip, vice-president for the Digital Single Market, speaking when the reforms were agreed in December 2015.
What is GDPR?
The reforms are designed to reflect the world we’re living in now, and bring laws and obligations – including those around personal data, privacy and consent – across Europe up to speed for the internet-connected age.
Fundamentally, almost every aspect of our lives revolves around data. From social media companies, to banks, retailers, and governments — almost every service we use involves the collection and analysis of our personal data. Your name, address, credit card number and more are all collected, analyzed and, perhaps most importantly, stored by organizations.
What is GDPR compliance?
Data breaches inevitably happen. Information gets lost, stolen or otherwise released into the hands of people who were never intended to see it — and those people often have malicious intent.
Under the terms of GDPR, not only will organizations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so.
Who does GDPR apply to?
GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation in the world will need to be ready when GDPR comes into effect, and must start working on their GDPR compliance strategy.
There are two different types of data-handlers the legislation applies to: ‘processors’ and ‘controllers’. The definitions of each are laid out in Article 4 of the General Data Protection Regulation.
A controller is “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”, while the processor is “person, public authority, agency or other body which processes personal data on behalf of the controller”. If you are currently subject to the UK’s Data Protection Act, for example, it’s likely you will have to look at GDPR compliance too.
“You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR,” says the UK’s Information Commissioner’s Office, the authority responsible for registering data controllers, taking action on data protection and handling concerns about the mishandling of data.
GDPR ultimately places legal obligations on a processor to maintain records of personal data and how it is processed, providing a much higher level of legal liability should the organization be breached.
Controllers will also be forced to ensure that all contracts with processors are in compliance with GDPR.
What is personal data under the GDPR?
The types of data considered personal under the existing legislation include name, address, and photos. GDPR extends the definition of personal data so that something like an IP address can be personal data. It also includes sensitive personal data such as genetic data, and biometric data which could be processed to uniquely identify an individual.
When does GDPR come into force?
GDPR will apply across the European Union from 25 May 2018, and all member nations are expected to have transferred it into their own national law by 6 May 2018.
Following four years of preparation and debate, GDPR was approved by the European Parliament in April 2016 and the official texts and regulation of the directive were published in all of the official languages of the EU in May 2016.
What’s the GDPR compliance deadline?
As of 25 May 2018, all organizations are expected to be compliant with GDPR.
How does Brexit impact on GDPR?
The UK is set to leave the EU on 29 March 2019, a little over ten months after GDPR comes into force. The UK government has said this won’t impact on GDPR being enforced in the country, and that GDPR will work for the benefit of the UK despite the country ceasing to be an EU member. So Brexit is unlikely to have any impact on an organization’s GDPR compliance requirements.
What does GDPR mean for businesses?
GDPR establishes one law across the continent and a single set of rules which apply to companies doing business within EU member states. This means the reach of the legislation extends further than the borders of Europe itself, as international organizations based outside the region but with activity on ‘European soil’ will still need to comply.
It’s hoped that by streamlining data legislation with GDPR, it can bring benefits to businesses. The European Commission claims that having a single supervisory authority for the entire EU will make it simpler and cheaper for businesses to operate within the region. Indeed, the Commission claims GDPR will save €2.3 billion per year across Europe.
“By unifying Europe’s rules on data protection, lawmakers are creating a business opportunity and encouraging innovation,” the Commission says.
What that means, they say, is regulation will guarantee data protection safeguards are built into products and services from the earliest stage of development, providing ‘data protection by design’ in new products and technologies.
Organizations will also be encouraged to adopt techniques like ‘pseudonymization’ in order to benefit from collecting and analyzing personal data, while the privacy of their customers is protected at the same time. (Although some groups have argued that this already comes too late, given the number of connected devices in the world.)
What does GDPR mean for consumers/citizens?
Because of the sheer number of data breaches and hacks which have occurred over the years, the unfortunate reality for many is that some of their data — be it an email address, password, social security number, or confidential health records — has been exposed on the internet.
One of the major changes GDPR will bring is providing consumers with a right to know when their data has been hacked. Organizations will be required to notify the appropriate national bodies as soon as possible in order to ensure EU citizens can take appropriate measures to prevent their data from being abused.
Consumers are also promised easier access to their own personal data in terms of how it is processed, with organizations told that they need to detail how they use customer information in a clear and understandable way.
Some organizations have already moved to ensure this is the case, even if it is as basic as sending customers emails with information on how their data is used and providing them with an opt-out if they don’t issue their consent to be a part of it. Many organizations, such as those in the retail and marketing sectors, have contacted customers to ask if they want to be a part of their database.
In these circumstances, the customer should have an easy way of opting out of their details being on a mailing list. Meanwhile, some other sectors have been warned that they have a lot more to do in order to ensure GDPR compliance – especially when consent is involved.
GDPR is also set to bring a clarified ‘right to be forgotten’ process, which provides additional rights and freedoms to people who no longer want their personal data processed to have it deleted, provided there are no grounds for retaining it.
Organisations will need to keep these consumer rights in mind once GDPR comes into force.
Is this privacy email really from an actual company? Could it be a scam?
Organisations of all sizes in all sectors are sending customers emails, asking them to opt-in in order to keep receiving messages and other marketing material. For the most part, if the customer does want to remain on the list, they just need to click the part of the email that tells the company they wish to remain in touch.
However, with so many organisations sending out emails on GDPR, criminals and scammers have taken it up as a prime opportunity to send out phishing emails in order to catch people unaware – especially given how people might be receiving more emails from organisations than usual right now.
However, those behind this scheme are very much leveraging GDPR in order to steal information, because while the real Airbnb message doesn’t ask for any information, those who receive the fake message are asked for their personal information, including account credentials and payment card information.
It’s unlikely to be the only attempt by criminals to piggyback on GDPR for their own gain.
What is a GDPR breach notification?
Once GDPR comes into force, it’ll introduce a duty for all organisations to report certain types of data breaches which involve unauthorised access to or loss of personal data to the relevant supervisory authority. In some cases, organisations must also inform individuals affected by the breach.
Organisations will be obliged to report any breaches which are likely to result in a risk to the rights and freedoms of individuals and lead to discrimination, damage to reputation, financial loss, loss of confidentiality, or any other economic or social disadvantage.
This will need to be done via a breach notification, which must be delivered directly to the victims. This information may not be communicated only in a press release, on social media, or on a company website. It must be a one-to-one correspondence with those affected.
Under GDPR, when does an organisation need to make a notification about a breach?
The breach must be reported to the relevant supervisory body within 72 hours of the organisation first becoming aware of it. Meanwhile, if the breach is serious enough to mean customers or the public must be notified, GDPR legislation says customers must be informed without ‘undue delay.’
What are the GDPR fines and penalties for non-compliance?
Failure to comply with GDPR can result in a fine ranging from 10 million euros to four per cent of the company’s annual global turnover, a figure which for some could mean billions.
Fines will depend on the severity of the breach and on whether the company is deemed to have taken compliance and regulations around security in a serious enough manner.
The maximum fine of 20 million euros or four percent of worldwide turnover — whichever is greater — is for infringements of the rights of the data subjects, unauthorised international transfer of personal data, and failure to put procedures in place for or ignoring subject access requests for their data.
A lower fine of 10 million euros or two percent of worldwide turnover will be applied to companies which mishandle data in other ways. These include, but aren’t limited to, failure to report a data breach, failure to build in privacy by design and ensure data protection is applied at the first stage of a project, and failure to appoint a data protection officer — should the organisation be one of those required to by GDPR.
What’s in a GDPR-compliant breach notification?
In the event of a company losing data, be it as a result of a cyberattack, human error or anything else, the company will be obliged to deliver a breach notification.
This must include approximate data about the breach, including the categories of information and number of individuals compromised as a result of the incident and the categories and approximate numbers of personal data records concerned. The latter takes into account how there can be multiple sets of data relating to just a single individual.
Organisations will also need to provide a description of the potential consequences of the data breach, such as theft of money, or identity fraud, and a description of the measures which are being taken to deal with the data breach and to counter any negative impacts which might be faced by individuals.
The contact details of the data protection officer, or main point of contact dealing with the breach, will also need to be provided.
When do we need to appoint a Data Protection Officer?
Under the terms of GDPR, an organisation must appoint a Data Protection Officer (DPO) if it carries out large-scale processing of special categories of data, carries out large scale monitoring of individuals such as behaviour tracking or is a public authority.
In the case of public authorities, a single DPO can be appointed across a group of organisations. While it isn’t mandatory for organisations outside of those above to appoint a DPO, all organisations will need to ensure they have the skills and staff necessary to be compliant with GDPR legislation.
There are no set criteria on who should be a DPO or what qualifications they should have, but according to the Information Commissioner’s Office, they should have professional experience and knowledge of data protection law proportionate to the processing the organisation carries out.
Failure to appoint a data protection officer, if required to do so by GDPR, could count as non-compliance and result in a fine.
What does GDPR compliance look like?
GDPR might seem complex, but the truth of the matter is that for the most part, the legislation is consolidating principles which currently form part of the UK’s Data Protection Act.
However, there are elements of GDPR such as breach notification and ensuring that someone is responsible for data protection which organisations need to address, or run the risk of a fine.
There’s no ‘one size fits all’ approach to preparing for GDPR. Rather, each business will need to examine what exactly needs to be achieved to comply and who is the data controller who has taken responsibility for ensuring it happens.
“You are expected to put into place comprehensive but proportionate governance measures,” says the UK’s ICO. “Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.”
That could be the responsibility of an individual in a small business, or even a whole department in a multinational corporation. Either way, budget, systems and personnel will all need to be considered to make it work.
Under the GDPR provisions that promote accountability and governance, companies need to implement appropriate technical and organisational measures. These could include data protection provisions (staff training, internal audits of processing activities, and reviews of HR policies), as well as keeping documentation on processing activities. Other tactics that organisations can look at include data minimisation and pseudonymisation, or allowing individuals to monitor processing, the ICO said.
In preparing for GDPR, bodies such as the ICO offer general guidance on what should be considered. All organisations will need to ensure they’ve carried out all the necessary impact assessments and are GDPR compliant come 25 May 2018, or risk falling foul of the new directives.
What has changed now GDPR is here?
As of May 25th, GDPR has now come into force, with the days and weeks prior to it seeing a surge in companies sending emails to customers asking them to opt-in to new privacy and consent policies. Emails came so thick and fast in the last 24 hours that many web users felt overwhelmed.
In the run-up to the date, some organisations and platforms, including the social media scoring site Klout, simply shut down operations – Klout didn’t explicitly point to GDPR, but the date of May 25th probably isn’t a coincidence. It isn’t the only service to shut down operations or restrict access to European users.
European users who visited high profile US news websites such as The LA Times, The Chicago Times and The Baltimore Sun on the morning of May 25th found that they weren’t able to access the websites, with the publishers pointing to GDPR as the reason.
“Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and are committed to looking at options that support our full range of digital offerings in the EU market,” said a statement on the Los Angeles Times website.
Similar statements were posted across news publications operated by the Lee Enterprises and Tronc groups.
Denying users access to products – at least for the time being – is viewed by many as a price worth paying to avoid potential fines. Although some would ask the question: what were they doing with user data, and what consent did they have?