You’ve met the GDPR, but you could still be breached, and the fines are massive. How can you minimize the risk?
By May 25, 2018, companies doing business with EU residents must meet General Data Protection Regulation (GDPR) standards or risk fines as high as 20 million euros or 4 percent of their annual worldwide profits. But even if your company meets the Regulation, hackers will keep trying to get at your data, and if they’re successful, you could face class-action lawsuits and the destruction of hard-won consumer trust.
And you could still face GDPR fines.
The news is full of good reasons for consumer distrust, such as the 2017 Equifax breach, in which 143 million records, including the social security numbers linked to them, were stolen. But if you can show that you have taken every possible step to protect the people who rely on you, the courts and your customers are more likely to give you the benefit of the doubt.
Encryption is an obvious step, and it is part of the GDPR: under the Regulation you must convert your data into a coded, difficult-to-unlock format that maintains authentication, integrity and non-repudiation. But you also need to implement data minimization and de-identification.
In simple terms, data minimization means that you don’t ask for or keep more than you need, while de-identification temporarily removes links between the data points and the individuals they describe.
Data minimization
With so much personal data available, it may be tempting to collect and cross-reference new information to learn more about your customers. But consumers don’t like it, and are increasingly suspicious of sharing their details. So while a next-of-kin’s name and phone number on a financial services account could help verify family if the account holder dies, asking for the relative’s workplace data may be going too far. And you’re definitely crossing the line if you use any of the data for a purpose that the customer hasn’t agreed to.
The GDPR explicitly states that you need to limit the amount of data you collect, as well as the way you use it. It also says that you can only use the data for its specified, lawful purpose, and stresses the importance of having a plan to destroy the information once the agreed-upon use is finished.
And frankly, less data means you have less to steal.
In some instances your institution might need data linked directly to individuals’ names, for example keeping names, account numbers and addresses together to generate account statements. Other work clusters, however, will not need identifying information, but may need to be able to link it back later.
De-identification is different from anonymization: the information is still linked, but steps are taken to mask it. This can include giving people pseudonyms, plus “k-anonymization”, which hides or generalizes details that could expose an identity, such as a birth date, so that each record looks like several others.
Combined with encryption, de-identification makes it that much harder for hackers to make use of stolen information.
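As an added illustration (not Echoworx code and not a design the GDPR prescribes), the following shows the two de-identification steps described above: keyed pseudonyms that only the key holder can link back to an account, and generalization of quasi-identifiers such as birth date, with a check of the resulting k-anonymity. The records and the key are constructed for the example.

```python
"""Pseudonymization plus k-anonymity check on constructed sample records."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictional people).
RECORDS = [
    {"name": "Ana Ruiz",   "account": "A-1001", "birth_date": "1984-03-12", "postcode": "M5V2T6", "balance": 120.50},
    {"name": "Ben Ito",    "account": "A-1002", "birth_date": "1984-11-02", "postcode": "M5V1A1", "balance": 75.00},
    {"name": "Cara Novak", "account": "A-1003", "birth_date": "1991-07-30", "postcode": "M4B3K2", "balance": 990.10},
    {"name": "Dev Patel",  "account": "A-1004", "birth_date": "1991-01-19", "postcode": "M4B9Z9", "balance": 15.25},
]
DIRECT_IDENTIFIERS = ("name", "account")
QUASI_IDENTIFIERS = ("birth_year", "postcode_area")

def pseudonym(key: bytes, account: str) -> str:
    """Keyed HMAC: without the key, a pseudonym cannot be linked back to an account."""
    return hmac.new(key, account.encode(), hashlib.sha256).hexdigest()[:16]

def de_identify(records, key):
    """Return (masked_records, lookup). The lookup stays with the key holder
    so links can be restored later; the masked records go to other work clusters."""
    lookup, masked = {}, []
    for r in records:
        pid = pseudonym(key, r["account"])
        lookup[pid] = r["account"]
        masked.append({
            "pid": pid,
            "birth_year": r["birth_date"][:4],     # generalize exact date to year
            "postcode_area": r["postcode"][:3],    # generalize postcode to area
            "balance": r["balance"],
        })
    return masked, lookup

def k_anonymity(masked):
    """Smallest group of records sharing the same quasi-identifier values."""
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in masked)
    return min(groups.values())

def re_identify(masked_record, lookup, records):
    """Only the key holder, who keeps the lookup, can re-link a masked row."""
    account = lookup[masked_record["pid"]]
    return next(r for r in records if r["account"] == account)

if __name__ == "__main__":
    masked, lookup = de_identify(RECORDS, b"constructed-demo-key")
    print(masked, "k =", k_anonymity(masked))
```

A k of 1 would mean at least one masked record is unique on its quasi-identifiers and needs further generalization before release.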
The rewards of minimizing risk
While it’s EU law, complying with the GDPR has value no matter where your company does business. Meeting these standards, minimizing your data collection and ensuring de-identification will help you protect your reputation, add reasons for your customers to trust you, and reduce your overall risk.
Want to learn more? Join us, along with the Privacy by Design creator Dr. Ann Cavoukian, for an in-depth webinar on how you can prepare for the GDPR.
By Alex Loo, VP Operations, Echoworx