
GDPR Compliance:

Your Guide to Saving 4% of Revenue


An overview of the GDPR's impact on data controllers
and processors handling the data of individuals in the EU.

securityiq.infosecinstitute.com
Executive Summary

Scheduled to come into effect May 25, 2018, the General Data Protection Regulation (GDPR) has struck fear into compliance officers around the world. Much confusion surrounds this new regulation as organizations everywhere work to understand its new requirements and adjust business processes accordingly. This paper will define the GDPR, review key requirements and explain the impact the GDPR will have on organizations across the world.

Table of Contents

What is the General Data Protection Regulation? 1
What Kind of Data Does the GDPR Cover? 1
The GDPR & Personal Data Rights 2
How the GDPR Impacts European Businesses 2
How the GDPR Impacts Businesses Working with European Customers or Staff 4
Where Does the GDPR Differ From the DPD? 4
Six Steps to Becoming GDPR Compliant 6
Consequences of Noncompliance 6
The Importance of Training for GDPR Compliance 7
Staying Compliant with SecurityIQ 8
Conclusion 8
About InfoSec Institute 9
Sources 10
Comprehensive Security Education

SecurityIQ is an integrated security training program offering awareness training, phishing simulations and dedicated client support in one platform. Together, these tools will transform your workforce into guardians of critical data and infrastructure. Our time-proven and science-backed approach helps your organization reach sustained attack avoidance rates of up to 99%.

SecurityIQ is designed for flexibility and easy implementation in a variety of settings. It easily integrates with Active Directory, and offers advanced reporting tools for communication with executive teams.

AwareEd: Security Awareness Training

»» Secure LMS with interactive, gamified learning, quizzes for reinforcement and key summaries
»» Over 130 frequently updated modules, driven by science-backed educational methods selected for high performance
»» Customizable content for all audiences: general, role-based, language, compliance, time constrained, industry and level of expertise

PhishSim: Anti-Phishing Simulation

»» Includes over 200 threat templates in multiple languages, continually updated for just-in-time reporting
»» Programmed for progressive degrees of difficulty (automated or manual configuration)
»» Simulates a variety of attack types, including phishing, spear-phishing, data entry, attachment, macros and USB planting

Security Excellence: Integration, Support & Reporting

»» Dedicated Client Success Manager for white-glove support, from installation to day-to-day management
»» A 12-month delivery plan, supplemented with posters, newsletters, employee handbooks, employee and executive communications and event plans
»» Actionable performance analytics for program evaluation, and "boardroom-ready" performance reports for public reporting, filings and risk evaluations
»» Security posture scorecarding for benchmarking security risks by organization, department and learner

866.471.0059 | securityiq@infosecinstitute.com | securityiq.infosecinstitute.com


What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) evolved from its predecessor, the
Data Protection Directive 95/46/EC. When the Data Protection Directive (DPD)
was adopted in 1995, it was one of the most comprehensive data privacy laws
in the world. Cloud computing and the Internet of Things did not exist at this
time, and the "big-data" era we now live in existed only in concept. The GDPR is
the European Union's (EU) response to today's rapidly changing technology
environment and the growing need to keep personal data secure.

The GDPR is a fully fledged regulation for modern, cloud-based data transactions.
It mandates specific controls over how the personal data of individuals in the EU
is handled and, because it is a regulation rather than a directive, applies directly
and uniformly across EU member states without national transposition. With a
primary focus on protecting the personal data of individuals (referred to in the
regulation as "data subjects"), the GDPR:

»» Defines personal and sensitive data
»» Details how personal and sensitive data must be handled
»» Establishes fines for noncompliance
»» Sets new requirements for breach notifications

What Kind of Data Does the GDPR Cover?

The GDPR covers two types of data, specified in the regulation as:

1. Personal Data

Personal data is any information relating to an identified or identifiable natural
person (Article 4(1)). It can be thought of as any identifier that directly or
indirectly links data to an individual: names, identification numbers, location
data, or online identifiers such as IP addresses and cookie identifiers. It also
includes physical, physiological, genetic, mental, economic, cultural or social
attributes that could be combined to single out an individual.

2. Sensitive Personal Data

Sensitive personal data under the GDPR are the "special categories" of personal
data (Article 9) that require stronger protections and may be processed only under
narrow conditions. They include genetic data, biometric data used to uniquely
identify a person, health data, and data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade union membership,
sex life or sexual orientation.

Whitepaper: GDPR Compliance: Your Guide to Saving 4% of Revenue 1


The GDPR & Personal Data Rights

The GDPR, perhaps more than any other privacy law, gives individuals much
more control over their personal data. The GDPR grants data subjects in the EU
a number of rights, including:

1. Consent for personal data to be shared and processed. Where consent is the
legal basis for processing, the GDPR requires organizations to obtain it from
individuals before sharing or processing their data. Consent must be given by a
"clear affirmative act," meaning it must be expressly collected and the
organization must be able to demonstrate it. Pre-ticked boxes, silence or
inactivity do not count as consent, and organizations must implement a
mechanism that makes withdrawing consent as easy as giving it.
2. Access to personal data. Individuals must be allowed to easily access their
data collected and stored by organizations. The GDPR specifically states the
"data subject should have the right of access to personal data which have
been collected concerning him or her, and to exercise that right easily."
3. Right to be forgotten (right to erasure, Article 17). This is one of the most
difficult-to-manage requirements of the GDPR. Under this provision, individuals
can require an organization to erase their personal data, subject to limited
exceptions such as a legal obligation to retain it. It applies, for example, when
the data subject withdraws the consent on which processing was based and no other
legal basis exists.
4. Right to portability. The data subject must be able to receive their data in a
structured, commonly used and machine-readable format and transfer it easily
between controllers.
5. Right to rectification. The data subject must have the right to have
inaccurate data rectified.

How the GDPR Impacts European Businesses

The GDPR applies to both data processors and controllers in the EU. These
are defined in the GDPR as:

»» Processors: Entities that process personal data on behalf of the controller
(for example, a cloud service provider).
»» Controllers: Entities that determine the purposes and means of processing,
that is, what personal data is processed and how that processing is carried out.



By unifying data protection mandates across the EU, the GDPR will simplify data
collection and sharing across business units. However, European organizations may
need to complete a number of processes to comply with the GDPR. These include:

1. Appoint a Data Protection Officer (DPO).

Article 37 of the GDPR requires an organization to designate a DPO if it is a
public authority or body, or if its core activities involve either of the following:

»» Data processing that requires regular and systematic monitoring of
individuals on a large scale.
»» Large-scale processing of special categories of data, or of personal data
relating to criminal convictions and offences.

A DPO has a number of duties, including advising on how regulatory requirements
fit with business processes, training staff on proper data handling and liaising
with supervisory authorities.

Organizations that meet none of these criteria are not required to appoint a DPO.
Smaller organizations may also engage an external DPO or consultant under a
service contract to remain in compliance without adding significantly to overhead.

2. Review data collection procedures for compliance with GDPR requirements.

This must include the entire lifecycle of data: collection, storage, management,
processing and deletion/archival.

3. Create a data protection awareness program.

This will ensure staff members are aware of the various GDPR rules around
data processing and breach notifications.

4. Perform ongoing information audits.

This step will ensure the organization knows what data is collected and how
it is processed at all times.

5. Complete Data Protection Impact Assessments (DPIA).

Essentially, DPIAs are Privacy Impact Assessments, required under Article 35
where processing is likely to result in a high risk to individuals. According to
the GDPR, DPIAs will "evaluate, in particular, the origin, nature, particularity
and severity" of the "risk to the rights and freedoms of natural persons."

Data-dependent organizations, such as those in the healthcare and retail
industries, will likely find GDPR compliance challenging. These organizations
must understand and map data flows across myriad business associates and
endpoints. Virtually every retailer and healthcare provider will be affected by
the new GDPR requirements.



How the GDPR Impacts Businesses Working with
European Customers or Staff

The GDPR was born in the EU, but its reach is far and wide. It protects
individuals in the EU regardless of where the organization they deal with is
based. In a highly connected, global economy, the net effect of the GDPR is far
reaching. If you offer goods or services to people in the EU, or monitor their
behavior (for example, by collecting behavioral or tracking data), you must
process their data under the GDPR even if you have no establishment in the EU
(Article 3(2)).

In addition, the GDPR isn't just about consumer data. It also applies to
human resources information. If a U.S. company employs staff located in the EU,
but the employee data is processed in the U.S., the company must still comply
with the GDPR when handling these records.

Where Does the GDPR Differ From the DPD?

Each entry below names the regulated topic, gives a short description, and
compares the GDPR with the EU Data Protection Directive (DPD).

Consent
  Description: Consent from a data subject to share and process personal data.
  GDPR vs. DPD: The GDPR sets much more stringent terms for consent, requiring
  that it be freely given, specific, informed and unambiguous. It also adds
  specific consent requirements where children are concerned (Article 8):
  parental consent is required for online services offered to children under 16,
  an age member states may lower to no less than 13.

Fines
  Description: Fines for noncompliance.
  GDPR vs. DPD: GDPR fines are larger than DPD fines and follow a two-tier
  approach based on which provisions were breached.

Data categories
  Description: The categories of data that count as personal data.
  GDPR vs. DPD: The GDPR adds two special categories: genetic data and
  biometric data.

Right to restrict processing
  Description: Grants individuals the right to block processing of their
  personal data.
  GDPR vs. DPD: Both the GDPR and the DPD include this right, but the GDPR
  defines it in more detail and with more stringent requirements.

Right to be forgotten
  Description: Allows individuals to have their stored data erased in specific
  circumstances.
  GDPR vs. DPD: Both provide for erasure, but the GDPR goes several steps
  further: where the controller has made the data public, it must take
  reasonable steps to inform other controllers processing that data of the
  erasure request.

Supervisory authority
  Description: Oversight of cross-border processing by a controller or processor.
  GDPR vs. DPD: The GDPR has much more detailed rules on supervisory
  authorities, including a lead supervisory authority for cross-border processing.

Data transfer outside the EU
  Description: The scope of data protection across borders.
  GDPR vs. DPD: The GDPR gives more explicit direction: personal data may be
  transferred to a country outside the EU and EEA only under an adequacy
  decision, or with appropriate safeguards such as standard contractual clauses
  or binding corporate rules (Chapter 5).

Liabilities
  Description: Defines who is liable for what.
  GDPR vs. DPD: The GDPR imposes direct obligations and liability on both
  controllers and processors, whereas the DPD placed obligations on controllers
  only.

Data Protection Officer (DPO)
  Description: An independent person who oversees data protection strategy and
  the implementation of the GDPR.
  GDPR vs. DPD: Only the GDPR makes a DPO mandatory, and only in the
  circumstances set out in Article 37 (see above). The DPD did not require one.

Data Protection Impact Assessment (DPIA)
  Description: A structured assessment of the privacy risks of a processing
  activity.
  GDPR vs. DPD: Only the GDPR requires a DPIA, and it does so where processing
  is likely to result in a high risk to individuals (Article 35).

Data breach notification
  Description: Rules around when and how organizations must report a data breach.
  GDPR vs. DPD: Under the GDPR, a breach must be notified to the supervisory
  authority without undue delay and, where feasible, within 72 hours of the
  organization becoming aware of it, unless it is unlikely to result in a risk
  to individuals. Affected individuals must also be informed without undue delay
  when the breach is likely to result in a high risk to them.

Data portability
  Description: The ability for individuals to move their data from one
  controller to another.
  GDPR vs. DPD: This right is explicitly defined only in the GDPR.

Pseudonymisation
  Description: A method to help de-identify data.
  GDPR vs. DPD: The GDPR defines pseudonymisation as processing personal data so
  that it can no longer be attributed to a specific individual without the use
  of additional information. That additional information must be kept
  separately from the processed data and protected by technical and
  organizational measures. Pseudonymised data remains personal data under the
  GDPR; only data that has been truly anonymised falls outside its scope.

Territorial scope
  Description: Geographical application of the regulation.
  GDPR vs. DPD: Under the GDPR, applicability depends on where the individual is
  located and on whether the organization offers goods or services to, or
  monitors, people in the EU, not on where the processing or the controller is
  located. Its reach is much larger than the DPD's.
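The pseudonymisation entry above is the one item in this comparison that is a technique rather than a legal rule, so it is worth seeing in code. The following is an added example, not code from the original whitepaper or from InfoSec Institute: it pseudonymises a constructed set of purchase records with a keyed HMAC-SHA256, treats the key and the pseudonym-to-identifier lookup table as the separately held "additional information" the GDPR definition refers to, shows that an erasure request can be honoured by severing that link, and contrasts the approach with an unkeyed hash, which anyone who can guess identifiers can reverse. The record fields, sample e-mail addresses and helper names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records for this example; these are not real people.
SAMPLE_RECORDS: List[Dict] = [
    {"email": "alice@example.com", "item": "book", "amount": 12.50},
    {"email": "bob@example.com", "item": "lamp", "amount": 40.00},
    {"email": "Alice@Example.com", "item": "pen", "amount": 2.00},
]


def new_pseudonymisation_key() -> bytes:
    """Generate the secret key. Under the GDPR definition this key is the
    'additional information': it must be stored apart from the processed
    data (for example in a secrets manager) with its own access controls."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 over a normalised identifier. Deterministic, so the
    same person always maps to the same pseudonym and records stay linkable,
    but without the key the pseudonym cannot be reversed or recomputed."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict], key: bytes,
                 field: str = "email") -> Tuple[List[Dict], Dict[str, str]]:
    """Replace `field` in every record with a pseudonym.

    Returns the processed records (suitable for analytics or a processor) and
    a lookup table mapping pseudonym -> original identifier. The lookup table
    belongs with the key, never alongside the processed data."""
    processed: List[Dict] = []
    lookup: Dict[str, str] = {}
    for record in records:
        subject_id = pseudonym(record[field], key)
        lookup[subject_id] = record[field].strip().lower()
        out = {k: v for k, v in record.items() if k != field}
        out["subject_id"] = subject_id
        processed.append(out)
    return processed, lookup


def reidentify(subject_id: str, lookup: Dict[str, str]) -> Optional[str]:
    """Re-identification is possible only for whoever holds the lookup table."""
    return lookup.get(subject_id)


def erase_subject(identifier: str, key: bytes, lookup: Dict[str, str]) -> bool:
    """Honour an erasure request by deleting the link rather than scanning the
    processed data set: once the mapping is gone, the pseudonymised records can
    no longer be attributed to the person. Returns True if a mapping was removed."""
    return lookup.pop(pseudonym(identifier, key), None) is not None


def naive_hash(identifier: str) -> str:
    """The weak alternative: an unkeyed hash of the identifier."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def guess_identifier(target: str, candidates: List[str]) -> Optional[str]:
    """Dictionary attack against an unkeyed hash: anyone who can guess or
    enumerate identifiers (a leaked mailing list, sequential customer numbers)
    recomputes the hash and undoes the 'pseudonymisation'. The same attack
    fails against the HMAC because the attacker does not hold the key."""
    for candidate in candidates:
        if naive_hash(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    data, table = pseudonymise(SAMPLE_RECORDS, key)
    print(data)                                       # no e-mail addresses remain
    print(reidentify(data[0]["subject_id"], table))   # alice@example.com, given the table
    erase_subject("alice@example.com", key, table)
    print(reidentify(data[0]["subject_id"], table))   # None: the link is severed
    leaked = [naive_hash(r["email"]) for r in SAMPLE_RECORDS]
    print(guess_identifier(leaked[1], ["alice@example.com", "bob@example.com"]))
```

The design point is where the secret lives: the processed records and the key plus lookup table must sit in different systems with different access controls, otherwise the data has not been pseudonymised in the GDPR sense at all. An unkeyed hash of a guessable identifier gives the appearance of de-identification but offers none, which is why the example keeps the HMAC key out of the data set and shows the dictionary attack on the hash variant.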



Six Steps to Becoming GDPR Compliant

Becoming GDPR compliant starts with understanding the new requirements and
determining which business processes are impacted by the policy changes. Here
are six steps to help you evaluate the GDPR's impact on your organization.

1. Know what data you need to hold and why.
2. Understand why you need to process this data. Document what data you
will process.
3. Determine how your organization will acquire and revoke individuals'
consent to share information. Create a policy to document this process.
4. Recognize the rights granted to individuals through the GDPR, including rights
specific to groups like minors.
5. Compare your existing procedures to GDPR requirements and make edits
where required to close identified gaps.
6. Implement all policy changes before May 25, 2018.

Consequences of Noncompliance

An area that has changed significantly under the new regulation is the level of
fine applicable for noncompliance. There are now two tiers (Article 83), each
capped at whichever of two figures is higher:

Up to 2% of annual global turnover, or €10 million (whichever is higher), for
breaches of controller and processor obligations, including:
  »» Failing to secure personal data or to notify breaches (Articles 32 to 34)
  »» Not appointing a DPO where one is required
  »» Not conducting a DPIA where one is required
  »» Not keeping appropriate records of processing activities

Up to 4% of annual global turnover, or €20 million (whichever is higher), for
breaches of the basic principles and of individuals' rights, including:
  »» Processing without a valid legal basis, such as failing to gain consent
  »» Not upholding data subjects' rights under GDPR rules
  »» Transferring data outside the EU in breach of Chapter 5 of the GDPR



Noncompliance with the GDPR carries more than a large fine. The GDPR is ultimately
about protecting personal information. If you do not protect your customers'
personal information, you may also find there are other consequences. These
include:

1. Cost of rectification. Data has intrinsic value to everyone. This includes your
organization, your customers and cybercriminals. The Ponemon Institute's 2017
Cost of Data Breach Study puts the average cost of a breach at $141 per
compromised record.
2. Damaged company reputation. If your company suffers a breach, you must
notify the supervisory authority without undue delay and, where feasible, within
72 hours. If the breach is likely to result in a high risk to individuals, you must
also inform those affected (your customers).
3. Lost consumer trust. Compensation claims and customer attrition could well
outstrip noncompliance fines.
4. Declining share value. A study by Oxford Economics found share value can
drop by 1.8 percent after a cyberattack.

The Importance of Training for GDPR Compliance

The GDPR does not include specific requirements for security training design.
However, Article 39 tasks Data Protection Officers with "awareness-raising and
training of staff involved in processing operations," and Article 47, which governs
binding corporate rules for international transfers, requires such rules to specify
"the appropriate data protection training to personnel having permanent or regular
access to personal data."

Depending on the role of the employee, your training program should include the
following topics:

»» What is the purpose of the GDPR?


»» What constitutes personal and sensitive personal data?
»» What are the principles of the GDPR? Which Articles exemplify each principle?
»» What are the roles of the processor, controller and DPO?
»» What data does your organization need to collect? Why?
»» How do the new consent rules affect your current data collection processes?
»» What are the rights of the data subject?
»» What types of breaches fall under GDPR notification requirements?
»» What type of rules impact collection of data on children?
»» Where and when can techniques like pseudonymization
and anonymization be used?



Staying Compliant with SecurityIQ

InfoSec Institute’s SecurityIQ platform can help your organization fulfill the
personnel training requirements under GDPR. It includes several interactive training
modules related to privacy and data security, including a comprehensive “Privacy
and EU GDPR” module. The GDPR-specific training module covers key topics from
the list above, as well as best practices for protecting sensitive data throughout its
lifecycle.

Conclusion

Written to help organizations achieve privacy and security by design, the GDPR
establishes new rules for companies collecting and processing the data of
individuals in the EU. Compliance under the GDPR is achieved in three key steps:
meeting data collection and processing requirements, raising security awareness
and training staff involved in processing operations. With the right training and
level of security awareness in place, your organization can achieve GDPR compliance
and, more importantly, keep its sensitive data secure.

Is Your Workforce Aware?


Try our security awareness training platform, SecurityIQ, for free! Sign
up for a 30-day trial to see how you can prepare your workforce with
security awareness education and anti-phishing simulations in one
automated, easy-to-use platform!

Sign up for your free demo!



About InfoSec Institute
InfoSec Institute, founded in 1998, provides award-
winning security awareness and training solutions. We
deliver certification-based training courses for security
professionals and enterprise-grade security awareness and
phishing training for businesses, agencies and institutions
of all sizes. Rooted deeply in science-backed education
methods that achieve measurable results, our security
solutions fortify your organization against harmful and
expensive security threats. Our mission is to transform the
largest information security risk — your workforce —
into your strongest line of defense.

infosecinstitute.com



Sources

1. Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), Council of the European Union

2. The EU Data Protection Directive 95/46/EC, EUR-Lex

3. Study: GDPR’s global reach to require at least 75,000 DPOs worldwide, International Association of Privacy
Professionals

4. Should Your Company Appoint a Data Protection Officer (DPO) under the EU GDPR?, DPO Network Europe

5. 2017 Cost of Data Breach Study, Ponemon Institute

6. Cyber Breaches Cause Permanent Damage to Share Values, Fortune

© 2017 InfoSec Institute, Inc. All rights reserved.

