The EU’s General Data Protection Regulation (GDPR) represents the biggest shakeup to European privacy laws in more than two decades, but it’s not just European media and entertainment (M&E) companies that need to familiarize themselves with the rules before compliance is required starting May 25, 2018, according to Stephanie Iyayi, director at Convergent Risks.
GDPR will strengthen individuals’ rights, but introduces various stringent obligations on data controllers and data processors.
The regulation applies to all companies anywhere in the world that process personal data for EU citizens, regardless of vocation, Iyayi said during a session on “Everything You Need to Know About GDPR” Dec. 6 at the Content Protection Summit in Los Angeles. Under the regulation, any data that can be used to identify an individual is considered personal data, including distribution lists and tax information, she said, adding: “It’s pretty difficult to find data that wouldn’t fall into that category.”
Just how much personal data an organization collects isn’t of much significance because the “volume of information is actually irrelevant,” she said, noting “if you have this personal data, you must completely comply with everything.” And that personal data must all be “processed lawfully, fairly and in a transparent manner,” so you must have a “legal basis for processing the personal data that you hold,” including a legitimate business interest of some sort or if it’s part of a contract, she said.
One “key principle under the GDPR is implementing an appropriate level of security around your personal data,” but GDPR “doesn’t actually prescribe what that means,” Iyayi said. It’s “up to you to assess the type of data you have, how much you have, the nature of it and what you do with it, and then it’s for you to determine what those measures must be,” she told the summit.
“The big change under the GDPR is that privacy must be by design and it mustn’t be an afterthought anymore; you must be putting these into your operational processes day to day,” she said.
Taking steps to comply with GDPR will help tremendously if there is a security breach, she noted, telling the summit: “If you were to be investigated by a regulator and you had those measures in place, it would help to bring down any fine that would be implemented.”
Another “one of the key principles” of GDPR is “not collecting data just for the sake of collecting it anymore; you’ve really got to have a purpose for what you’re collecting” and “you can’t hold onto it for any longer than is necessary,” she said, adding that data must also be securely deleted once the purpose for using it has expired.
Also a key element of GDPR is “you have to notify your local regulator” about any data breach that occurs — whether it’s an accidental loss or an intentional hack — “within 72 hours of discovering it,” she said, adding: “For most people, that creates a lot of fear really” because it’s such a “short time period.”
What “causes a lot of problems” is if there’s been a breach that presents a high risk to individuals, such as the loss of financial or other sensitive data, she went on to say. If that happens, under GDPR, you must notify the individuals impacted directly, she said.
GDPR also requires organizations to keep a “wide range of documentation” to prove compliance, as well as the appointment of a data protection officer if you monitor and collect data from individuals on a large scale, she told the summit. That officer doesn’t have to be a dedicated role, but “it can’t just be Joe Blow because it has to be somebody who has gravitas within the organization,” she explained.
“The fines now are really quite huge” if one is found not complying with GDPR, she said, adding: “We’re talking up to 20 million euros or 4 percent of worldwide turnover.” What would attract fines that large include an organization not having a legal basis to process data that was breached and data breaches that aren’t handled correctly, she said.
Litigation costs could be “massive,” but “it’s not just financial” risk that organizations face, she said, adding the risk to one’s reputation is “potentially huge” as well. Therefore, she said: “It’s something that everybody needs to pay attention to” and prepare for as soon as possible. She predicted this will all “become best practice across the board eventually” for all organizations using personal data.
The Content Protection Summit was produced by MESA and CDSA, presented by MediaSilo, and sponsored by Independent Security Evaluators, Aspera, the Digital Watermarking Alliance, Menlo Security, Microsoft Azure, NAGRA, NexGuard, Convergent Risks, HGST, PwC, Thinklogical, Avid, Militus Cybersecurity Solutions, Amazon Web Services and Bob Gold & Associates.