Full Episode Transcript
Hello everyone. Welcome to today’s show. I’m Rocio Baeza and today we’re going to be talking about a fairly interesting topic to me. So this topic is, or the title of today’s episode is “What is GDPR? The Facts and our Quick Applicability Test”.
So I’m going to start off with a story. And before I do that let me give you some context as to why I want to talk about this. So when we were hearing about all this GDPR noise back in 2018, even before GDPR took effect, I would see lots of questions, lots of questions around “oh, well I don’t think GDPR applies to me”. “My organization is not based in Europe, so I’m good.” Or other things that I would hear are things like “hey, we’re actually very small and I think GDPR applies to larger organizations, larger enterprises. So I think GDPR doesn’t apply to me.” So we’re going to be talking about that in this episode. But first, I want to start with a story.
So if you know a little bit more about how I made my way into the GDPR space, how I broke into the cyber security space, then you will know that coming out of school, this is not something that I was planning on doing. So my background is in mathematics. I figured that that would be a degree that would allow me to just explore what I want to do after school because I didn’t know what I wanted to do. A part of me wanted to teach, a part of me wanted to go into business. And another part of me wanted to go into technology.
So fast forward a couple of years after coming out of school and I found myself being responsible for security. So at that time, this was back in around the 2011 timeframe, my manager at the time, he had been running security audits at the company. He was very busy and he needed some help, so he asked me if this is something that I could take on. And of course I said yes. I figured hey, it’s something new. Something that I can learn more about. And my first break into the cybersecurity space was supporting PCI audits.
So if you’re not familiar with the acronym PCI, it stands for payment card industry. And basically if your organization accepts card payments, then you have to worry about PCI compliance. So when I first started entering this PCI world, I thought “all right, if an organization has to comply with the PCI requirements, then it means that all organizations have to do all of the things all the time.” And that quickly led me to feel overwhelmed and lost. I was frustrated to be honest.
So if you are not familiar with PCI, it’s basically a set of standards. The common standard is called the PCI DSS. This is organized in six goals and it is divided into 12 requirements. And for each requirement there are sub-requirements. So again, initially I thought “okay, if an organization had to comply with the PCI DSS, it means that for all of the IT systems, the organization had to satisfy the 12 PCI DSS requirements all the time.”
And I thought “oh man, that’s hard.” I mean, I was feeling overwhelmed. I was feeling lost. I was feeling defeated, especially because, as I was supporting these PCI audits, at the time I was responsible for this: if there were any findings that the auditors found, part of my job was to make sure that we had a remediation plan so that when the auditors came back next year we would be able to say, “Hey, those issues that you found? We fixed them!”
At this time, I realized that there are all these findings that the auditors found and I have to work with a number of different teams because different teams manage different IT systems. Now, I wasn’t managing these teams. So I had to somehow figure out “okay, how do I convince these teams to correct these issues by a certain time?” And I would pray that the teams would just somehow absorb that as part of their day-to-day responsibilities, so that come next year, I could tell the auditors “hey, yeah, we fixed it.”
And I’m saying this because if you are responsible for GDPR at your organization, you may be feeling the same way. You may be thinking: “Oh my gosh, I have to worry about GDPR for all the systems, all the data that my organization holds. And I don’t know if it’s doable. I don’t know if it’s something that I can actually do.” And you can easily start to feel defeated and frustrated in the journey.
So going back to my PCI example, after years of going through these PCI audits I realized that PCI actually allows for segmentation. What that means is, in your organization, you can segment the organization in a very particular way, so that the PCI requirements that your organization has to follow would only apply to a subset of the organization. In other words, if you basically set up some boundaries around the organization so that card data is only flowing in a part of the organization, then the effort and the resources and the time that it took to achieve PCI compliance would be much less.
So the reason that I’m sharing the story is because the same way that not all 12 PCI DSS requirements apply to all organizations, for GDPR, not all of the GDPR requirements apply to your organization. And to me, this is great news. This is great news because we can really hone in on the areas that we have to focus on, the areas that have to comply with GDPR, and focus our attention there, as opposed to getting everything compliant with GDPR.
And I’m not saying that organizations shouldn’t aim for everything to be consistent. But I am saying that as a starting point, I think it makes sense to focus on what you have to do and once you have something established and it’s working, then it makes sense to take an extra step and mature that when the time comes.
All right. So for today’s lesson I’m going to be walking you through a quick applicability test that I put together to help organizations understand “does GDPR apply to me, yes or no?” And I think that by taking this simple step, organizations will have more clarity as to “should I continue to worry about this, or is this something that I can just put to bed so that I can no longer focus my energy around that and I can focus around the other things that require my attention?”
So this applicability test, it’s a three-point question. I like to make things simple. My experience has been that if you make something simple, it’s more likely for people to be able to follow. Cybersecurity and the data privacy space, it’s already complex. So whenever I can, I look to simplify things.
So these are the three questions that are in my applicability test. So question number one is: is your organization located in the EU, yes or no? Now the EU, that stands for European Union. So just take a couple of seconds and answer that question for yourself. Is your organization located in the EU?
Question number two is: do you service the EU market, yes or no? Now basically if your product or service is available internationally, regardless of where you’re located, if there’s an opportunity for someone to work with you, to buy your product or your service, and that person can be in the EU, then you would answer yes because your product or service would be available in the EU market.
And question number three, the last one, is: do you hold information about a living person that is from the EU or that is living in the EU, yes or no? So when you’re answering the third question, I want you to think about your customers. Customers that have used your product or service. Do you hold information about someone that is still living and is either from the EU or that is living in the EU?
Also think about the people that you are targeting. So these may not be your customers, but these may be prospects. So you may not have sold a good or a product, but you may have provided them with information and maybe you hold information about them. Maybe it’s an email address, maybe it’s their contact information. Think about prospects as well.
The other two categories that I want you to think about when you’re thinking about this question, number three, are employees and contractors. Does your organization employ anyone that is from the EU or that is living in the EU? And the same thing applies to contractors. Are you contracting out any type of work to someone that is from the EU or someone that is living in the EU?
If you answered yes to any of those questions, then it makes sense for you to continue your due diligence because it’s very likely that the GDPR applies to your organization.
So I’m going to repeat those three questions in our quick applicability test. Question number one: are you located in the EU, yes or no? Question number two: do you service the EU market, yes or no? And question number three: do you hold information about a living person that is from the EU or that is living in the EU, yes or no? And if you answered yes to any of these three questions, you should continue with your due diligence. That next step would be to create a data inventory.
Now, I will be talking about what that actually is in a future episode, but just know that this quick applicability test is step zero. And if you answered yes to any of these three questions, then your next step is to create that data inventory.
All right. So at the top of the episode we talked about some questions, and I want to address two things. So the first thing that I want to address is that you might still not be convinced. You may not be convinced that GDPR applies to you, even though you may have answered yes to one of the three questions. And you may say “hey, well I’m not located in the EU so I don’t really have to worry about GDPR. There are other important things that I should be worrying about.”
So I have two responses to that. So the first one is I want to cite the GDPR article that I would want you to take a closer look at. So GDPR is organized in a number of different articles. For the article around what types of organizations GDPR applies to, I want to direct your attention to article three, which talks about territorial scope.
So there are three topics that this article addresses and I want to just quickly read the first two. So number one under article three, it says: “This regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” What this means is the organization doesn’t have to be in the EU. The organization doesn’t have to be handling personal information in the EU. If they are handling personal data about an EU citizen or a resident, then GDPR applies to that organization.
Now I’m going to read number two. This is number two, again in article three. So it reads: “This regulation applies to the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union, where the processing activities are related to the offering of goods and services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or the monitoring of their behavior as far as their behavior takes place within the Union.” So to put it in layman’s terms, this point in number two is basically saying hey, your organization doesn’t have to be established in the Union. And this organization doesn’t have to receive money, nor receive some sort of payment, in order for GDPR to take place.
In other words, if your organization is holding personal data about an EU resident or citizen, then the regulation applies. So if you are getting pushback from others in your organization that GDPR may not apply to the organization, I would point you to article number three. And I would recommend that your Legal Counsel be involved in confirming that.
All right. So my other response to “hey, I’m not located in the EU, so it doesn’t apply to me” is I want to point you to a recent GDPR fine that was issued to a hospital in Portugal. I’m going to include a link to the article in the show notes. But at a very high level, so this hospital, they’re called Centro Hospitalar Barreiro Montijo. So they were issued a fine of 400,000 euros. For us Americans, this comes out to about $460,000. That’s a lot of money.
And this fine was issued for violating the GDPR. Now at a high level, the violations had to do with … so, lots of people had access to personal data, and for those people that had this level of access, it was deemed that it was excessive. So more people had access to personal data than they were supposed to.
Secondly it was found that no technical or organizational measures were in place to prevent the unlawful access to personal data.
And in number three, it was found that the hospital did not have continued measures to ensure the confidentiality, integrity, and availability of systems and services that were processing personal data.
So in a future episode, we will be taking a closer look at these organizations that are being slapped with these GDPR fines. But I think the takeaway here is hey, a hospital that is located in Portugal, they were issued a fine and it was a hefty fine. I expect to see more of these reports going into 2019.
All right, so to close out this episode, I just want to point you to a free resource that we have that I think will be helpful to you. So if you took our quick applicability test and you answered yes to one of the three questions, I want to point you to our free resource, which is called The 10 GDPR Components. So I know when I was starting to learn about GDPR, I felt very lost because of all of these requirements. And I felt like I was having a very hard time wrapping my head around “all right, what are all of the requirements and how can I keep track of all of them?”
And so to help me with that, I put together a sheet where I basically broke down the GDPR into 10 components and I call it The 10 GDPR Components. We will be covering that resource in detail in a future episode, but if you go to our website gdprstandup.com and if you scroll towards the middle, you should be able to see an image that says The 10 GDPR Components. If you click on that, you will be taken to a screen where you can see that. And if you want to download that as a PDF, you can do that as well.
Thanks for checking us out for this episode and looking forward to seeing you in a future one. Goodbye.
Helpful links and resources:
- First GDPR fine in Portugal issued against hospital for three violations
- GDPR Stand Up Website: gdprstandup.com
- The 10 GDPR Components
- Join the GDPR Stand Up Virtual Community
- Free GDPR Data Inventory Course: http://gdprstandup.com/free-course/