General Data Protection Regulation (GDPR)
What is GDPR?
The GDPR is designed to unify data protection requirements across the European Union (EU). If you offer goods or services to, or process the personal data of, EU data subjects – which include end users, customers and employees – you need to learn how to address these key requirements.
Starting at the beginning
Every organization needs to begin its GDPR readiness journey somewhere. CobraSoft can help you get started with a GDPR readiness assessment and a roadmap for moving forward.
Once you’ve started, it’s important to keep moving in the right direction. We offer a comprehensive set of data discovery and data mapping tools to help you pinpoint where your personal data is located, track its movement across business processes, and find, identify and mitigate data-layer security and access risks.
Operationalising your program
When you’re ready to run your GDPR program, CobraSoft can help you develop and execute TOMs (Technical and Organizational Measures), manage risks, automate security operations, design processor audits, and identify and respond to data breaches.
In general, the GDPR builds on the EU’s previous privacy standard – the 1995 Data Protection Directive (95/46/EC). It expands and clarifies those requirements in areas including:
Territorial Scope – It applies to all organisations that process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour, regardless of where the organisation is based.
Penalties – The new structure of fines is tiered and capped. Maximum fines are larger than in the past.
Consent – Consent must be freely given, specific and informed, and requests for consent must be clear and succinct with minimal “legalese”.
Breach Notification – The supervisory authority must be notified of a personal data breach without undue delay and, where feasible, within 72 hours of the controller becoming aware of it; affected individuals must be told without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
Rights of Individuals:
Right to Access – They may request information about their personal data maintained by the organisation, and a copy of it.
“Right to be Forgotten” – They can request that the organisation erase their personal data under certain conditions.
Data Portability – They can retrieve their data in a structured, commonly used, machine-readable format and share it with another entity.
Privacy by Design – Personal data protection must be a component of the initial design of any system that uses or holds such data, and data-protective settings must be the default.
Data Protection Officers – Organisations must appoint a Data Protection Officer if they are a public authority, or if their core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of personal data.
Your company MUST be GDPR compliant. We can help ensure your company complies with the regulation.
GDPR ENFORCEMENT AND PENALTIES FOR NON-COMPLIANCE
In comparison to the former Data Protection Directive, the GDPR has increased penalties for non-compliance. Supervisory authorities (SAs) have more authority than under the previous legislation because the GDPR sets a single standard across the EU for all organisations that handle the personal data of individuals in the EU. SAs hold investigative and corrective powers and may issue warnings and reprimands, perform audits to verify compliance, require organisations to bring processing into compliance by a prescribed deadline, order data to be rectified or erased, and suspend transfers of data to recipients in third countries. Both data controllers and data processors are subject to the SAs’ powers and penalties.
The GDPR also allows SAs to issue larger fines than the Data Protection Directive. Fines are determined on the circumstances of each case, and an SA may exercise its corrective powers with or without a fine. Two tiers apply: for infringements such as failing to implement appropriate security measures or to notify a breach, fines may reach €10m or 2% of total worldwide annual turnover, whichever is higher; for infringements of the basic processing principles, data subjects’ rights or the international transfer rules, fines may reach €20m or 4% of total worldwide annual turnover, whichever is higher.
REQUIREMENTS OF GENERAL DATA PROTECTION REGULATION 2018
The final text of the GDPR (Regulation (EU) 2016/679) contains 11 chapters and 99 articles. The article numbers used below do not match that final text; the corresponding article in the final text is given in brackets for each item. The following are some of the provisions with the greatest potential impact on security operations:
Articles 17 & 18 (final text: Articles 17 and 20) – These give data subjects more control over their personal data. Data subjects may direct a controller to erase their personal data under certain circumstances (the “right to erasure”), and, where data is processed by automated means on the basis of consent or a contract, they may receive it in a structured, commonly used, machine-readable format and transfer it to another service provider (the “right to data portability”).
Articles 23 & 30 (final text: Articles 25 and 32) – These require organisations to build data protection into systems by design and by default, and to implement technical and organisational measures appropriate to the risk, so that personal data is protected against loss, unauthorised access or exposure. The final text names encryption and pseudonymisation as examples of such measures.
Articles 31 & 32 (final text: Articles 33 and 34) – Data breach notifications play a large role in the GDPR text. Article 31 covers notification to the supervisory authority: controllers must notify the SA of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must provide specific details such as the nature of the breach and the approximate number of data subjects and records affected. Processors must notify the controller without undue delay. Article 32 requires controllers to inform data subjects without undue delay when a breach is likely to place their rights and freedoms at high risk.
Articles 33 & 33a (final text: Articles 35 and 36) – These require organisations to perform Data Protection Impact Assessments (DPIAs) before processing that is likely to result in a high risk to individuals, to identify and address those risks. In the final text, where a DPIA shows a high residual risk that cannot be mitigated, the controller must consult the SA before processing begins.
Article 35 (final text: Article 37) – This requires certain organisations to appoint a data protection officer. Specifically, public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (genetic data, health data, racial or ethnic origin, religious beliefs, etc.), must designate a data protection officer. These officers advise the organisation on compliance with the regulation and act as its point of contact with the Supervisory Authorities (SAs). Processing employee data as part of ordinary human resources processes does not by itself usually meet the large-scale threshold, but organisations should check the criteria against their actual processing and against any stricter requirement in national law.
Articles 36 & 37 (final text: Articles 38 and 39) – These outline the data protection officer’s position and tasks: monitoring compliance with the GDPR, advising on DPIAs, cooperating with and acting as the contact point for the Supervisory Authority, and being available to data subjects.
Article 45 (final text: Article 3) – The territorial scope provision extends the regulation to organisations established outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU, subjecting them to the same requirements and penalties as EU-based organisations. (In the final text, Article 45 instead governs transfers of personal data to third countries on the basis of an adequacy decision.)
Article 79 (final text: Article 83) – This outlines the administrative fines for GDPR non-compliance, which can be up to €20m or 4% of the organisation’s total worldwide annual turnover, whichever is higher, depending on the nature of the violation.
Are You Ready to Comply with GDPR?
WHO IS SUBJECT TO GDPR COMPLIANCE?
The purpose of the GDPR is to impose a uniform data protection law across all EU member states, so that each member state no longer needs to write its own data protection law and requirements are consistent across the entire EU; as a regulation rather than a directive, it applies directly without national transposition. In addition to organisations established in the EU, it is important to note that any organisation that offers goods or services to, or monitors the behaviour of, individuals in the EU is subject to the regulation, regardless of where it is located. As a result, the GDPR has an impact on data protection requirements globally.
BEST PRACTICES FOR GDPR: AN IMPORTANT EU DATA PROTECTION LAW
All organisations, including small to medium-sized companies and large enterprises, must be aware of the GDPR requirements that apply to them and comply. For many of these organisations, the first step is to give someone clear responsibility for data protection – a designated data protection officer where the regulation requires one, and otherwise a named owner – and to have that person build a data protection program that meets the GDPR requirements.
The General Data Protection Regulation not only applies to businesses in the EU; all businesses offering goods or services to, or monitoring the behaviour of, individuals in the EU MUST comply with the GDPR as well. By complying with GDPR requirements, businesses avoid costly penalties while improving customer data protection and trust.