What is GDPR?
At its core, the General Data Protection Regulation (GDPR) is a new set of rules designed to give EU citizens more control over their personal data.
The reforms are designed to reflect the world we’re living in now, and brings laws and obligations – including those around personal data, privacy and consent – across Europe up to speed for the internet-connected age. These regulation aims to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.
Fundamentally, almost every aspect of our lives revolves around data. From social media companies, to banks, retailers, and governments — almost every service we use involves the collection and analysis of our personal data. Your name, address, credit card number, social security, emails, health records, and more all collected, analyzed and, perhaps most importantly, stored by organizations. The regulation is making these organizations responsible and accountable for any negligence and mishandling of peoples personal information. This is enforced by fines and remediation audits.
When does enforcement begin?
After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14 April 2016. Enforcement date: 25 May 2018 – at which time those organizations in non-compliance may face heavy fines.
Who does the GDPR apply to?
GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation in the world will need to be ready when GDPR comes into effect.
One of the major changes GDPR will bring is providing consumers with a right to know when their data has been hacked. Organizations will be required to notify the appropriate national bodies as soon as possible in order to ensure EU citizens can take appropriate measures to prevent their data from being abused.
Sanctions:
The following sanctions can be imposed if there is any negligence found on an organizations hold peoples personal information:
- A warning in writing in cases of first and non-intentional non-compliance.
- Regular periodic data protection audits.
- A fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 4.
- A fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 5 & 6.
Your Organizations Responsibility:
Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached.
- Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.
- As a company you need to be sure that your collect and document consent properly, and you are using that data safely there will be no implied consent.
- Companies need to implement appropriate technical and organizational measures. These could include data protection provisions (staff training, internal audits of processing activities, and reviews of HR policies), as well as keeping documentation on processing activities.
Acmetek’s Seven Layers of Security - Companies need to use the proper standard SSL encryption and security technologies to ensure that there clients information is protected. Such technologies can be found on SSL Support Desk’s parent company Acmetek Global Solutions at www. Acmetek.com.
Does my business need to appoint a Data Protection Officer (DPO)?
DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
But someone from your organization will have to act as such. The Data Protection Officer may be a staff member of your organization, who contains professional qualities and expert knowledge of data protection law and capable of fulfilling the tasks of compliance security referred to in Art. 39.
The key articles of the GDPR, as well as information on its business impact, can be found throughout the following website > General Data Protection Regulation GDPR
A recommended approach to securing your organizational and readying it for the GDPR:
Posted by:
Dominic Rafael
Senior Lead IT Engineer
Be sure to Subscribe!!