GDPR Compliance (5 Minutes Read to understand its implications to Business)

What Does GDPR Mean?

The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It came into direct force on 25th May 2018. GDPR applies to any organisation operating within the EU, as well as any organisation outside of the EU which offers goods or services to customers or businesses in the European Union. This means that almost every major corporation in the world needs to adhere to GDPR.

GDPR’s seven principles

Lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. In reality, only one of these principles – accountability – is new to data protection rules. In the UK all the other principles are similar to those that existed under the 1998 Data Protection Act.

The GDPR establishes

  • Enhanced personal privacy rights
  • Increased duty for protecting data
  • Mandatory breach reporting
  • Significant penalties for non-compliance


Under GDPR there are also a few special categories of sensitive personal data that are given greater protection. This personal data includes information about racial or ethnic origin, political opinions, religious beliefs, membership of trade unions, genetic and biometric data, health information, and data around a person’s sex life or orientation.

Accountability and Responsibility

An organisation should be asking itself questions such as – What types of personal data do we hold? Where is it located? How accessible is it? Are we adequately protecting the data? Are we adequately protecting the data subject’s rights and interests? Do we have the necessary consent? Most importantly – Are we compliant? Data protection should become a board-level discussion due to the huge onus on organisations to comply, and the penalties for those who don’t. Where the DPA (1998) was typically tougher on companies operating inside the EU, the scope of GDPR extends globally. If an organisation holds or processes data that can identify an EU citizen, then it must comply regardless of physical location. GDPR also brings data processors into the spotlight. While it still focuses on the controllers, i.e. those who collected the data and who dictate its use, data processors such as data suppliers are also brought under the microscope when it comes to accountability.

Businesses working on GDPR compliance need to invest in

  • Privacy personnel and employee training
  • Data policies (GDPR’s Article 30 lays out that most organisations need to keep records of their data processing, how data is shared and also stored)
  • Data Protection Officer (if your business has more than 250 employees)
  • Processor/vendor contract


Breaches & Penalties

The punishment for data breaches has been dramatically increased from the £500,000 maximum fine that was permitted under the DPA. The GDPR provides a comprehensive framework for collecting, processing, and managing data, and violating it carries serious consequences. Fines of up to 2% of annual global turnover await those who fail to comply with GDPR. Businesses that suffer a serious data breach are open to fines of up to €20m or 4% of annual turnover – whichever is higher.

What constitutes a Breach?

A data breach is more than just losing personal data. A breach, as defined by the ICO (Information Commissioner’s Office), is – “A breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.” Breaches vary in severity, which makes it important to understand how an organization has been breached, what has been accessed, and how it will affect the rights of the client. For example, a data breach that allows unauthorized access to customers’ transactional data risks the client falling victim to identity theft. This should be reported as it poses a threat to the security of an individual.

GDPR doesn’t say what good security practices look like, as it’s different for every organisation. A bank will have to protect information in a more robust way than your local dentist may need to. However, broadly, proper access controls to information should be put in place, websites should be encrypted, and pseudonymization is encouraged.

Cybersecurity Measures

“Your cybersecurity measures need to be appropriate to the size and use of your network and information systems,” the ICO says. If a data breach occurs, data protection regulators will look at a company’s information security setup when determining any fines that may be issued. Cathay Pacific Airways was fined £500,000, under pre-GDPR laws, for exposing 111,578 of its UK customers’ personal information. It was said the airline had “basic security inadequacies” within its setup.

Indian companies need to review their contracts with their parent company and clients on data privacy rules, so that they understand which GDPR obligations fall on the Indian business operations.