How to prepare implementation of the GDPR – General Data Protection Regulation
The General Data Protection Regulation (GDPR) comes into effect on May 25th 2018, with the goal of harmonizing European Union (EU) laws regarding the treatment and processing of citizens' data. The new rules, however, have repercussions all over the world, since even companies outside the EU will have to respect the GDPR when dealing with the data of European citizens.
One of the Regulation's essential points is the strengthening of the security and privacy of citizens' personal data held by companies. The new rules set out rigorous requirements for the source, storage, treatment of, and access to this type of information. Many companies will have to rethink their entire Information Technology (IT) structure in order to implement far more effective architectures for IT security and data processing.
Managers who are already factoring in the cost of the required investment should also factor in the harsh sanctions for companies that do not comply with the GDPR. Those who do not comply with the fundamental rules risk fines of up to 20 million euros in the case of large companies. But even smaller companies should prepare for the new law, since the GDPR holds companies responsible for harm caused by non-compliance, namely when citizens' data are "violated".
Reporting security failures in 72 hours
One of the GDPR's relevant points is that it obliges companies and organizations to report security failures within 72 hours of first detection. This leaves very little time to gather all the necessary information, namely the extent of the failure and the type and quantity of affected data. It highlights the importance of maintaining total transparency and visibility of processes across the entire IT infrastructure, from the cloud to endpoints, including software-as-a-service.
This point also highlights the need to implement effective data loss prevention and encryption systems, in order to detect and/or prevent failures and accidents in time. Early detection is fundamental and can even avoid the need to report a failure, if it is flagged at an early stage, before any data have been compromised. This saves both time and money.
In addition to reporting the incident, you will need to define detailed procedures to contain and resolve the problem, as well as preventive measures to improve IT security. All of this requires that companies respond to threats very quickly, and therefore have resilient, highly available IT infrastructures.
Starting with a clean slate
In preparing for the new GDPR, companies should start by assessing and cataloguing the customers' personal data they are storing, determining its source, storage location, and purpose. It is particularly important to understand whether any of this data has been violated, and to detect any security failures that may have enabled the breach. It is crucial to resolve any currently existing problems in order to enter the GDPR era with a clean slate.
Companies should document all processes that must conform to the GDPR, namely by defining and testing in advance how the regulations are to be applied. These steps are fundamental to complying with the new regulations, particularly regarding the new rights of the citizens whose data you store. Among these new rights are the right to be forgotten – upon request, a citizen's information must be removed or deleted from the database within a month – and the right to portability – a person can request that his or her data be transferred to a third-party entity, free of charge.
Privacy by Design
Another fundamental point of the GDPR is the citizen's consent. Many companies will be obliged to review their privacy policy, since the GDPR demands that the citizen's consent be clearly given, orally or in writing, for the specific purpose for which the data is intended. The transmission of customer data between companies will also have to respect the same rule, demanding the explicit consent of the person involved.
Likewise, companies will also have to guarantee that, by default, they only process and store the data that is strictly necessary for the operations consented to. This is called «Privacy by Default», or «Data Minimization».
The company's philosophy should be guided by the concept of «Privacy by Design», with all personal data storage and processing designed for total transparency and clarity. This ensures that the GDPR's norms are complied with and that no compliance failures occur.
Data Protection Officer
Public entities and organizations, as well as companies that process large-scale or sensitive personal data, have to appoint a Data Protection Officer. This measure should also be adopted by other companies to guarantee diligence in complying with the GDPR.
It is essential for organizations to be fully aware of their internal reality and of what they must do to comply with the law. The best way forward is to start with a security audit and to seek professionals who are knowledgeable about the legal conditions defined by the GDPR and, in particular, about the technical aspects to consider when implementing them.
Eurotux can help you on this path towards full compliance with the GDPR. Schedule a meeting now, since there is no use in putting off the inevitable.