The entry into force of the General Data Protection Regulation (GDPR) compels companies to prepare in order to comply with the new law, or otherwise face hefty fines. Stay up to date with the major changes the legislation implies, and confirm whether your company is ready for them.
Fines for companies that aren’t in compliance with GDPR can reach up to 20 million euros.
The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018.
The GDPR is the new European Union (EU) legislation on data protection, replacing the Data Protection Directive of 1995, as well as the several national regulations that resulted from it, and it applies directly to all member states. The goal is to make EU law more homogeneous regarding the protection and privacy of citizens’ personal data.
The new regulation applies to all companies, regardless of their size or volume of business, that process the personal data of EU citizens, or of non-EU citizens who are or have been present in the EU – even if the data processing occurs outside the EU.
This series of questions and answers aims to help you understand what the GDPR implies, and whether or not your company is in compliance with the new rules. If, after reading our answers, you still cannot answer this question, you can get in touch with Eurotux to request a detailed technical evaluation of your case. You can also take Microsoft’s quick survey to assess whether or not you are in compliance.
Organizations that do not take adequate measures to apply the new regulation risk hefty fines that can reach up to 20 million euros or 4% of total annual business volume. The GDPR also foresees holding companies accountable for harm caused by non-compliance, namely when citizens’ personal data are violated, for instance in malware attacks. Penalties are also foreseen for the interruption or restriction of data transfers due to lack of customer consent to data processing, for forgoing risk assessment, and for other failings that can become very costly for companies that do not comply with the GDPR.
The new General Data Protection Regulation is based on seven fundamental principles that aim to protect EU citizens’ data, and that should guide organizations’ procedures:
The GDPR applies to personal data, meaning any information relating to an identified or identifiable natural person. This includes names, photographs, email addresses, banking data, medical information, as well as social network posts, IP addresses, location data, and CCTV images. It covers information stored in databases for employees, sales, and service provision, as well as data contained in forms submitted by customers. The GDPR also defines a special category of sensitive personal data, such as genetic and biometric data.
The GDPR strengthens the privacy and security requirements for the owners of personal data held by companies, imposing a policy of “privacy by design” and “privacy by default”. As such, companies must protect the privacy of personal data from collection through storage and processing until its deletion. Additionally, they must ensure that they only collect data that is strictly necessary for the specific purposes it is being processed for. Citizens also have a right to be forgotten – upon request, their data must be removed or erased from the company’s databases within a month – and a right to portability – they can request that their data be transferred to a third-party entity at no extra charge. They also have the right to restrict the processing of their data, and they can rectify it at any time.
The main change concerns the consent given by data owners for the collection and processing of their data. The GDPR requires consent to be clearly stated, in either oral or written form, for the specific purpose the data was collected for. When consent is given, companies must also inform the person, in a clear and transparent manner (especially when minors are involved), about how the data will be processed and for how long it will be stored. Likewise, they must inform the person that they have the right to withdraw their consent at any moment, which means that their data must be removed from databases and backups, as well as from any Disaster Recovery infrastructure. The transfer of customer data between companies is covered by the same rule and requires the citizen’s explicit consent.
The regulation applies regardless of where the data is stored, which means it is very important for the company to guarantee that it only transfers data to a cloud that complies with the same requirements that apply to any other infrastructure.
The GDPR applies to companies that collect and process data for their own purposes, determining the purposes, conditions, and means of processing – known as controllers – as well as to companies that process data on behalf of third parties – known as processors. As such, controllers may only use processors that are in compliance with the GDPR. Processors are in turn required to process data according to the controllers’ instructions, implement security measures, and keep records of all processing activities they carry out for third parties.
Only public organizations, as well as companies that handle sensitive or large-scale personal data, are required to appoint a Data Protection Officer. Other companies may also choose to appoint one, to ensure that all their efforts are in compliance with the GDPR.
The GDPR requires companies to report security breaches, within 72 hours of detection, to the supervisory authority and to the customers whose personal data has been violated. This report must describe the nature and extent of the breach, the quantity of affected data, and the detailed procedures for containing and fixing the problem. The company is also required to establish preventive measures to improve IT security and prevent future breaches.
Encryption is listed in the GDPR as a security measure against potential security breaches. When sensitive data and greater risks are involved, the GDPR recommends encryption as the appropriate technical measure to mitigate threats. Encryption renders data unintelligible to an attacker, which can spare companies from having to report breaches in cases where their customers’ data has not actually been compromised. There are several products and services that provide robust encryption for data at rest or in transit. You can get in touch with Eurotux to learn more about them.
Your company should begin by assessing its data processing activities (which results in the identification of the systems, activities, and employees that interact with personal data). Next, you should conduct a Privacy Impact Assessment, and afterwards apply its findings to processes, systems, technologies, people, activities, internal regulations, and even legal matters.