The entry into force of the General Data Protection Regulation (GDPR) compels companies to prepare to comply with the new law or otherwise face hefty fines. Stay up to date with the changes the legislation implies, and confirm whether your company is ready for them.
Fines for companies that do not comply with the GDPR can reach 20 million euros or 4% of worldwide annual turnover, whichever is higher.
The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018.
The GDPR is the European Union (EU) regulation on data protection. It applies directly in all member states and replaces the Data Protection Directive of 1995 (Directive 95/46/EC) and the national laws that implemented it. The goal is to harmonise EU law on the protection and privacy of individuals' personal data.
The regulation applies to every company that processes the personal data of individuals in the EU, whether or not those individuals are EU citizens, including companies established outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. These companies must comply regardless of their size, their business volume, or where they process the data.
Questions and answers on this page can help you understand what the GDPR implies and whether your company complies with the new norms. Having read it, if you still have doubts, you can get in touch with Eurotux to request a detailed technical evaluation of your case. You can also respond to Microsoft’s quick survey to assess if you are or are not in compliance.
Organizations that do not take adequate measures to apply the regulation risk fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. The GDPR also makes companies liable for the harm caused by non-compliance, for example when personal data are compromised in a malware attack. Penalties also apply to unlawful international data transfers, to processing without a valid legal basis such as the data subject's consent, and to skipping mandatory risk assessments. These and other penalties can become very costly for companies that do not comply with the GDPR.
The GDPR rests on seven fundamental principles that aim to protect the personal data of people in the EU and that should guide every organization's processing: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
The GDPR applies to personal data, meaning any information relating to an identified or identifiable natural person. Personal data include names, photographs, email addresses, banking data, medical information, social network posts, IP addresses, location data, and CCTV images. It covers information stored in employee, sales, and service-provision databases, as well as data submitted by customers on forms. The GDPR also defines special categories of sensitive personal data, such as genetic and biometric data, which are subject to stricter rules.
The GDPR strengthens the privacy and security requirements for personal data held by companies, imposing "data protection by design" and "data protection by default" (commonly called privacy by design and by default). As such, companies must protect personal data throughout its life cycle, from collection through storage and processing until its deletion. Additionally, they must ensure that they only collect the data strictly necessary for the specific purposes XX. Data subjects have the right to erasure (the "right to be forgotten"): on request, companies must delete their personal data from their databases without undue delay and at the latest within one month. Data subjects also have the right to data portability, and may ask a company to transmit their data to another controller at no extra charge. They likewise have the right to restrict the processing of their data, and may have it rectified at any time.
The main change concerns the consent given by data subjects for the collection and processing of their data. The GDPR requires consent to be given by a clear statement, oral or written, or by a clear affirmative action, for the specific purpose of the collection. Companies must also inform the data subject (with particular care when the subject is a minor) clearly and transparently about how they process the data and for how long they will store it. Likewise, they must inform people that they have the right to withdraw consent at any moment. Once consent is withdrawn and no other legal basis for the processing applies, the data must be removed from databases, backups and any disaster recovery infrastructure. Sharing customer data between companies is covered by the same rule and requires a legal basis, typically the data subject's explicit consent.
The regulation applies regardless of where the data are stored. The company therefore needs to guarantee that it only transfers data to a cloud that meets the same requirements that apply to any other infrastructure, including the rules on transfers outside the EU.
The GDPR applies to companies that collect and process data for their own purposes and decide the purposes, conditions, and means of processing, known as controllers. It also applies to companies that process data on behalf of third parties, known as processors. Controllers may only use processors that offer sufficient guarantees of GDPR compliance, and the relationship must be governed by a contract. Processors must process data only on the documented instructions of the controller, implement appropriate security measures, and keep records of all processing activities they carry out for controllers.
Public authorities and bodies are required to appoint a Data Protection Officer (DPO). The requirement also applies to private companies whose core activities involve large-scale processing of personal data or of special categories of sensitive data, or the systematic monitoring of individuals. Although not mandatory for them, other companies may appoint a DPO to help ensure that their efforts comply with the GDPR.
The GDPR requires companies to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to inform the affected data subjects without undue delay when the breach is likely to result in a high risk to them. The notification must describe the nature and extent of the breach, the approximate number of affected records and data subjects, and the measures taken or proposed to contain and remedy the problem. Because the 72-hour clock starts when the company becomes aware of the breach, it needs monitoring that detects breaches quickly and an incident response procedure that escalates them, and it must put preventive measures in place to improve IT security and avoid repeat incidents.
The GDPR names encryption as an appropriate technical measure for protecting personal data, and recommends it where the confidentiality of sensitive data is at risk. If breached data were encrypted and the key was not compromised, the data remain unintelligible to the attacker; in that case the company may be exempt from notifying the affected individuals, although the breach must still be reported to the supervisory authority. The protection is only as good as the key management: keys must be stored separately from the data and from its backups. Some products and services provide robust encryption for data at rest and data in transit. You can get in touch with Eurotux to learn more about them.
Your company should begin by mapping how personal data are processed, identifying the systems, activities, and employees that interact with personal data. Next, conduct a Data Protection Impact Assessment (DPIA, also called a Privacy Impact Assessment) and apply its findings to processes, systems, technologies, people, activities, internal regulations, and legal issues.
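As an added illustration (not code from the original page or from Eurotux) of two points made above, that an erasure request or consent withdrawal must reach backups and disaster-recovery copies, and that encrypted data stays unintelligible to an attacker only while the key is safe: the Go program below encrypts each data subject's record under its own AES-256-GCM key kept in a separate key store, so that destroying that key ("crypto-shredding") renders every copy of the record, including backups taken before the request, unreadable. The in-memory KeyStore, the Record layout and the sample subject data are assumptions made for this example; a real deployment would keep the keys in an HSM or KMS that is backed up independently of the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is the form in which a subject's personal data is written to the
// database, and therefore to every backup and disaster-recovery copy:
// ciphertext only, never plaintext. (Assumed layout for this example.)
type Record struct {
	SubjectID  string
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore holds one AES-256 key per data subject. A map stands in for the
// HSM/KMS that a production system would use (assumption for the example);
// the important property is that it is stored and backed up separately
// from the data store.
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Provision generates a fresh random key when a new data subject is onboarded.
func (ks *KeyStore) Provision(subjectID string) error {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks.keys[subjectID] = key
	return nil
}

// Erase implements the right to erasure by crypto-shredding: once the key is
// gone, every copy of the subject's ciphertext, including backups taken
// before the request, is unrecoverable.
func (ks *KeyStore) Erase(subjectID string) { delete(ks.keys, subjectID) }

func (ks *KeyStore) aead(subjectID string) (cipher.AEAD, error) {
	key, ok := ks.keys[subjectID]
	if !ok {
		return nil, errors.New("no key for subject: data erased or never provisioned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one subject's personal data with AES-256-GCM. The subject ID
// is bound in as associated data, so a ciphertext moved onto another
// subject's record fails authentication instead of decrypting.
func Seal(ks *KeyStore, subjectID string, personalData []byte) (Record, error) {
	gcm, err := ks.aead(subjectID)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit random nonce, fresh for every Seal
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, personalData, []byte(subjectID))
	return Record{SubjectID: subjectID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record. It fails if the key has been shredded or if the
// record was tampered with (GCM authentication tag mismatch).
func Open(ks *KeyStore, r Record) ([]byte, error) {
	gcm, err := ks.aead(r.SubjectID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.SubjectID))
}

// LeaksPlaintext reports whether a stolen record still exposes a field in the clear.
func LeaksPlaintext(r Record, field []byte) bool {
	return bytes.Contains(r.Ciphertext, field)
}

func main() {
	ks := NewKeyStore()
	const id = "subject-42"
	email := []byte("maria@example.com")                  // constructed sample data
	personal := []byte("Maria Silva <maria@example.com>") // constructed sample data
	if err := ks.Provision(id); err != nil {
		panic(err)
	}

	rec, err := Seal(ks, id, personal)
	if err != nil {
		panic(err)
	}
	backup := rec // a nightly backup copies the ciphertext, not the key

	pt, _ := Open(ks, rec)
	fmt.Printf("live read:                   %s\n", pt)
	fmt.Printf("leaked record exposes email: %v\n", LeaksPlaintext(rec, email))

	ks.Erase(id) // the data subject exercises the right to erasure
	_, err = Open(ks, backup)
	fmt.Printf("backup after erasure:        %v\n", err)
}
```

Erase touches only the key store, which is why it can take effect immediately across production, backups and DR copies that were written months earlier; the trade-off is that losing the key store by accident has the same effect, so its own backup and access control deserve the same scrutiny as the data.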