Does Your Company Comply With GDPR?
Security breaches could result in a fine of 4% of global turnover
GDPR will change how a business or organisation can handle data stored about customers.
What is GDPR?
GDPR is the new data protection law that will replace the Data Protection Directive of 1995, on which the current Data Protection Act of 1998 is based.
The new regulation reworks the existing data protection laws in Europe to give individuals greater protection; its main objective is to give citizens back the right to control their personal data. Companies such as Facebook, Twitter and YouTube offer free services and are based outside the EU, but they will still have to comply with GDPR for users based within Europe.
GDPR defines two roles, known as ‘Controllers’ and ‘Processors’, and both must comply with the GDPR. The data controller must state how and why any personal data is being processed, while the processor is the party that actually processes the information it is sent. For example, the controller could be a company and the processor the company's IT firm that handles all of its data.
If your organisation suffers a data breach, the following may apply under the new regulation, depending on how severe the breach was:
- Your organisation must notify the local data protection authority and the owners of the records that have been breached
- Your organisation could be fined nearly 4% of global turnover or up to €20 million
Organisations will be expected to remain in control of their data and ensure that it is only accessed and processed by authorised users.
GDPR states organisations must:
- Only access data with authorisation
- Ensure all data is accurate and up-to-date
- Reduce identity exposure
- Have security measures in place for data breaches
Organisations will be expected to place security as a priority, and the following must be implemented:
- Data protection by design and default
- Security coordination with partners and service providers
- Encryption of all data
- Security measures that match their risk assessments
Right to Erasure
Once data has been collected, consumers still have a degree of control over it; this is known as the right to erasure. It can require organisations to completely erase all personal data on a subject when:
- Subject requests the right to be forgotten
- Partner organisation requests data to be removed
- Agreement with data subject comes to an end
Risk Mitigation and Due Diligence
All organisations must take into account the risks to subjects' privacy and security, and they must be able to demonstrate that appropriate measures have been taken to protect security. Organisations must:
- Undertake a full risk assessment
- Implement measures that demonstrate compliance
- Encourage partners and consumers to comply
- Have full control of their data and be able to demonstrate this
Once an organisation is affected by a security breach, it must notify consumers and the authorities. Under the new regulation, organisations must:
- Contact their supervisory authority within a 72-hour timescale
- Describe the consequences of the data breach
- Directly communicate with the subjects about the data breach