On 25th May 2018, the EU's General Data Protection Regulation (GDPR) came into effect. The GDPR is a high-profile and wide-ranging piece of legislation which will, no doubt, completely reshape the world of cybersecurity and data privacy. Passed by the European Union (EU) in April 2016, the GDPR frames a new set of regulations around data security.
In a nutshell, the GDPR aims to update the rules and regulations around data privacy for EU citizens in a world where this topic is becoming increasingly important. The territorial scope has been broadened, stiffer penalties have been defined and the conditions for data consent have been formulated. Organizations across the world are scrambling to ensure they are in compliance with the regulation. Has your company done its due diligence?
Understanding the scope
First and foremost, company heads must understand the scope of the regulation. While GDPR applies to EU citizens, it is not restricted to just the European Union. It applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. Basically, if your organization deals with the personal data of EU citizens, it comes under the purview of GDPR and it’s important that you start taking the required steps, because the consequences could be costly.
Breaching the GDPR will incur steep fines. Sanctions can range from a warning for a first-time, non-intentional violation to fines of up to a massive 20 million Euros or 4% of the annual turnover of an organization, whichever is higher. No organization would want to risk a financial hit of this size – in most cases, it would cripple the organization. Don't take the risk – if your company comes under GDPR, bite the bullet and get compliant. It might seem a burdensome process, but it will give you and your company some peace of mind.
Run an information audit
GDPR requires organizations to maintain records of all the personal data of individuals that they hold. Hence, organizations should run information audits so that they themselves are aware of what kind of data they hold. This will not only give organizations an understanding of the data they possess but also answer important questions such as where it came from and how it will be used. This should be documented in a proper data policy, which will make an organization compliant with GDPR's data protection principles.
Communicating with your visitors
GDPR gives visitors more control over their data, and for that, organizations need to be on their toes. There is more responsibility on organizations now to explain to users what data they are collecting, why they are collecting it and how long they will be holding on to it. This will require organizations to fundamentally change their data collection policies to ensure everyone is on board. Individuals also have the right to data portability and the right to ask for deletion of their personal data. Is your organization prepared for this radical change?
Does your organization need a DPIA?
Under GDPR, Data Protection Impact Assessments (DPIA) are mandatory for organizations under certain circumstances. Organizations must look at these circumstances and understand whether they fall under the regulation. If they do, they need to conduct a Data Protection Impact Assessment. A DPIA is required in situations where data processing could lead to a high risk to individuals, such as:
- When a new technology is being employed
- Where a profiling operation could significantly impact individuals
- Where there is processing on a large scale of the special categories of data
Appoint a Data Protection Officer
Under the terms of GDPR, organizations which fall under certain categories must designate an official Data Protection Officer. Whatever the case may be, GDPR will bring a new revolution and companies will need to adapt. It is important that they appoint someone to take responsibility for data protection compliance, with proper knowledge of all the processes, rules and regulations for data security.
Organizations can consider roping in a security solutions provider like Seqrite to help them become GDPR compliant. Seqrite offers GDPR risk assessment and includes features like anti-ransomware and encryption, helping organizations to comply with the guidelines.