What Is the General Data Protection Regulation (GDPR) and How Does It Affect My Organization?
If your organization processes personal data, protecting the security and privacy of that data should be a top priority. Regulation of data security and privacy changes constantly, and organizations must keep up with those changes: the required protections not only keep the data your organization holds secure but are also mandated by law.
GDPR was adopted in April 2016 and applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of where the processing takes place.
It became enforceable on May 25, 2018. From that date, organizations that fail to comply, whether or not the failure comes to light through a data breach, face administrative fines of up to 20,000,000 EUR or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (a lower tier of 10,000,000 EUR or 2% applies to less serious infringements).
GDPR Rules Explained:
Overview of the GDPR
Until recently, data protection law within the European Union (EU) was based on the Data Protection Directive (Directive 95/46/EC), adopted in 1995. Although the directive covered the basics of data privacy, it had long since become outdated as new technologies emerged, and because it was a directive rather than a regulation, each member state implemented it in its own national law.
The EU worked for more than four years, from the Commission's initial proposal in January 2012 to adoption in April 2016, to develop a replacement regulation with stronger privacy protections for individuals. The new regulation also removes some of the red tape that created additional expenses for organizations.
Benefits for Individuals
One GDPR mandate is the portability of personal data: an individual has the right to receive the personal data they have provided to an organization in a structured, commonly used and machine-readable format, and to have it transmitted to another organization. This right applies to data processed by automated means on the basis of consent or a contract.
Another GDPR mandate requires that individuals be notified when a breach affects their personal data. Individuals must be notified only if the breach is likely to result in a high risk to their rights and freedoms; if the affected data was rendered unintelligible to unauthorised parties (for example, by strong encryption with keys that were not compromised), individual notification is not required.
Individuals also have the right to erasure (the "right to be forgotten") under GDPR: an individual can require that their personal data be erased and no longer processed when certain conditions are met, such as the individual withdrawing the consent on which the processing was based, or the data no longer being necessary for the purpose for which it was collected.
In addition, GDPR gives individuals the right of access and the right to restrict processing. The right of access lets an individual obtain confirmation of whether their personal data is being processed, a copy of that data, and information about the purposes, recipients and retention period. The right to restriction lets an individual have processing of their data limited, for example while the accuracy of the data is being contested or an objection to the processing is being considered.
New Rules for Organizations
When a data breach occurs, an organization has to act quickly: GDPR requires a personal data breach to be reported to the relevant supervisory authority within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. To help prevent breaches in the first place, GDPR requires data protection by design and by default, meaning that data protection is taken into account from the earliest stages of designing any system that processes personal data. GDPR also requires organizations to keep records of their processing activities, and requires certain organizations (public authorities, and those whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data) to appoint a Data Protection Officer to oversee compliance.
A Data Protection Impact Assessment (DPIA) is mandatory whenever a planned processing activity is likely to result in a high risk to individuals; the assessment must identify those risks and the measures taken to mitigate them. The regulation does not prescribe specific encryption algorithms, but it names encryption and pseudonymisation as examples of appropriate technical measures for securing personal data, and it establishes certification mechanisms through which organizations can demonstrate compliance with the new rules.
GDPR does not only add restrictions and processes for organizations; it also removes some old obligations. Organizations no longer have to notify national data protection authorities whenever they process personal data, a requirement that was especially burdensome for organizations operating in several countries. Although that notification requirement has been removed, organizations must still maintain an inventory of the personal data they process, in the form of records of processing activities.
In addition to lifting the local notification rules, GDPR introduces data protection certifications, seals and marks by which an organization can demonstrate compliance to current and potential clients.
What Does GDPR Mean for Your Organization?
If your organization is established in the European Union, or offers goods or services to or monitors individuals in the EU, it must comply with the rules laid out in GDPR, even if it has no offices in Europe. Many organizations are unaware that the regulation applies to them directly.
If you have questions about GDPR, or are uncertain whether your organization is compliant with GDPR, CISOSHARE can help. Contact our information security experts to ensure that your systems are up to date and ready for this regulation.
Information security experts with 20+ years of combined experience in developing, implementing, and securing highly regulated organizations.