On May 25, 2018, the General Data Protection Regulation (GDPR) comes into force and GDPR compliance will be mandatory. Now is the time to get prepared. GDPR compliance is likely to require considerable effort and resources. If your organization is not prepared, you may miss the GDPR compliance deadline.
GDPR is a new regulation that will apply to all organizations based in EU member states, as well as those based in non-member states that capture, hold or process the data of EU citizens. GDPR is a replacement of the 1995 EU Data Protection Directive and will address web-based technology that was not widely available in 1995. Use of the cloud for instance.
The new regulation will help to ensure the personal data of EU citizens is protected and the risk of sensitive data being exposed is minimized. The new regulation will also allow EU citizens to have much greater control over the personal data that is collected and stored by organizations, and how those data are used.
How Will GDPR Protect Consumers?
One of the main elements of GDPR is improving the rights of EU citizens with regards to the personal data that is collected, stored and used by organizations. GDPR requires organizations to obtain informed consent from consumers prior to collecting and using their data. Consumers must be told the reason why data are being collected, how data will be used, and consumers must be told that they can withdraw their consent at any time. A mechanism must be put in place that will allow an organization to delete data when it is no longer required or when consent is withdrawn.
GDPR gives consumers the right to:
- Find out how their data will be used
- Discover how data were obtained if informed consent was not provided
- Access personal data
- Find out how long data will be stored
- Correct errors in stored data
- Move data to a different processor
- Restrict or prohibit the processing of data
- Find out with whom data have been or will be shared
- Have data permanently erased
- Avoid being evaluated on the basis of automated processing
Organizations must also limit the data collected to the minimum necessary amount for the purpose that has been described to consumers to be performed.
While organizations that have an online presence and actively collect data will have to comply with GDPR – Amazon for example – GDPR will apply to a much broader range of companies. In fact, many companies that do not have an online presence will need to comply with GDPR. GDPR will apply to any company that collects the types of data covered by the GDPR definition of personal information. That includes organizations that store ‘personal data’ of employees in an electronic database.
What Data are Covered by GDPR?
Under GDPR, personal information includes an individual’s name and a host of other identifiers, including online identifiers such as location data, IP addresses, cookies and other “pseudonymous data”. Information such as race and ethnic origin, religious or philosophical beliefs, political opinions, sexual orientation, details of sex life, criminal convictions, trade union membership, health data, biometric data, and genetic data are all covered.
Data Security Standards Necessary for GDPR Compliance
GDPR also covers the protections that must be put in place by organizations to ensure the confidentiality, integrity, and availability of data. That includes stored data and all data that flows through systems or applications.
GDPR compliance requires organizations to conduct a risk/gap analysis to assess potential vulnerabilities in their current systems and processes.
Companies must “implement appropriate technical and organizational measures” to ensure the confidentiality, integrity and availability of data. Those measures should “ensure a level of security appropriate to the risk.”
Companies must adopt a privacy and security-by-design approach, and ensure that controls are implemented during the planning stages, development, implementation, and use of applications and systems. Regular testing and security assessments must also be performed.
Systems must also be implemented that allow data to be recovered and restored in the event of a security incident or technical problem being experienced.
Data Breach Notification Requirements of GDPR
Any organization that experiences a breach of data covered by GDPR must inform their Data Protection Authorities (DPAs) within 72 hours of the breach being discovered. Individuals impacted by a data breach must also be notified, if such a breach has potential to result in identity theft or fraud, discrimination, financial loss, reputation damage, or other significant economic or social disadvantage. Notifications will not be required if stored data are encrypted or are otherwise undecipherable and unusable.
Preparing for GDPR
Many organizations currently lack the necessary systems to ensure GDPR compliance. For instance, many do not have systems that allow them to easily identify consumer data, retrieve it, and delete it as necessary.
Privacy policies will need to be drafted and published to incorporate the new regulation and ensure GDPR compliance. Forms explaining consent to use data will need to be developed and published. Staff will need to be trained on the new rights of individuals. Policies must also be developed – or updated – covering data breach notifications in case personal information is exposed, accessed, or stolen. Additional security solutions will need to be implemented. GDPR compliance will involve considerable cost and resources and ensuring GDPR compliance will take time.
Organizations must therefore start preparing for the introduction of the new regulation. It may be a year before GDPR compliance is necessary, but given the necessary changes, organizations should start planning now. From May next year, GDPR compliance will be mandatory and there will be severe penalties for non-compliance.
What are The Penalties for Non-Compliance with GDPR?
Any organization that fails to comply with GDPR can be fined by their DPAs. DPAs will be given more powers to investigate data breaches and non-compliance. The potential fines for non-compliance with GDPR are considerable.
If an organization does not comply with the GDPR security standards, a fine of up to €10 million can be issued or 2% of global annual turnover, whichever is the greater. The failure to comply with GDPR privacy standards can attract a fine of up to €20 million or 4% of global annual turnover, whichever is the greater.
Fines will be dictated by the extent of the violation or data breach, the number of individuals impacted, and the extent to which the organization has implemented controls and standards to ensure GDPR compliance.
Individuals also have the right to seek compensation if their personal information is misused or stolen, if they have suffered harm as a result. Criminal sanctions may also be applied, such as if data is collected without consent.
Organizations are likely to suffer reputational damage in the event of a data breach, as the EU will be naming and shaming organizations that fail to implement appropriate measures to protect data and prevent data breaches. Details of organizations that have not complied with GDPR will be published and made available to the public.
How Can TitanHQ Help with GDPR Compliance?
TitanHQ offers a range of data security solutions that offer real-time protection against viruses, malware, ransomware and spyware to help organizations effectively manage risk, prevent data breaches, and ensure GDPR compliance.
TitanHQ offers award-winning security solutions to prevent web-based and email-based cyberattacks, in addition to helping organizations protect themselves from insider breaches.
SpamTitan is an advanced email security solution that protects organizations from email-based attacks such as phishing, blocking the most common method of malware and ransomware delivery. SpamTitan detects and blocks 99.97% of spam email, with a range of deployment options to suit the needs of all businesses.
WebTitan offers industry-leading protection against a wide range of web-based threats such as exploit kits, malvertising, phishing websites and drive-by malware downloads. The solution allows data protection officers to limit the types of websites that can be accessed by employees to minimize risk.
ArcTitan is an easy to use email archiving system that copies all inbound and outbound messages and stores them in an encrypted email archive, preventing loss of data and ensuring emails can be recovered and audited. The solution satisfies GDPR compliance requirements for identifying, retrieving, and deleting individuals’ personal data, when its purpose has been served or consent is withdrawn.
For more information on TitanHQ’s cybersecurity solutions and how they can help with GDPR compliance, contact the TitanHQ team today.