GDPR Compliance, Regulations and More
In this first installment of our course on the foundations of information security, "Data Protection 101," you will learn about the General Data Protection Regulation (GDPR) and the criteria for complying with it.
An Explanation of the GDPR (General Data Protection Regulation)
The Data Protection Directive 95/46/EC is going to be replaced by the General Data Protection Regulation (GDPR), which was agreed upon by the European Parliament and Council in April 2016, as the primary law regulating how businesses protect the personal data of EU citizens. This change takes place in the spring of 2018. Before the GDPR goes into effect on May 25, 2018, businesses that were previously in compliance with the Directive need to verify that they also comply with the additional requirements of the GDPR. Companies that fail to comply with the GDPR by the deadline may be subject to harsh penalties and fines. These penalties and fines may include jail time.
The General Data Protection Regulation (GDPR) imposes rules on every member state of the European Union, with the intention of establishing a more uniform level of consumer and personal data protection across all EU states. The following is a list of some of the most important obligations that the GDPR imposes in terms of privacy and data protection:
- Demanding the permission of the subjects before processing their data
- Protecting individuals' privacy by concealing their identities in acquired data
- Providing data breach notifications
- Managing the transmission of data across international boundaries in a secure manner
- Requiring certain businesses to hire a data protection officer who will be responsible for ensuring compliance with the GDPR
To put it more simply, the GDPR requires businesses that process the personal data of people in the EU to adhere to a minimum standard established to improve the protection of that processing and of the flow of that data.
Who is Responsible for Ensuring Compliance with the GDPR?
As a result of the GDPR, each member state of the EU will no longer be required to draft its own data protection rules, and legislation will be consistent throughout the whole of the EU. The goal of the GDPR is to make this transition as smooth as possible. It is vital to highlight that the legislation applies not just to countries that are members of the EU, but also to any business that, regardless of its location, offers products or services to inhabitants of EU countries. As a consequence, the GDPR will affect data protection obligations all around the world.
Responsibilities and Obligations under the General Data Protection Regulation
The General Data Protection Regulation (GDPR) itself is made up of 91 articles and 11 chapters. The following is a selection of the chapters and articles that, taken together, have the potential to have the biggest influence on security operations:
Articles 17 and 18 - These articles give individuals greater control over the use of their personal data when it is subjected to automated processing. As a consequence, data subjects now have the ability to more easily transfer their personal data from one service provider to another (the "right to portability"), and they can also direct a controller to erase their personal data under certain circumstances (the "right to erasure").
Articles 23 and 30 - Articles 23 and 30 require businesses to take adequate data protection measures in order to safeguard the personal information of customers and prevent their privacy from being compromised in the event of data loss or disclosure.
Articles 31 and 32 - Data breach notifications are covered in detail under Articles 31 and 32. Article 31 outlines the requirements that must be met in the event of a single data breach. Controllers are required to notify Supervisory Authorities (SAs) of a personal data breach within 72 hours of becoming aware of it and must provide specific details regarding the breach, including its nature and an estimate of the number of data subjects affected. Article 32 mandates that data controllers inform data subjects as soon as feasible of breaches that pose a serious risk to the subjects' rights and freedoms.
Articles 33 and 33a - Articles 33 and 33a require businesses to conduct Data Protection Impact Assessments to determine whether or not there is a risk to the personal information of customers and Data Protection Compliance Reviews to guarantee that any identified risks have been mitigated.
Article 35 - Article 35 mandates that some corporations designate data protection officers. Specifically, any company that processes data that reveals a subject's genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers advise companies about compliance with the regulation and act as a point of contact with SAs. This provision of the GDPR may apply to some businesses for the simple reason that they gather personal information about their workers as part of their human resources procedures.
Articles 36 and 37 - Articles 36 and 37 detail the role of the data protection officer and the obligations that come with it. These tasks include maintaining compliance with the GDPR as well as reporting to Supervisory Authorities and data subjects.
Article 45 - Article 45 extends data protection standards to overseas firms that collect or handle the personal data of people in the EU, exposing these organizations to the same duties and penalties that EU-based corporations would face if found in violation of the law.
Article 79 - Article 79 details the penalties for GDPR non-compliance, which, depending on the type of infringement, may be as much as 4% of the breaching company's worldwide annual sales.
Compliance with GDPR and the Consequences for Failing to Do So
The General Data Protection Regulation (GDPR) comes with harsher punishments for violations than its predecessor, the Data Protection Directive. Because the GDPR establishes a standard throughout the EU for all enterprises that handle the personal data of EU people, supervisory authorities (SAs) have greater jurisdiction than they had under the prior regulation. The SAs have investigative and corrective powers, and they are able to issue warnings for non-compliance, perform audits to ensure compliance, require companies to make specified improvements by prescribed deadlines, order data to be erased, and prevent companies from transferring data to other countries. Both those who control and those who handle data are subject to the powers and penalties of the SAs.
The GDPR also gives supervisory authorities the authority to levy fines that are significantly higher than those imposed under the Data Protection Directive. The amount of a fine depends on the specifics of each violation, and the SA may exercise its corrective powers with or without imposing a fine. Companies that do not adhere to certain GDPR criteria may be subject to penalties of up to 2% or 4% of their total annual worldwide revenue, or €10 million or €20 million respectively, whichever is larger.
Everyone who communicates with European citizens is subject to GDPR.
As noted above, the legislation applies not just to EU member countries, but also to any business that, regardless of its location, offers products or services to inhabitants of EU countries. Businesses that comply with the GDPR will not only improve consumer data privacy and confidence, but will also avoid hefty fines.
Because this privacy legislation is now in effect, websites that do not comply with its requirements will no longer be accessible in European states. The Chicago Tribune and the Los Angeles Times stood out the most among the websites that were temporarily restricted. If the website your company uses gathers data from European visitors, then it is required to comply with the GDPR.
Will the United States of America Adopt Laws Protecting Personal Data?
The topic of data privacy in the United States is now front and center as a result of increased public and political scrutiny. There is currently no federal law in place to protect the privacy of data. Despite this, there have been more and more conversations on the subject recently. The congressional hearings of Facebook founder Mark Zuckerberg brought the topic to the forefront of public attention. A number of states have passed their own legislation, the California Consumer Privacy Act being the one that has garnered the most attention to this point.
Because of the GDPR, almost two-thirds of corporations in the United States may be reconsidering their strategy in Europe, according to a survey by Ovum. However, because businesses in the United States are expecting an expansion of data privacy legislation, some of them are coming to the realization that it may be time to put stricter data protection measures in place generally.
The General Data Protection Regulation (GDPR) is a Crucial Piece of EU Data Protection Legislation.
All companies, from sole proprietorships to multinational conglomerates, are responsible for understanding the GDPR's standards and ensuring that they are prepared to comply with those regulations going forward. For many of these businesses, the first step toward GDPR compliance is to nominate a data protection officer who will be responsible for developing a data protection program that meets GDPR standards. Once compliance has been achieved, it is critical to stay aware of any changes in the legislation or in the tactics used to enforce it. The BBC website has a page dedicated to the GDPR that covers recent news articles on enforcement as well as other topics.
Taking the Necessary Steps to Ensure GDPR Compliance
1. Actually Take the Time to Read the GDPR
Every individual who may be affected by the GDPR should make an effort to study and comprehend this ground-breaking law, even though some portions are harder to parse and involve more legal terminology than others.
2. Consider Working with Different Organizations
The GDPR will have an impact not just on businesses located in the European Union but also on businesses in every other region of the globe. Get in touch with people who are already compliant if you or others in your company still do not have a complete understanding of the measures needed to achieve compliance. Many companies are likely willing to discuss the steps they took to become compliant.
3. Devote Your Full Attention to Maintaining Your Website
On a website, it is simple to configure a variety of features, including cookies, opt-ins, data storage, and more. Whether they comply with the GDPR is an entirely separate issue. Even though many of the technologies used to gather and retain contact data have compliance built in, it is ultimately up to you to ensure that you are in compliance.
4. Pay Closer Attention to the Information You Have.
If you have any kind of presence in the European Union, whether digital or physical, then the GDPR applies to all of your company's data. Create an accurate flowchart of how data is received, stored, and/or moved before it is erased. To avoid data breaches and guarantee accurate reporting in the event of a data loss, it is essential to be aware of every possible path that personal information may travel.