The General Data Protection Regulation (GDPR) was created to unify the principles of data privacy within Europe. Data protection used to be regulated separately by each EU country, which led to remarkable differences. This situation now changes with a single law that applies equally to every EU Member State.
GDPR – yet another abbreviation to keep in mind. Nobody wants to get egg on their face. Furthermore, those four letters seem to be irrevocably anchored in the IT business. Grit Heinig took the chance to dive deeper into this subject and went through the whole General Data Protection Regulation (GDPR).
In the end, five main points crystallized:
The Regulation is Already Valid
It was adopted in April this year by the European Parliament. It entered into force on the 25th of May 2016, 20 days after its publication in the Official Journal of the European Union. The interesting aspect is that it only applies two years later, from the 25th of May 2018 on.
Of course, a lot of time will pass until that day. But as we get granular about the rights and duties, we need to answer the question: Does your IT comply with everything?
The Regulation is Also Valid Outside of the EU
When we were creating a battle card in our team to feature GDPR in our sales catalogue, a colleague from Switzerland mentioned that it does not concern her. It’s well-known that Switzerland does not belong to the European Union. But hold on: “It’s about citizens of the EU!” we both pointed out.
The GDPR applies to all companies worldwide that process personal data of EU citizens. For the regulation to apply to you, it may be sufficient that an EU customer fills in and submits a simple form via your website.
Conclusion: GDPR concerns all of us. Or do you really want to say that you have nothing, absolutely nothing to do with any citizen of the EU?
The Regulation is Related to the Processing and Recording of Personal Data
Sounds simple, and it basically is. Nevertheless, there are 88 pages with 89 articles, and all of them contain several passages. It is worth your while to take a close look at it. Of course, you may read about the GDPR in various IT magazines from time to time. Or you can simply google the term, which will lead you to thousands of pages. But have you ever considered whether such an article has taken everything in the legal text into account? And have you ever felt confident that you had a complete overview of the measures you have to implement?
Nevertheless, I do not want to miss the opportunity to present my “favorites” to you:
The processing of personal data should be “adequate, relevant and limited to what is necessary for the purposes for which they are processed”.
The period for which the data is stored is limited to a minimum.
Personal data shall be accurate and kept up to date.
Personal data shall be protected from unauthorized access, illegal processing and loss. In this instance, the regulation points out pseudonymization and encryption of data. Furthermore, the “ability to ensure availability and resilience of processing systems and services” plays an important role.
At this point, I would like to draw your attention to the fact that security software companies such as Symantec provide a number of products that meet the demands of the GDPR precisely. Data Loss Prevention, for example, discovers, monitors and protects your sensitive data. Talking about encryption, products like Endpoint or Desktop Email Encryption come to mind. But Advanced Threat Protection (ATP) or Control Compliance Suite will also help you to implement the regulation.
A data protection officer has to be designated who is responsible for monitoring compliance with GDPR and makes sure that personal data is safe and secure.
All persons concerned have the right to receive a copy of their data, the right to have their data corrected or its processing restricted, as well as the right to have their data erased.
The Regulation Contains Not Only Rights
If your company’s IT systems are attacked and/or a personal data breach occurs, you have to notify your supervisory authority, preferably within 72 hours. But this is not the only party that has to be notified. All persons concerned also have to be informed. This may be done by a public communication. But who wants to voluntarily admit that there has been a security lapse, either at the system level or caused by internal staff? Today it is not a question of IF but WHEN you will be attacked, but fortunately there are also appropriate solutions available to keep the risk of widespread damage low.
The Regulation has Significant Consequences in Store
Last but not least, fines will be imposed which should be “effective, proportionate and dissuasive”. Quoted from the regulation! Depending on the kind of infringement, there may be monetary penalties of 2% up to 4% of the total worldwide annual turnover, yet not less than 10 to 20 million euros. That really is dissuasive, isn’t it?
Summing up, the GDPR should not be taken lightly. To ignore or underestimate the regulation would be enormously careless. Or do you want your company to be the precedent which surely will be set?