In 2018, the General Data Protection Regulation (GDPR) replaced the Data Protection Directive 95/46/EC as the primary law regulating how companies protect EU citizens’ personal data. The new requirements of GDPR became effective on 25th May 2018. Companies that are already in compliance with the directive must ensure that they are also compliant with these new requirements of GDPR. A company that fails to achieve General Data Protection Regulation compliance is subject to stringent penalties and fines.
General Data Protection Regulation Requirements
GDPR requirements apply to every member state of the European Union. The requirements aim to create more consistent protection of consumer and personal data across EU nations. The key privacy and data protection requirements include:
- Consent of subjects for Data Processing
- Protecting privacy by anonymizing collected data
- Handling safe transfer of data across borders
- Providing Data Breach Notifications
- Appointing a Data Protection Officer (DPO) to oversee GDPR compliance
The regulation makes a set of standards mandatory for companies that handle such data, to better safeguard the processing and movement of EU citizens’ personal data.
The General Data Protection Regulation imposes a uniform data security law on all EU members, so that no member state needs to write its own data protection laws and the rules are consistent everywhere. In addition, it is crucial to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. As a result, GDPR affects data protection requirements globally.
Requirements Of GDPR 2018
The General Data Protection Regulation contains 91 articles and 11 chapters. The following articles and chapters have the greatest potential impact on security operations:
- Articles 17 & 18: These articles give data subjects more control over personal data that is processed automatically. As a result, data subjects may transfer their personal data between service providers more easily. They can also direct a controller to erase their personal data under certain circumstances. These rights are known as the “Right to Portability” and the “Right to Erasure”, respectively.
- Articles 23 & 30: These articles require companies to implement reasonable data protection measures so as to protect the personal data and privacy of consumers against loss or exposure.
- Articles 31 & 32: These articles are about data breach notifications. According to Article 31, for single data breaches, controllers must notify supervisory authorities (SAs) of a personal data breach within 72 hours of learning about the breach. They should provide specific details of the breach, such as its nature and the approximate number of data subjects affected. According to Article 32, data controllers should notify data subjects about the breach as quickly as possible when it puts their rights and freedoms at high risk.
- Articles 33 & 33a: These articles require companies to perform Data Protection Impact Assessments in order to identify risks to consumer data and Data Protection Compliance Reviews to make sure that the risks are addressed.
- Article 35: According to this article, certain companies must appoint data protection officers. If a company processes data that reveals a subject’s genetic data, health, racial or ethnic origin or religious beliefs, it must designate a data protection officer who can advise the company about compliance with the regulation and act as a point of contact with SAs. Some companies are subject to this article because they collect personal information about their employees as part of human resources processes.
- Articles 36 & 37: These articles outline the position of the Data Protection Officer and the responsibilities for ensuring compliance and for reporting to supervisory authorities and data subjects.
- Article 45: This article extends data protection requirements to international companies that collect or process the personal data of EU citizens. It subjects them to the same requirements and penalties as EU-based companies.
- Article 79: This article outlines the penalties for non-compliance with the General Data Protection Regulation. Depending on the nature of the violation, a penalty can be up to 4% of the violating company’s global annual revenue.
Best Practices for GDPR
Every organization must be aware of all GDPR requirements and must comply with them. For many companies, the first step in complying is to appoint a Data Protection Officer who can build a Data Protection Program to meet the requirements. Once the company is compliant, it is crucial to stay informed of changes to the law and to enforcement methods.
Steps to Ensure GDPR Compliance
- Read the GDPR: Several sections of the legislation are difficult to decipher and heavy with legal language, but every person in a position to be affected by the General Data Protection Regulation should attempt to read and understand it.
- Look to Other Organizations: Businesses around the world, not just in the European Union, are affected by this regulation. If your organization still lacks an understanding of the steps needed to reach compliance, reach out to organizations that are already compliant. Other businesses are likely to share the steps they took to reach compliance.
- Pay Close Attention to Your Website: Data storage, cookies, opt-ins, and more are things that can be easily set up on a website, and their compliance with GDPR is crucial. While many tools used to collect and store contact data have allowed for compliance, it is up to the organization to make sure that it is compliant.
- Pay Close Attention to Your Data: If you have a presence in the EU, all of your data must be handled in compliance with GDPR. Map out how data enters the organization and how it is stored, transferred, and deleted. Knowing every route personal information takes is vital to preventing breaches and to ensuring proper reporting in the event of data loss.
GDPR Enforcement And Penalties For Non-Compliance
Compared with the previous Data Protection Directive, the General Data Protection Regulation has increased the penalties for non-compliance. It has set a standard across the EU for all companies that handle EU citizens’ personal data, and SAs therefore have more authority than under the previous legislation. They have corrective and investigative powers and can issue warnings for non-compliance. They can also perform audits to ensure compliance, order data to be erased, require companies to make specified improvements by prescribed deadlines, and even block companies from transferring data to other countries. Data controllers and processors are both subject to SAs’ powers and penalties.
The regulation also allows SAs to issue larger fines than under the Data Protection Directive, determined according to the circumstances of each case. The SA can decide whether to apply its corrective powers with or without fines. A company that fails to comply with certain General Data Protection Regulation requirements can be fined €10m or 2% of total global annual turnover, or €20m or 4% of total global annual turnover, whichever is greater.
Neumetric, a cyber security services, consulting & products organization, can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security for organizations of all sizes and in multiple industries make it easier for us to quickly cut activities that do not bring value to you, while you continue focusing on the business objectives of the organization.