
General Data Protection Regulation – Complying With GDPR Requirements

In 2018, the General Data Protection Regulation (GDPR) replaced the Data Protection Directive 95/46/EC as the primary law regulating how companies must protect EU citizens’ personal data. The new requirements of GDPR became effective on 25th May 2018. Today, companies that were already in compliance with the directive must ensure that they are also compliant with these new GDPR requirements. If a company fails to achieve General Data Protection Regulation compliance, it is subject to stringent penalties and fines.

General Data Protection Regulation Requirements

GDPR requirements apply to every member state of the European Union. The requirements aim at creating more consistent protection of consumer and personal data across EU nations. The key privacy and data protection requirements include:

  • Consent of subjects for Data Processing
  • Protecting privacy by anonymizing collected data
  • Handling safe transfer of data across borders
  • Providing Data Breach Notifications
  • Appointing a Data Protection Officer [DPO] to oversee GDPR compliance

A set of standards is made mandatory for companies that handle this data, to better safeguard the processing and movement of EU citizens’ personal data.

GDPR Compliance

General Data Protection Regulation imposes a uniform data security law on all EU members, so that every member state no longer needs to write its own data protection laws and the laws are consistent everywhere. In addition, it is crucial to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. As a result, GDPR will impact the data protection requirements globally.

Requirements Of GDPR 2018

General Data Protection Regulation contains 91 articles and 11 chapters. The following articles and chapters have the greatest potential impact on security operations:

  • Articles 17 & 18: These articles give data subjects more control over personal data which is processed automatically. As a result, the data subjects may transfer their personal data between service providers more easily. They can also direct a controller to erase their personal data under certain circumstances. These activities are known as “Right to Portability” & “Right to Erasure”, respectively.
  • Articles 23 & 30: These articles require companies to implement reasonable data protection measures so as to protect the personal data and privacy of consumers against loss or exposure.
  • Articles 31 & 32: These articles are about data breach notifications. According to Article 31, for single data breaches, controllers must notify Supervisory Authorities (SAs) of a personal data breach within 72 hours of learning about the breach. They should provide specific details of the breach, such as its nature and the approximate number of data subjects affected. According to Article 32, data controllers should notify data subjects as quickly as possible about the breach when it puts their rights and freedoms at high risk.
  • Articles 33 & 33a: These articles require companies to perform Data Protection Impact Assessments in order to identify risks to consumer data and Data Protection Compliance Reviews to make sure that the risks are addressed.
  • Article 35: According to this article, certain companies must appoint data protection officers. If a company processes data that reveals a subject’s genetic data, health, racial or ethnic origin or religious beliefs, it must designate a data protection officer who can advise the company about compliance with the regulation and act as a point of contact with SAs. Some companies are subject to this article because they collect personal information about their employees as part of human resources processes.
  • Articles 36 & 37: These articles outline the position of Data Protection Officer and the responsibilities to ensure compliance as well as reporting to Supervisory Authorities and data subjects.
  • Article 45: This article extends data protection requirements to international companies that collect or process the personal data of EU citizens. It subjects them to the same requirements and penalties as EU-based companies.
  • Article 79: This article outlines the penalties for General Data Protection Regulation non-compliance. They can be up to 4% of the violating company’s global annual revenue, depending on the nature of the violation.

Best Practices for GDPR

Every organization must be aware of all GDPR requirements and must comply with them. For many companies, the first step in complying is to appoint a Data Protection Officer who can build a Data Protection Program to meet the requirements. Once the company is compliant, it is crucial to stay informed of changes to the law and to enforcement methods.

Steps to Ensure GDPR Compliance

  • Read the GDPR: Several sections of the legislation are difficult to decipher and are written in legal language. Nevertheless, every person in a position to be affected by the General Data Protection Regulation should attempt to read and understand the legislation.
  • Look to Other Organizations: Businesses around the world, not just in the European Union, are affected by this. If your organization still lacks an understanding of the steps needed to reach compliance, reach out to those who are already compliant. Other businesses are likely to share the steps they took to reach compliance.
  • Pay Close Attention to Your Website: Data storage, cookies, opt-ins, and more are things that can easily be set up on a website, and their compliance with GDPR is crucial. While many tools used to collect and store contact data now allow for compliance, it is up to the organization to make sure that its own use of them is compliant.
  • Pay Close Attention to Your Data: All of your data must comply with GDPR if you have a presence in the EU. It should be properly mapped out how data enters the organization and how it is stored, transferred or deleted. Knowing every route personal information takes is vital to preventing breaches and ensuring proper reporting in the event of data loss.

GDPR Enforcement And Penalties For Non-Compliance

Compared to the previous Data Protection Directive, the General Data Protection Regulation has increased the penalties for non-compliance. It sets a single standard across the EU for all companies that handle EU citizens’ personal data, and SAs therefore have more authority than under the previous legislation. They have corrective and investigative powers and can issue warnings for non-compliance. They can also perform audits to ensure compliance, order data to be erased, require companies to make specified improvements by prescribed deadlines, and even block companies from transferring data to other countries. Data controllers and processors are both subject to SAs’ powers and penalties.

GDPR also allows SAs to issue larger fines than the Data Protection Directive did; the amount is determined by the circumstances of each case. The SA can decide whether to impose its corrective powers with or without fines. A company that fails to comply with General Data Protection Regulation requirements can be fined up to €10m or 2% of total global annual turnover, or up to €20m or 4% of total global annual turnover, whichever is greater, depending on which requirements were breached.

Neumetric, a cyber security services, consulting & products organization, can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security for organizations of all sizes & in multiple industries make it easier for us to quickly execute cost-cutting activities that do not bring value to you, while you continue focusing on the business objectives of the Organization.

Ensuring Compliance With New General Data Protection Regulations

General Data Protection Regulation (GDPR) is the EU’s data protection legislation that strengthens and unifies data protection for individuals and addresses the export of personal data outside the EU.

In January 2012, the European Commission set out plans for data protection reform across the European Union in order to make Europe ‘fit for the digital age’. Four years later an agreement was reached and the General Data Protection Regulation (GDPR) was introduced. The new EU framework applies to organizations in all member states and has implications for businesses and individuals across Europe, and beyond.

What is General Data Protection Regulation?

GDPR is a set of laws that gives EU citizens more control over their personal data. It simplifies the regulatory environment for business, so that both citizens and businesses in the European Union can benefit from the digital economy. It brings the laws and obligations around personal data, privacy and consent across Europe up to date for the internet-connected age.

In April 2016, the General Data Protection Regulation was approved by the European Parliament. In May 2016, the official texts of the regulation were published in all of the EU official languages. On 25th May 2018, the legislation came into force across the European Union.

GDPR Compliance

Today, almost every aspect of our lives revolves around data. Almost every service that we use involves the collection and analysis of our personal data. Our name, address, credit card number and other information (generally known as Personally Identifiable Information, or PII) are all collected, analysed, and stored by organisations. But data breaches inevitably happen. Information gets stolen, lost or otherwise released into the hands of people with malicious intent.

Under the General Data Protection Regulation, organisations have to ensure that personal data is gathered legally and under strict conditions, and those who collect and manage it are obliged to protect it from misuse and exploitation. They must also respect the rights of data owners or face penalties for not doing so.

Personal data under GDPR includes name, address, photos and IP address, as well as sensitive personal data such as genetic data or biometric data that can be processed to uniquely identify an individual.

Who Needs to be GDPR Compliant?

GDPR applies to every organisation operating within the EU or outside the EU that offers goods or services to customers or businesses in the EU. Basically, every major corporation in the world needs a GDPR compliance strategy.

There are two different types of data handlers to whom the legislation applies: processors and controllers. A controller is a public authority, person, agency or body that determines the purposes and means of processing personal data. A processor is a public authority, person, agency or body that processes personal data on behalf of the controller. For instance, if you are subject to the UK’s Data Protection Act, you will likely need to be General Data Protection Regulation compliant.

GDPR places legal obligations on a processor to maintain records of personal data and how it is processed. Controllers are required to make sure that all contracts with processors are in compliance with GDPR. This creates a higher level of legal liability should the organisation be breached.

GDPR for Businesses & Consumers

GDPR has established one law for all companies doing business within EU member states. According to the European Commission, having a single supervisory authority for the entire EU will make it simpler and cheaper for businesses to operate within the region. The Commission claims that GDPR will save €2.3 billion every year across Europe.

Organisations are encouraged to adopt techniques such as pseudonymization so that they can benefit from collecting and analysing personal data while the privacy of their customers is protected at the same time.

Given the sheer number of hacks and data breaches that occur, the unfortunate reality is that some of our data, such as email addresses, passwords and social security numbers, has already been exposed on the internet. One major feature of GDPR is that it gives consumers the right to know when their data has been hacked.

Businesses must notify the appropriate national bodies as soon as possible so that EU citizens can take appropriate measures to prevent their data from being abused. Consumers also get easier access to their own personal data, including a clear and understandable explanation of how it is processed and how their information is used. Some organisations have already moved to ensure this, for instance by sending emails to customers explaining how their data is used and providing an opt-out for those who do not wish to be a part of it.

Many organisations within the retail and marketing sectors have contacted customers to ask if they want to remain in their database, while other sectors have been warned that they have a lot more to do in order to ensure GDPR compliance, especially where consent is involved.

GDPR also has a “Right to be Forgotten” provision that gives people who no longer want their personal data processed the right to have it deleted, provided the organisation has no other grounds to retain it. Businesses therefore need to keep these consumer rights in mind.

Identifying Whether a Privacy Email is a Scam or from an Actual Company

Organisations of all sizes send emails to customers, and with so many organisations sending out emails about GDPR, scammers and criminals see a prime opportunity to send out phishing emails.

Researchers at Redscan found scammers posing as Airbnb and claiming that the user would not be able to send messages to prospective guests or accept new bookings until a new privacy policy was accepted. They specifically cited the new EU privacy policy as the reason for the message being sent.

The scammers were leveraging GDPR to steal information, whereas the real Airbnb message did not ask for any information. Customers who received the fake message were asked for their personal information, including account credentials and payment card information. It’s very unlikely for criminals to piggyback on GDPR for their own gain.

What is a GDPR Breach Notification?

Under GDPR rules, companies must report data breaches that involve the loss of, or unauthorized access to, personal data to the relevant supervisory authority. In some cases, organizations must also inform the individuals affected by the breach. Organizations must report any breach that is likely to result in a risk to the rights and freedoms of individuals, such as discrimination, financial loss, damage to reputation, loss of confidentiality, or any other social or economic disadvantage.

In simpler words, if the name, date of birth, address, health records, bank details, or any other personal data about customers is breached, the organization is obliged to notify those affected as well as the relevant regulatory body, so that measures can be taken to limit the damage.

This is done via a breach notification that must be delivered directly to the victims. The information must not be communicated only in a press release, on social media, or on a company website; it must be one-to-one correspondence with those affected. The breach must be reported to the supervisory authority within 72 hours of the company first becoming aware of it. And if the breach is serious enough that customers or the public must be notified, this must be done without undue delay.

GDPR Fines & Penalties for Non-Compliance

If an organization fails to comply with GDPR, the result is a fine ranging from 10 million euros up to 4% of the company’s annual global turnover. Fines and penalties depend on the severity of the breach and on whether the company is deemed to have taken compliance and security regulations seriously enough.

The maximum fine of 20 million euros or 4% of worldwide turnover, whichever is greater, applies to breaches of the rights of data subjects, failure to put procedures in place, and unauthorized international transfer of personal data.

The lower fine of 10 million euros or 2% of worldwide turnover applies to companies that mishandle data in other ways: for instance, failure to build in privacy by design (ensuring data protection is applied from the first stage of a project), failure to report a data breach, and failure to appoint a data protection officer where required.

Biggest GDPR Fines so Far

The biggest GDPR fine issued so far is €50m against Google. The French data protection watchdog, CNIL, issued the fine after concluding that the organization was breaking GDPR rules on transparency and on having a valid legal basis when processing people’s data for advertising purposes. Prior to this, the largest GDPR penalty stood at €400,000, when a Portuguese hospital was fined for deficient account management practices. Data protection watchdogs across Europe are currently investigating thousands of cases.

Whether due to a cyberattack, human error, or anything else, a company that loses data is obliged to deliver a breach notification. It must include approximate details about the breach, including the categories of information and the number of individuals compromised as a result of the incident, as well as the categories and approximate numbers of personal data records concerned.

Companies must also provide a description of the potential consequences of the data breach (for instance, theft of money or identity fraud) and of all the measures being taken to deal with the breach and to counter any negative impact on individuals. The contact details of the data protection officer, or of the main point of contact dealing with the breach, must be provided.

Is it Necessary to Appoint a Data Protection Officer?

Under GDPR guidelines, an organization must appoint a Data Protection Officer (DPO) if it carries out large-scale processing of special categories of data, is a public authority, or carries out large-scale monitoring of individuals such as behavior tracking. Public authorities can appoint a single DPO for a group of organizations. Organizations outside these categories are not required to appoint a DPO, but they must still ensure that they have the necessary skills and staff to be compliant with GDPR legislation.

According to the Information Commissioner’s Office, a Data Protection Officer should have professional experience and knowledge of data protection law proportionate to the processing the organization carries out. If an organization fails to appoint a Data Protection Officer where GDPR requires one, this counts as non-compliance and may result in a fine.

GDPR Compliance is Necessary

Ultimately, these measures are meant to minimize the risk of breaches and uphold the protection of personal data. This may look like more policies and procedures for organizations, but many companies will already have good governance measures in place.

Under the GDPR provisions that promote governance and accountability, organizations should implement appropriate technical and organizational measures such as data minimization and pseudonymization, allowing individuals to monitor processing, data protection provisions (review of HR policies, staff training and internal audits of processing activities) and keeping documentation of processing activities. All organizations must ensure that they have carried out the necessary impact assessments and are GDPR compliant.
