The EU General Data Protection Regulation (GDPR) is a regulation that was approved in 2016 and scheduled to be enforced by May 25, 2018. Many customers ask, what is GDPR? It was developed to strengthen the rights of individuals in the European Union (EU). The regulation was implemented to control EU citizens’ personal data and requires organizations to ensure their privacy and data protection measures adhere to healthy security practices. Organizations that are found in violation could face fines up to the greater of €20 million or 4% of annual global turnover (revenue).
1. The first step for GDPR and most other types of compliance assessments is to identify where personal data resides across all devices, applications and system platforms. This will include consideration of where that data is collected and stored, understand why it was collected, how it is processed and shared, and how long it is retained. Note that personal data doesn’t need to be stored in the EU to be subject to the GDPR. All data tied to EU residents applies.
2. The scope of what constitutes “personal data” for GDPR extends beyond the other well-known compliance frameworks such as SSAE18, NIST, or HIPAA. Some additional items are a person’s photo, email address, bank details, posts on social networking websites, or even a computer IP address. Special provisions also exist when processing other types of data such as:
- Personal data related to criminal convictions and offenses
- Personal data of minors under sixteen (16) years
- Special categories of data (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, and sexual orientation to name a few)
3. Organizations must ensure the data is protected by establishing security controls to prevent, detect, eradicate and respond to vulnerabilities and data breaches. Under the new regulation, companies (referred to as “Controllers” in the regulation) and third-party processors need to rapidly respond to intrusions with built-in controls and tools to detect and respond to data breaches.
4. Data subjects have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the company shall provide a copy of the personal data, free of charge, in an electronic machine-readable format.
5. Breach notification must be done within seventy-two (72) hours of first becoming aware of the breach. Service providers regulated by GDPR will also be required to notify their customers “without undue delay” after first becoming aware of a data breach.
To find out more information about GDPR, please refer to http://www.eugdpr.org and https://gdpr-info.eu. If you are looking for help in assessing your current status or mitigation assistance, please contact TrustedSec – your trusted source for information security.