WHAT IS GDPR?
One year on and GDPR is still a hot topic in every organisation! Understanding the legislation and ensuring your organisation is fully compliant is as important as ever. The EU General Data Protection Regulation is a regulation through which the European Commission intends to strengthen data protection for individuals within the European Union. These regulations focus on protecting individuals’ rights when it comes to personal data processing.
GDPR Summary: GDPR is an evolution of the EU’s previous data rules, the Data Protection Directive. It addresses many of the shortcomings in the DPD, adding requirements for documenting IT procedures, performing risk assessments under certain conditions, notifying the consumer and authorities when there is a breach, as well as strengthening rules for data minimisation.
MAIN CONCERNS OF THE NEW REGULATION
Below are some of the differences between the Data Protection Directive and new GDPR legislation. These highlights from the published legislation are just some of the ways in which GDPR can affect you and your business:
- The “right to be forgotten”: When an individual no longer wants her/his data to be processed, and if there are no legitimate grounds for retaining it, the data will be deleted. This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press.
- Easier access to one’s data: In the new GDPR guidelines, individuals will have more information on how their data is processed and this information should be available in a clear and understandable way. A right to data portability will make it easier for individuals to transmit personal data between service providers.
- The right to know when one’s data has been hacked: Companies and organisations must notify the national supervisory authority of data breaches which put individuals at risk and communicate to the data subject all high-risk breaches as soon as possible so that users can take appropriate measures.
- Data protection by design and by default: ‘Data protection by design’ and ‘Data protection by default’ are now essential elements in EU data protection rules. The GDPR guidelines state that data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.
- Stronger enforcement of the rules: data protection authorities will be able to fine companies that do not comply with EU rules up to 4% of their global annual turnover.
- Data transfers outside the EU: currently the DPD applies to all EU countries as well as Norway, Iceland and Liechtenstein. Under the new GDPR regulation, any country processing or interacting with the personal data of an EU citizen will have to comply with the data protection laws.
There are several new obligations that must be understood in order to avoid non-compliance. Adhering to GDPR should be of paramount importance when it comes to moving forward with global communications.
HOW CAN WE HELP?
Below are just a few examples of how Asystec and Varonis could be vital in helping your organisation address the General Data Protection Regulation:
- GDPR requires organisations to respond to subject access requests and delete personal data on request. Article 15 states the ‘right of access by the data subject’. Varonis DatAnswers allows you to index information, search information, and find the right information.
- Article 33 of GDPR requires all companies to be able to report a data breach within 72 hours. Varonis’ User Behaviour Analytics and DatAlert suite detects abnormal data access activity and policy violations and alerts in real time as it happens.
- Article 35 of GDPR requires all organisations to conduct regular data protection impact/risk assessments. Varonis DatAdvantage and Data Classification Framework allow you to conduct regular quantified data risk assessments.
- GDPR requires organisations to respond to subject access requests and delete personal data on request. Article 17 states the subject’s right to erasure and to be ‘forgotten’. Varonis DatAnswers and Data Transport Engine allow you to find it, flag it, and remove it!
GDPR requires privacy by design and accountability by design for personal data. This means there must be data owners in the business and policies for least-privileged access to personal data. A budget of 439 million is available to businesses in member states for training activities pertaining to GDPR matters, and Asystec and Varonis can facilitate your participation. Article 30 states that you must keep records of processing activities. Varonis DatAdvantage and Data Classification Framework allow you to create an asset register of sensitive files, understand who has access to it, know who is accessing it and know when data can and should be deleted.
WHAT HAPPENS IF I DON'T COMPLY?
The GDPR has a tiered penalty structure that will take a large sum of money from the offender’s funds. Also, the EU GDPR rules apply to both data controllers and processors, that is, ‘the cloud’, therefore huge cloud providers are NOT off the hook when it comes to GDPR enforcement.
NON-COMPLIANCE RESULTS IN FINES OF UP TO 4% OF GLOBAL REVENUE.
If you need help in complying with GDPR, contact the Asystec security team, who will be happy to carry out a Data Risk Assessment to assess your organisation’s compliance with all relevant data regulations.