What is GDPR: everything you need to know

The General Data Protection Regulation (GDPR), adopted by the European Parliament and Council in April 2016, will replace the Data Protection Directive 95/46/EC as the principal rule governing how enterprises protect the personal data of EU individuals in spring 2018. Companies that already comply with the Directive must ensure that they also meet the GDPR's new criteria before it takes effect on May 25, 2018. Companies that fail to achieve GDPR compliance by the deadline will face severe penalties and fines. This post covers the GDPR's data protection principles and how to prepare for the GDPR.

The GDPR's main privacy and data protection provisions

GDPR standards apply to all member states of the European Union, with the goal of ensuring more consistent consumer and personal data protection across the EU. The GDPR has several essential privacy and data protection provisions, including:

  • Requiring individuals' consent for data processing
  • Anonymising collected data to protect privacy
  • Providing data breach notifications
  • Safely transferring data across borders
  • Requiring certain firms to designate a data protection officer to manage GDPR compliance

Who is required to comply with the GDPR?

The GDPR's goal is to enforce a uniform data security regulation on all EU members, eliminating the need for each member state to establish its own data protection rules and ensuring that laws are consistent throughout the EU. In addition to EU members, the legislation applies to any corporation that promotes goods or services to EU individuals, regardless of location. As a result, the GDPR will have an impact on worldwide data protection standards.

Requirements of General Data Protection Regulation

The GDPR itself consists of 11 chapters and 91 articles. The following are some of the chapters and articles with the highest potential impact on security operations:

Articles 17 and 18 - These articles give data subjects greater control over personal data that is processed automatically. Data subjects can more freely transfer their personal data between service providers (the "right to portability"), and they can request that a controller erase their personal data under specific conditions (the "right to erasure").

Articles 23 and 30 - Companies must use appropriate data protection measures to protect consumers' personal data and privacy from loss or disclosure.

Articles 31 and 32 - Data breach notifications play an important part in the GDPR. Article 31 specifies requirements for individual data breaches: controllers must notify supervisory authorities (SAs) of a personal data breach within 72 hours of becoming aware of it, and they must provide specific details about the breach, such as its nature and the approximate number of data subjects affected. Article 32 compels data controllers to notify data subjects as soon as feasible of breaches that put their rights and freedoms at risk.

GDPR Enforcement and Penalties for Failure

In comparison to the previous Data Protection Directive, the GDPR raises the penalties for noncompliance. SAs have more authority than under prior legislation, since the GDPR establishes a single standard across the EU for all enterprises that handle EU citizens' personal data. SAs have investigative and corrective powers: they may issue warnings for noncompliance, conduct audits to verify compliance, require companies to make specified improvements within prescribed timeframes, order data to be destroyed, and prohibit companies from transferring data to other countries. Both data controllers and data processors are subject to the SAs' powers and sanctions. The GDPR also empowers SAs to impose higher fines than the Data Protection Directive; fines are determined by the facts of each case, and an SA can choose whether to use its corrective powers with or without fines. Depending on the provision breached, companies that fail to comply may face fines of up to 2% of global annual revenue or €10 million, or up to 4% of global annual revenue or €20 million, whichever is greater.

Best practices for GDPR

All organisations, from small businesses to large enterprises, must be aware of the GDPR's requirements and be prepared to comply with them. For many of these businesses, the first step towards GDPR compliance is to appoint a data protection officer who will develop a data protection programme that meets GDPR requirements. Once compliant, it is critical to stay current on changes to the legislation and to enforcement practice. The BBC has a GDPR topic page that includes current news reports about enforcement and other issues.

Steps to ensure GDPR compliance

Read the GDPR yourself

While certain sections are harder to understand and contain more legal language, everyone who is affected by the GDPR should read and understand this landmark legislation.

Look to other organisations

The GDPR affects businesses worldwide, not only in the European Union. If you or others in your organisation still do not grasp the actions required to achieve compliance, seek out organisations that already have. Many are willing to share the steps they took to get there.

Pay close attention to your website

Cookies, opt-ins, data storage, and similar features are easy to set up on a website; making them GDPR-compliant is another matter entirely. Various solutions for collecting and storing contact data make compliance achievable, but it is ultimately up to you to ensure it.

Pay closer attention to your data

If your organisation has a presence in the EU, whether digital or physical, all of the personal data it handles must be processed in compliance with the GDPR. Map how data enters your organisation and how it is stored, transmitted, and discarded. Knowing every possible path personal information can take is critical for preventing breaches and for reporting accurately in the event of data loss.

Small firms often cannot afford to develop their own IT or technical solutions for data protection. In many circumstances, they would benefit from end-to-end encrypted services that keep data unavailable to everyone except the owner.

Contact Praeferre to know more about GDPR data protection principles and how to prepare for GDPR.
