GDPR: What is it anyway?

We have all seen the security breaches in the media.  Data breaches have become a significant issue for every organisation that holds personal data.  To give some clarity on the seriousness of these turbulent times:

  • 2 billion records have been compromised in the last year.
  • 140+ days between infiltration and detection in some cases.
  • An estimated $15 million average cost/business impact per breach.

It’s a threat you can’t ignore, and very soon you won’t be allowed to!

The General Data Protection Regulation (GDPR) imposes rules on organisations that offer goods and services to people in the European Union (EU), or that collect and analyse data tied to people in the EU, no matter where the organisation itself is located.

Its aim is to provide clarity and consistency in the protection of personal data.

The regulation was agreed in 2016 and applies from 25th May 2018.  Non-compliance can result in fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher).  Its purpose is to achieve:

  • Enhanced personal privacy rights
  • Increased duty for protecting data
  • Mandatory breach reporting
  • Significant penalties for non-compliance

What are the key changes with GDPR?

The key changes coming in with the regulation can be split into four sections:


Personal privacy

Individuals have the right to:

  • Access their personal data
  • Correct errors in their personal data
  • Erase their personal data
  • Object to processing of their personal data
  • Export personal data


Controls and notifications

Organisations handling personal data (controllers and their processors) will need to:

  • Protect personal data using appropriate security policies and technical measures
  • Notify the supervisory authority within 72 hours of becoming aware of a breach (a processor must notify its controller without undue delay)
  • Obtain consent, or establish another lawful basis, before processing personal data
  • Keep records detailing their data processing activities


Transparent policies

Organisations are required to:

  • Provide clear notice of data collection
  • Outline processing purposes and use cases
  • Define data retention and deletion policies


IT and training

Organisations will need to:

  • Train privacy personnel and employees
  • Audit and update data policies
  • Appoint a Data Protection Officer (mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data)
  • Create and manage processor/vendor policies and contracts

Over the next few blog articles we will take a look at the myths associated with GDPR and dig deeper, so we can understand what we need to do to get our business compliant.