What Does GDPR Mean for Your Organization?
GDPR ,or the General Data Prevention Regulation, is a new law that has been enforced by the European Union since May 25, 2018. The goal of this regulation is to update the Data Protection Directive of 1995; this was was enacted before the widespread use of the internet, which has drastically changed the way data is collected, transmitted, and used.
Another key component of the GDPR is to update regulations about data protection for sensitive personal information. It places an emphasis on the need to protect any and all collected data.
At the core of this new regulation, it aims to simplify, update, and unify the protection of personal data.
Why Does GDPR Matter to You?
The main changes from GDPR mean that companies can no longer be lax about personal data security. In the past, they can get away with simple tick-boxes to achieve compliance. This is no longer the case.
Here are the top points to consider regarding the General Data Prevention Regulation.
- A company does not have to be based in the EU to be covered by the GDPR. As long as they collect and use personal data from citizens of the EU, they must adhere to this regulation.
- The fines for violating the regulations set forth by the GDPR are huge. Serious infringements such as not having the right customer consent to process their data can net the violating company a fine of 4% of their annual global income, or 20 million Euros — whichever one is bigger.
- Personal data definition has become wider and now includes items such as the IP address and identity of their mobile device.
- Individuals now have more rights over the use of their personal data for security purposes. Companies can no longer use long-worded terms and conditions in order to obtain explicit consent from their customers to process their data.
- GDPR has made technical and organizational measures of protecting personal data to be mandatory. Companies now need to hash and encrypt personal data in order to protect them.
- Registries relating to data processing are now mandatory as well. What this means is that organizations need to have a written record (electronically) of all the activities they would do with the personal data, which captures that lifecycle of data processing.
- Impact assessments for data protection, such as data profiling, will now be required.
- Reporting any and all data breaches is now mandatory. Organizations have a maximum of 72 hours to report a breach in their security, which places personal data at risk. If it poses a high risk for individuals, then it should be reported immediately or without delay.
- If an organization processes a large amount of data, they will be required to have a Data Protection Officer, who is in charge of monitoring compliance with the regulation and reports directly to the highest management level of the company.
- The GDPR is mainly focused on data protection by design and by default.
There is no doubt that the legal and technical changes the GDPR requires in order to comply at an organizational level is big. Achieving compliance takes more than information security or legal teams alone. It takes the creation of a GDPR task force to find an organization that understands the changes and effects on its operation. They will work together in order to meet compliance requirements set forth by the new regulation.