GDPR, the General Data Protection Regulation, is a regulation that requires companies to protect the personal data of EU citizens for transactions that occur within EU member states. Companies that do not comply with its provisions can be fined. Below is what every company doing business in Europe needs to know about GDPR.
Companies that collect data on citizens of European Union (EU) member countries must comply with strict new rules on the protection of customer data by May 25. The General Data Protection Regulation (GDPR) is expected to set a new standard for consumer data rights, but companies will face challenges bringing their systems and processes into compliance.
GDPR will create new concerns and expectations for security teams. For example, GDPR takes a broad view of what constitutes personal identification information. Companies need to provide the same level of protection for data such as an individual’s IP address or cookie data as they do for name, address and social security number.
GDPR leaves a lot to interpretation. For example, a company must provide a “reasonable” level of protection for personal data, but the regulation does not define what “reasonable” means. This ambiguity gives the GDPR governing body a lot of leeway when assessing fines for data breaches and non-compliance.
With the deadline approaching, here is what CSOs need to know about GDPR, along with advice for meeting its requirements. Most of the requirements are not directly related to information security, but the process and system changes needed to comply may affect existing security systems and protocols.
What is General Data Protection Regulation?
The European Parliament adopted GDPR in April 2016, replacing the data protection directive of 1995. It includes provisions requiring companies to protect the personal data and privacy of EU citizens for transactions occurring within EU member states. GDPR also regulates the export of personal data outside the EU.
The provisions are consistent across all 28 EU member states, which means companies have just one standard to meet within the EU. But that standard is quite high, and most companies will need to invest heavily to meet and administer it.
According to the Ovum report, about two-thirds of US companies believe that GDPR will require them to rethink their strategy in Europe. 85% see GDPR putting them at a competitive disadvantage against European companies.
Why does GDPR exist?
The short answer to that question is public concern over privacy. Europe in general has long had more stringent rules on how companies use the personal data of its citizens. GDPR replaces the EU data protection directive that came into effect in 1995. That directive was written long before the internet became the hub of online business it is today. As a result, the directive is outdated and does not address many of the ways data is stored, collected and transferred today.
How real is public concern over privacy? It is significant, and it grows with every new high-profile data breach. According to the RSA data privacy and security report, which surveyed 7,500 consumers in France, Germany, Italy, and the United Kingdom, 80% of consumers said lost banking and financial data is a top concern. 76% of respondents were concerned about losing security information (e.g., passwords) and identification information (passport or driver’s license).
An alarming statistic for companies that handle consumer data is that 62% of respondents to the RSA report said they would blame the company, not the hacker, for lost data in the event of a breach. The authors of the report concluded, “As consumers become better informed, we expect data stewards to be more transparent and responsive.”
Because of a lack of trust in how companies handle their personal information, some consumers are taking their own countermeasures. According to the report, 41% of respondents said they intentionally falsify data when signing up for online services. Security concerns, the wish to avoid unwanted marketing, and the risk of data resale were the biggest concerns.
The report also shows that consumers will not easily forgive a personal data breach. 72% of respondents in the US said they would boycott companies that appeared to disregard data protection. 50% of all respondents said they are more likely to shop at companies that can prove they take data protection seriously.
“As companies continue to digitally transform their assets, services and large amounts of data to operate more efficiently, they have a responsibility to monitor and protect that data every day,” the report concluded.
What types of personal data does GDPR protect?
- Basic identifying information such as name, address, and ID number
- Web data such as location, IP address, cookie data and RFID tag
- Health and genetic data
- Biometric data
- Race and ethnic data
- Political view
- Sexual orientation
Which companies does GDPR affect?
Any company that stores or processes personal information about EU citizens within EU member states must comply with GDPR, even if it has no business presence within the EU. The specific criteria for companies required to comply are:
- Presence in EU countries.
- No presence in the EU, but it processes the personal data of European residents.
- More than 250 employees.
A company with fewer than 250 employees must also comply if its data processing affects the rights and freedoms of data subjects, is not occasional, or involves certain types of sensitive personal data. That effectively means almost all companies. According to a PwC survey, 92% of US companies consider GDPR their top data protection priority.
In a new study by Propeller Insights for Netsparker Ltd., the industries most affected by GDPR are online retailers (45%), software companies (44%), financial services (37%), online services / SaaS (34%), and retail / consumer goods (33%).
When must companies comply?
Companies must be able to demonstrate compliance by May 25, 2018.
Who is responsible for compliance?
GDPR defines several roles responsible for ensuring compliance: data controllers, data processors and data protection officers (DPOs). The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for ensuring that external contractors comply.
A data processor may be an internal group that maintains and processes personal data records, or an outsourcing company that performs all or part of those activities. GDPR holds processors liable for breaches and non-compliance. As a result, both the company and a processing partner such as a cloud provider could face penalties, even if the fault lies entirely with the processing partner.
GDPR requires the controller and the processor to designate a DPO to oversee data security strategy and GDPR compliance. A DPO is required if the company processes or stores large amounts of EU citizen data, processes or stores special personal data, regularly monitors data subjects, or is a public authority. Certain public authorities, such as law enforcement agencies, may be exempt from the DPO requirement.
According to a survey by Propeller Insights, 82% of responding companies already have a DPO on staff, and 77% plan to hire a new or replacement DPO before the May 25 deadline. Hiring will not stop at the DPO: approximately 55% of survey respondents reported adding at least six new hires to achieve GDPR compliance.
How much does GDPR preparation cost?
One might expect spending to rise as the May 25 deadline approaches. According to the latest Propeller Insights survey from March 2018, most companies will spend less than $1 million. In fact, 36% of respondents said they are spending $50,000 to $100,000 and 24% said $100,000 to $1 million. Only about 10% expect to spend less than $10,000.
How will GDPR affect contracts with third parties and customers?
GDPR places equal liability on data controllers (the organizations that own the data) and data processors (external organizations that help manage that data). A third-party processor that is not compliant means the organization is not compliant. The new regulation also has strict rules for reporting breaches that every member of the chain must comply with. Organizations must also inform customers of their rights under GDPR.
This means that all existing contracts with processors (e.g., cloud providers, SaaS vendors, or payroll service providers) and with customers must spell out responsibilities. The revised contracts also need to define consistent processes for how data is managed and protected, and how breaches are reported.
Larger companies, as well as offshore software development companies, may need to renew thousands of contracts. Complicating matters, this is something that must be done late in the compliance process: before responsibilities can be defined, the company needs to know exactly what data it holds, where and how that data is processed, and how it flows.
“In order to solve the technical and operational problems and enforce this, many organizations are racing against the deadline while having to draw up appropriate contracts. The companies had not renegotiated their contract terms.”
Operational: If the vendor’s processes are not agreed upon, it is unclear how they will be managed under GDPR.
Vendor management: The company needs to know how its suppliers operate under GDPR, including their security framework and data management methods. Without that knowledge, it does not know the risks they present.
Regulatory penalties: The EU is well known for its willingness to impose steep fines for breaking regulations. In the event of a breach, the company can be held liable if no contract is in place.
What if the company does not comply with GDPR?
GDPR allows for steep penalties of up to 20 million euros or 4% of annual turnover, whichever is higher, for non-compliance. According to Ovum’s report, 52% of companies expect to be fined. Oliver Wyman, a management consulting firm, predicts that the EU will collect $6 billion in fines in the first year.
An organization that misses the May 25 deadline will not be alone. Estimates vary, but some put the share of US companies required to comply that will not meet all requirements at about half. According to a Solix Technologies survey announced in December, 22% of companies were still unaware that they had to comply with GDPR. 38% answered that the personal data they handle is not protected from abuse or unauthorized access at all stages of its life cycle.
A particularly difficult requirement is the right to be forgotten, explained below. About two-thirds (66%) of respondents said they cannot confirm whether they will be able to permanently delete an individual’s personal data by the deadline.
This leaves many organizations vulnerable. The big unanswered question is how fines will be assessed. For example, will the fine be different for a violation that has little impact on individuals? The consensus is that regulators will act quickly against some companies found to be non-compliant early on, in order to send a message. After that, organizations will be able to assess more accurately what to expect if they fail to comply with the provisions.
Which GDPR requirements affect US companies?
GDPR requirements will force US companies to change the way they process, store and protect personal data. For example, a company may store and process personal data only with the individual’s consent and “for no longer than is necessary for the purposes for which the personal data are processed.” Personal data must be portable from one company to another, and the company must erase personal data on request.
The last item is also called the right to be forgotten. There are some exceptions. For example, the General Data Protection Regulation does not override any legal requirement for an organization to retain certain data. That includes HIPAA’s health record requirements.
Several requirements directly affect the security team. One is that companies must provide a “reasonable” level of data protection and privacy to EU citizens. What “reasonable” means under GDPR is not clearly defined.
A stricter requirement is that companies must report data breaches to regulators and to the individuals affected within 72 hours of detecting the breach. Another requirement, conducting impact assessments, is intended to help identify vulnerabilities and apply solutions that mitigate the risk of a breach.
What does a successful GDPR project look like?
It is hard to imagine a company more affected by GDPR than ADP. The company provides cloud-based human capital management (HCM) and business outsourcing services to more than 650,000 companies worldwide. ADP holds PII for millions of people worldwide, and its customers expect the company to support the General Data Protection Regulation so that they can do the same. If ADP turned out not to be in compliance with GDPR, it would risk not only fines but also losing the business of customers who expect ADP to bear that cost.
What should we do to prepare for GDPR?
Convey a sense of urgency to top management. Marsh, a risk management company, emphasizes the importance of leadership that treats cyber preparedness as a top priority. Compliance with global data hygiene standards is part of that preparedness.
Involve all stakeholders. IT alone cannot make the company ready to meet GDPR requirements. Marketing, finance, sales, administration – form a task force that includes every group within the organization that collects, analyzes, or uses personal identifying information. A GDPR task force with representatives from each group can better share information that is useful to the people implementing the necessary technical and procedural changes, and better handle the impact on each team.
Hire or appoint a DPO: GDPR does not say whether the DPO must be a dedicated position, so a company can nominate someone who already has a similar role, as long as that person can ensure the protection of PII without a conflict of interest. Otherwise, the company needs to hire a DPO. Depending on the organization, the DPO need not be full time. In that case, a virtual DPO is an option: GDPR rules allow a DPO to serve multiple organizations, so a virtual DPO can work as a consultant as needed.
Data protection plan: Most companies already have a plan, but it needs to be reviewed and updated to comply with General Data Protection Regulation requirements.
If the organization is small, request assistance as necessary. Small businesses are affected by GDPR too, and some are affected far more than others. They may not have the resources to meet the requirements. External advisors and technical experts can assist with the process, supplement internal resources and minimize internal disruption.
Test the incident response plan: GDPR requires the company to report a breach within 72 hours. How well the response team minimizes the damage will directly affect the penalty for a violation. Make sure the company can properly report and respond within that period.
Set up a process for ongoing assessment: Compliance needs to be confirmed, monitored and continuously improved. Some companies are considering incentives and penalties to ensure employees comply with the new policies. According to a study by Veritas Technologies, 47% of respondents expect to add compliance with GDPR policies to employee contracts. In the event of a GDPR violation, 25% would withhold bonuses and benefits, and 34% said they would take action against employees who fail to comply with GDPR.
According to a survey by Varonis Systems, 74% of respondents think that complying with General Data Protection Regulation requirements will be a competitive advantage. Compliance enhances consumer confidence. More importantly, by improving the technology and processes needed to meet GDPR requirements, an organization becomes more effective at managing and protecting its data.