Last year, the European Parliament approved what is arguably the biggest game-changer in data protection and privacy legislation for decades. The General Data Protection Regulation (GDPR) will impact upon all organizations which process an EU citizen’s personal data, and aims to encourage organizations to construct a data protection strategy with privacy at the core.
Superseding all previous national laws (such as the Data Protection Act of 1998), GDPR aims to unify data protection throughout all EU member states. From the mainstream adoption of the Internet to the dawn of social media, the world has changed significantly since 1998, but data protection regulations have not.
Essentially, it signifies a shift in the risks associated with data protection and data breaches. The primary objective is to transform the way that organizations approach the processing of personal data. Businesses have been given until 25th May 2018 to get up to speed with these new expectations, and organizations will be expected to abide by the terms outlined in the GDPR or face tough penalties.
I’ve mentioned the phrase ‘personal data’ a few times now, but what does this mean? Under the wording of the new legislation, it encompasses all personally identifiable information, or PII. That is, any data which may be used to identify, contact, or locate a single person. This can be anything from phone numbers and emails, to passport details and medical records. Broadly speaking, GDPR seeks to revise the ways organizations approach the handling of a customer or employee’s PII.
Data retention and data erasure form the basis of this law. Anyone who has their personal data held by a company now has the right to access, view and erase this data, and all companies must comply with this. A Subject Access Request (Article 15) grants every EU citizen the right to a copy of all their personal data. Businesses must provide it in an electronically transportable format that the data subject can use. Furthermore, the Right to be Forgotten (Article 16 & 17) grants every EU citizen the entitlement to have this data erased. Any company that cannot fulfil such requests will be violating GDPR – and hence will be subject to penalties. These articles are particularly likely to pose difficulties for organizations possessing tape libraries.
As well as data retention and erasure, the GDPR outlines changes to the consent companies require in order to process an individual’s data. Keeping records of that consent has been suggested by the GDPR as a mitigating circumstance should a company suffer a data breach – possibly easing the otherwise significant penalties.
A data breach would be a nightmare for any business, but under the new legislation it will be mandatory to inform data subjects, within 72 hours, should the breach pose any kind of threat to their PII. Therefore, breach detection software is likely to be embraced by more IT departments in the lead-up to GDPR going live.
In a bid to motivate businesses to take full notice of the new legislation, and to tackle those who previously undervalued the importance of data protection, GDPR has given rise to much tougher sanctions than previous iterations of these laws. Businesses that fail to comply with GDPR face fines of up to 4% of their annual global turnover or €20 million, whichever is greater.
For those questioning the relevance of this should the UK leave the EU, the vote for Brexit will not affect how applicable GDPR is to British businesses. Any company handling EU citizens’ data is within the scope of GDPR. Moreover, it is likely that the UK government will adopt its own equivalent law should the UK leave the European Union, in order to meet the EU’s legislative standards. Ultimately, the new law will impact not only EU organizations, but also anyone wanting to trade with the EU.
Tectrade have been data protection specialists for over 25 years, and are currently assisting our clients to prepare for compliance with GDPR. We are running an initiative to carry out a gap analysis on our clients’ systems, at zero cost.
This allows us to produce a comprehensive data risk assessment, helping our clients gain insight into global user permissions and into suspicious activity, using machine learning. From this, high-risk areas can be exposed, and access to this data can be safely and swiftly pulled back.
As well as this, data which is kept beyond a pre-determined retention period, especially sensitive PII, can be identified. From this, clients can then choose whether it should be archived or deleted (if no longer required).
Non-expiring passwords, a common ransomware target, allow unlimited time for malicious software to crack them. Tectrade’s report outlines how many user accounts have such passwords, allowing you to change the processes involved and prevent them from exposing your environment to unwanted visitors.
From these findings, recommendations can be made specific to an individual client’s IT environment, allowing compliance to become a focus before the regulation comes into effect. As data protection experts, we feel strongly about helping organizations transition into full compliance, and thwarting any chance of GDPR becoming an issue for you.
Learn more about the General Data Protection Regulation and how it may affect your business: download a copy of our GDPR Practical Guide.