According to a report by PwC, cybercrime was the second most reported crime in 2016. In addition, the National Crime Agency reports that cybercrime now accounts for more than 50% of all crimes in the UK. Unfortunately, according to Microsoft, it takes security experts 146 days on average to detect that an attack has occurred. Against this background, the GDPR was passed into law in the European Union in April 2016.
The General Data Protection Regulation (GDPR) is a privacy regulation that will apply to all companies that sell to and store personal information about citizens in Europe, including non-EU companies around the world. Non-EU organizations will be subject to the GDPR where they process personal data about EU (European Union) and EEA (European Economic Area) citizens. It will give citizens of the EU and EEA greater control over their personal data and assurances that their information is protected. It is composed of 99 Articles and 173 Recitals; the Recitals provide explanatory text to help with the interpretation of the Articles.
According to the GDPR portal, personal data is “any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, and posts on social networking websites, medical information, or a computer IP address.”
Although the GDPR was approved and adopted by the EU Parliament in April 2016, the regulation will take effect after a two-year transition period which means that it will be in force on May 25, 2018. Unlike a directive (a legislative act that sets out a goal that all EU countries must achieve), this regulation does not require any enabling legislation to be passed by the government.
According to a PwC survey, 24% of American corporate respondents say they plan to spend under $1 million USD on GDPR preparations. However, 68% say they will invest between $1 million and $10 million USD. Nine percent say they expect to spend more than $10 million to ensure that they are GDPR-compliant.
Organizations can be fined anywhere from 2% to 4% of annual global turnover (net sales generated by the business in the preceding financial year) for breaching GDPR, or €20 million (approximately $24.6 million USD), whichever is greater. There is a tiered approach to fines. For example, a 2% fine applies for not having records in order (Article 28) or for not notifying the supervisory authority and the data subject about a breach. If the company does not conduct an impact assessment, it can also be fined 2%. However, for the most serious infringements, a company may be fined the maximum of €20 million or 4% of annual global turnover, whichever is greater. It is important to note that the rules apply to both data controllers and data processors, which means “clouds” are not exempt.
Many organizations have been eagerly anticipating this development but to others, this may seem a daunting undertaking. With this article, Netswitch would like to provide you with:
All employees, including senior management, should know what the GDPR is and what it entails. Executives are responsible for making major decisions and, therefore, should be well informed about what they need to do and what the consequences are if the company fails to comply. All employees should know what the organization’s obligations are under the GDPR with regard to collecting, processing, and storing data.
To ensure that everyone in the organization is knowledgeable about the GDPR, you need to consider training both management and rank-and-file employees. Training employees will help them understand the organization’s responsibilities and greatly reduces the probability of your staff doing something that may result in a data breach.
You may need to organize an information audit. All personal data that the organization holds should be documented. You must know what personal data is held, where it came from, how it was collected and with whom it was shared. You need to identify all sources of data and all types of data relationships (e.g. third-party tools and tags on websites).
You need to make a full review of your current privacy notices and make sure that they are aligned with GDPR requirements before it takes effect in May.
All processes and procedures within the organization should be checked to ensure that they cover all individuals’ rights. Under the GDPR, the following individuals’ rights should be included:
All procedures on subject access requests should be updated. You need to plan how requests will be handled under the GDPR. Following are new rules you need to take into account:
If your organization handles a large volume of access requests, consider whether it is feasible to develop systems that allow individuals to gain access to their information easily online.
Your organization should identify and document the legal basis under the GDPR for each of its processing activities. Your privacy notice should also be updated to explain it.
Review how you seek, record and manage consent and check if you need to make changes. Existing consents should be refreshed if they do not meet the GDPR standard.
It is important to remember that consent must be freely given. It should be specific, informed and explicit. There must be positive opt-in and it should be separate from other terms and conditions. If people want to withdraw consent, there must be simple methods for them to be able to do so.
All consent must be verifiable. Generally, individuals have more rights where organizations rely on consent to process their data.
The GDPR brings in special protection for children’s personal data specifically in the context of commercial internet services such as social networking. If your company offers online services to children and relies on consent to collect their personal data, you may need a parent or guardian’s consent to be able to process their information lawfully.
Under the GDPR, the age when a child can give their own consent to this processing is set at 16 although it may be lowered to a minimum of 13 in the UK. If the child is younger, you need to get consent from an individual holding “parental responsibility.”
Another important note: your privacy notice must be written in such a way that children will understand what your organization is saying.
Your organization must have the right procedures in place to detect, report, and investigate a personal data breach.
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the organization has to notify the individuals concerned directly in most cases. Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
Under the GDPR, privacy by design is an express legal requirement under the term “data protection by design and by default.” A Privacy Impact Assessment (PIA) is referred to as a “Data Protection Impact Assessment” (DPIA), and DPIAs are mandatory in certain cases.
For example, a DPIA is required where data processing is likely to result in high risk to individuals:
The organization should designate a Data Protection Officer (DPO) who will be responsible for data protection compliance.
You are required to formally designate a DPO if you are:
You need to determine your lead data protection supervisory authority if your organization operates in more than one EU member state. The lead authority is the supervisory authority where your main establishment is in the EU or where decisions about processing are taken and implemented.
This is only relevant if you have establishments in more than one EU member state or if you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU states.
If you need assistance regarding GDPR compliance, contact Netswitch today to schedule a consultation.
Although passwords are still used for internet security, other measures need to be taken to protect your data. In several cases, experts have found that passwords have been compromised even by advertisers that grab data from a browser’s integrated password manager.
Time and again, users are instructed to come up with strong passwords, meaning long and complex ones. In most cases, users are also encouraged to change passwords at regular intervals (e.g. every 6 months). A better option is enabling two-factor authentication (2FA), which requires users to present a secondary means of logging into their account, typically through a smartphone.
To ensure that your network data is protected, contact our experts at Netswitch today.
The post What is GDPR? Why is it Important for Business? appeared first on Netswitch Technology Management.
This is a Security Bloggers Network syndicated blog from News and Views – Netswitch Technology Management, authored by Press Release. Read the original post at: https://www.netswitch.net/gdpr-important-business/