GDPR: How Your Company Should Prepare For The EU General Data Protection Regulation
You may never have heard of new European legislation called the General Data Protection Regulation (GDPR) that will be implemented on May 25. If you are the owner or manager of a business located in the European Union (EU), or one with customers in the EU, this legislation could cost you 4% of your total global turnover or $20 million!
This new European legislation is less than two months away from coming into force, and your business needs to be prepared.
What GDPR Really Is
General Data Protection Regulation is European legislation approved in 2016. Legislators gave European and non-European companies a two-year period to comply with it, and that period is almost over: GDPR will become effective on May 25, 2018.
GDPR is a modern piece of legislation that will replace a previous law, the Data Protection Directive of 1995. The new law also intends to harmonize rules across the whole European Union. The aim of GDPR is to give consumers, not companies, control of the personal data collected from websites, applications and APIs.
The General Data Protection Regulation will affect not only companies and organizations located within the European Union, but also foreign companies and organizations that offer goods or services to people within the European bloc or monitor their behavior.
Why GDPR Matters for Companies
According to GDPR, personal data is any information relating to a natural person, or "Data Subject", that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer's IP address.
The General Data Protection Regulation puts consumers in control of their own personal data, but it is the businesses and organizations that are responsible for implementing the regulation.
The penalties for companies who fail to comply with GDPR consist of fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater.
Some might think that the General Data Protection Regulation is just another tech regulation, but this is far from true. GDPR has profound implications for several areas of a company, particularly marketing and sales. In order to better understand how GDPR affects businesses, it is necessary to explain its technical details.
Technical Details of the GDPR Directive
There are 99 articles in the GDPR. These can be grouped into 6 different types of requirements:
1) Data Subject Rights: The consumer has the right to be informed about the processing of their personal data, to have access to the data, to be forgotten, to be notified about a data breach, and so on. These rights, together with the privacy principles, dictate how security controls are implemented and how the personal data lifecycle is managed.
2) Privacy Principles: Companies should build privacy principles such as integrity and confidentiality, accountability and compliance, and data minimization into their systems by design and by default.
3) Data Protection Officer: The GDPR requires companies to appoint a Data Protection Officer (DPO) to oversee the data protection strategy and its implementation. The duties of a DPO include advising the organization of its obligations under the regulation and monitoring compliance with it. Organizations must provide the ways and means for the DPO to monitor the compliance of IT systems.
4) Data Protection Impact Assessment: A DPIA includes tasks such as identifying data flows, evaluating security controls, assessing the effects of a presumed data breach, and mitigating privacy risks.
5) GDPR Technical Cybersecurity Requirements: GDPR requires that the "controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk". This includes 4 classes of measures:
6) Data Breach Notification: Finally, it is mandatory for organizations to monitor access to personal data and the effectiveness of their security controls in order to detect data breaches in their systems. If a data breach is likely to result in a risk to the rights of natural persons, the organization must notify the supervisory authority. If the risk is high, the organization must also notify the affected data subjects.
How Intelligems Can Help Your Business With GDPR
Most auditing companies offer a basic GDPR compliance service, which consists of just completing a checklist of the new requirements. Afterward, they leave you and your team on your own to make the necessary changes.
At Intelligems, we are extremely dedicated to helping our clients achieve their best results. This often includes updating services to comply with new regulations. And this is exactly what we are offering your business now that the implementation of GDPR is less than two months away.
We can help your business comply with GDPR from start to finish. How? First, our engineers review your business, carry out the compliance check with you, and then suggest the technical changes that need to be made. But that's not all! We then work with your technical team and guide them through implementing, developing and deploying the adapted systems.
Are you looking for a team of professionals to help your business comply with the General Data Protection Regulation? Get in contact with us; we look forward to helping you!