What is GDPR?
The General Data Protection Regulation (GDPR) is a directive from the European Union (EU) to regulate the exportation of personal data outside of EU. It is intended to provide protection for European Citizens private information.
Below are some of the types of privacy data that the GDPR protect.
● Basic identity information such as name, address and ID numbers
● Web data such as location, IP address, cookie data and RFID tags
● Health and genetic data
● Biometric data
● Racial or ethnic data
● Political opinions
● Sexual orientations
Any organization that processes personal information about EU citizens within EU states must comply with GDPR, even if they do not have a business presence within the EU. Industries that are most likely to comply with GDPR are online retailers, software companies, financial services, business process outsourcing firms, online services/SaaS and retail/consumer packaged goods.
Why is GDPR a concern for non EU countries?
The GDPR places equal liability on data controllers and data processors. Data controllers are organization that owns the data. Data processors can be within the organization or outside the organization that help manage that data. A third party processor that is not in compliance means that your organization is also not in compliance. So, in the event that a breach is identified and you do not comply with GDPR, then your organization may be subject to class lawsuits, penalties and hefty fines.
What is mandated by GDPR?
Below are some of the new obligations being introduced by this regulation:
Data Control:Organizations must ensure data accuracy and integrity, must minimize the exposure of subject identities and must implement data security measures.
Data Security:Organizations must implement safeguards to protect data and keep data for additional processing.
Right to Erasure: Organizations must completely erase data from all repositories it is requested for subject deletion by the owner of data, when a service or agreement has ended and when consent is not given by the data subject. Except for those with legal reasons, as specified in the regulation, data can be retained.
Risk Mitigation and Due Diligence: Organizations must conduct a full risk assessment and implement measures to ensure and demonstrate compliance. They must also prove full data control and proactively help third-party customers and partners to comply.
Breach Notification:Organizations are required to notify the authorities within 72 hours when a breach occurs. They must describe the consequences of the breach and must communicate the breach directly to all affected parties.
What can your organization do to prepare for GDPR?
1. Executive leadership is important in prioritizing risk management and compliance with global data standards. Start a task force that includes any group in the organization that collects, analyzes and makes use of customers’ personal information. With everyone involved, they can better share information that will be useful to implementing the changes required and they will be better prepared to deal with the impact on their teams. 2. Conduct a risk assessment because you want to know what data you store and process on EU citizens and understand the risks around it. It must also outline the measures taken to mitigate the risks and ensure that those measures are implemented. 3. Test incident response times because the GDPR requires organizations to report breach within 72 hours. The timeliness of how the team can respond to minimize the damage can affect the organization’s risk for penalties and fines.
4. Set up a process for ongoing assessment to ensure that you remain in compliance. It will require you to monitor movement of transactions and information in case of breach and continuous improvements.
5. Do all this with the objective of improving your business. Compliance to GDPR is a competitive advantage. Consumer will most likely transact with organizations that put a high value on security of information.
If you want to know more how GDPR can impact your business, reach out to us at Upaya - The Solution Inc, for more information.
Till Next Time,