The European Union General Data Protection Regulation (GDPR) deadline for compliance is May 25, 2018. The legislation, which sets a new standard for consumers regarding the use and storage of their personal data, technically went into effect in 2016 and updates the existing 1995 EU data protection directive (95/46/EC).
Who Does GDPR Apply to?
The GDPR applies to every company or "data controller" that deals with personal data originating in the EU, has employees that are citizens of the EU, or has employees who are not citizens, but are working and residing in the EU. Neither the size of the company nor the industry that it operates in plays a part in determining whether or not compliance is necessary.
Personal data means any information relating to an identified or identifiable natural person, i.e. someone who can be identified, directly or indirectly, from that information.
Here, we break down some of the main factors of the GDPR and how they may relate to your organization. A complete summary of the legislation and what is required to become compliant can be found on the GDPR Information Website.
Processing of Data
Under GDPR, personal data should be processed fairly and lawfully, collected for specified legitimate purposes and not used for purposes other than those identified. The data should be kept for no longer than is necessary for the purpose for which it was gathered.
The data controller is responsible for the information and must be able to demonstrate that appropriate technical and organizational measures to ensure compliance have been implemented. The controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
When personal data is collected, the owner of that data must be provided with information on what was collected and for what purpose.
Processing of data is only acceptable where the owner has given explicit consent for the use of their personal information or, where it is absolutely necessary, as part of a contract, legal obligation, or public interest.
The data controller must also be able to show when and how the data subject has given clear consent for the use of their personal data. The data subject can at any time withdraw consent.
Provision of Information
Appropriate measures must be taken to provide, upon request, any information relating to the personal data held about a person (the data subject); this information can be reported either in writing or orally.
Any information provided must be given free of charge. Similar measures also apply to the rectification of inaccurate personal data and to requests by the data subject for deletion of that data. If the controller rectifies inaccurate data or deletes information, the data subject must also be notified.
Gathering and Retention of Customer Data
With GDPR, individuals will be required to give consent to the gathering of information related to what they search, buy, and visit, and a purpose must be stated for what the gathered data will be used for. This relates largely to targeted advertising on web browsers that track a user's activity (also known as "tracking cookies") and display adverts that are deemed relevant to that user's specific interests.
Limits will also be set on what information can be gathered, and processes must be put in place to monitor how this information is stored and how securely that storage is protected.
Notification of a Data Breach
When a breach occurs that is likely to have a significant impact on the owner of the compromised data, the owner should be notified without delay (within 72 hours), unless sufficient measures have previously been applied to protect that data (such as those provided by MDR Services) that render the information unintelligible to those who have accessed it unlawfully.
Use of Information Outside the EU
If information originates in the EU and is subsequently taken out of the area, it must still comply with specific European Commission rules.
Data Protection Officer
All organizations that are impacted by GDPR must employ a Data Protection Officer (DPO) to manage GDPR compliance. The DPO must also implement and oversee a defined process for vendor and supplier management with regard to GDPR.
Codes of Conduct
Organizations are advised to prepare or amend existing codes of conduct in order to ensure the proper application of the legislation and, in particular, with regard to:
- the fairness and transparency of data processing,
- the purpose for which the controller is collecting information,
- processes for randomizing information (pseudonymisation of data),
- the rights of the data subjects,
- the provision of information to minors and confirmation of the consent received by a parent or guardian,
- the measures employed to ensure security of personal data, and
- the procedures for resolution of disputes between a controller and data subject.
What are the Costs of Non-Compliance?
The fines for non-compliance can be up to 20 million euro, or 4% of the company's global revenue from the previous year, whichever is higher. This means that falling short of the compliance requirements can have a significant impact on the operations of an organization.
How Can ActZero MDR Enhance my Compliance with GDPR?
Managing the security of information collected will require a comprehensive approach to safeguarding the data and the systems used to process it. ActZero Managed Detection and Response (MDR) offers a unified approach to addressing multiple areas of security without the burden of acquiring technology, by integrating and monitoring in various ways including:
- Continuous Vulnerability Analysis: Examine all systems for known vulnerabilities and remediate them, so you can demonstrate to auditors that information resides on protected systems.
- Audit Logs for Access, Changes and Modification: Offer a single logging platform to collect information from the critical systems housing data, including the applications, firewalls, servers and operating systems used to collect and store this information.
- Endpoint Detection and Response (EDR): Track and monitor access to any system component on endpoints, with a team to investigate potentially malicious activity involving files, the network or processes on all systems.
- Threat Intelligence: Offer an off-network collection of known malicious hosts to ensure your systems are not communicating with malicious sources.
- Regular Review and Virtual CISO: Have a senior officer, shared as part of the service, communicate with stakeholders, auditors and personnel about the status of compliance and the safeguards implemented for your organization.
Download a sample of our Prevention Posture Assessment (PPA) report and find out how you can use it to determine if you have been breached or can be breached by malware.