After years of adjustments, it is finally here: the European Union's General Data Protection Regulation (GDPR) has just come into effect. The new regulation substantially affects both businesses in the EU and businesses outside the EU that work with EU companies and clients. Without further ado, let's take a closer look at what is new.
Do you need to comply with GDPR?
The requirements GDPR sets affect all organizations doing business in the EU and all organizations processing data that originated in the EU, whether it is the data of residents or of visitors. The Internet knows no borders and no regulations, which in the case of GDPR makes things interesting, not to say complicated. To cut a long story short, organizations of all sizes in any country that process data from within the EU are subject to the GDPR. Some time ago we already discussed the details of the newly revised General Data Protection Regulation.
Summary of GDPR
GDPR is long and hard to read, which is why we prepared a summary of the most important articles for you:
Article 25 – Data Protection by Design and by Default:
The controller has to implement appropriate technical and organizational measures to make sure the data protection principles of the GDPR are met.
Article 32 – Security of Processing:
Controllers and processors have to implement adequate technical measures, both now and on an ongoing basis in the future.
Article 33 – Notification of a Personal Data Breach to the Supervisory Authority:
The controller should notify the supervisory authority of a personal data breach within 72 hours. The information may be delivered in phases, but a late notification has to be accompanied by the reasons for the delay.
Article 34 – Communication of a Personal Data Breach to the Data Subject:
Companies have to communicate the personal data breach to the data subject without delay.
Article 35 – Data Protection Impact Assessment (DPIA):
Controllers must carry out a DPIA prior to implementing new technologies, to avoid breaches of the rights and freedoms of individuals.
How to get ready?
Before the GDPR came into force in May 2018, businesses had to revise their current policies and adjust them to meet the requirements of the new regulation. Learn more about it here. To adjust, they had to look into the following areas: Identification, Analysis and Execution, and Report. Here is what exactly they had to do:
Analyze Current Policies:
- Inventory data repositories and personal data;
- Analyze existing policies and procedures influenced by GDPR regulations;
- Review data flows within systems.
Review Existing Technologies and Processes:
- Conduct inventory and gap analysis of existing technology, controls and processes;
- Review the status of third-party vendors that are included in your process;
- Consider the need for a data protection officer (DPO) and determine whether data needs to be transferred to other countries;
- Conduct a privacy impact analysis.
Carry out Revisions and Report the Results:
- Implement compliance technology;
- Develop and implement new or revised policies, procedures and the resulting controls;
- Conduct compliance audits and management reporting;
- Specify the role and responsibilities of a DPO, if required, and/or train existing team members for this position;
- Establish violation detection, response and notification processes;
- Negotiate agreement and process updates with third-party vendors;
- Revise legal contracts and agreements to provide compliance coverage to external parties;
- Develop certifications to ensure trust.
The Consequences of Non-Compliance
Failure to ensure GDPR compliance can result in severe fines, depending on the nature of the infringement.
This time, the enforcement of GDPR has been standardized and is applied consistently across the whole EU. Failure to apply the core principles of data processing, infringement of personal rights, or unlawful transfer of personal data is liable to a fine of €22 million, or four percent of global annual turnover from the prior year, whichever is greater.
What's more, failure to meet technical and organizational requirements such as impact assessments, breach communications and certifications might cost you €11 million, or two percent of global turnover from the prior year, whichever is greater.
How can Grey Wizard help you protect against data breaches?
Grey Wizard decreases the risk of data leaks by protecting your infrastructure and Internet environment against hacking attacks. Grey Wizard protects websites and web applications from data leaks.