In this new electronic age, the key to freedom is privacy. The Internet, in the name of connecting people, has struck hard at privacy. The personal data of several million users, stored electronically, is a very valuable asset that companies later use to build complex algorithms which, in the end, help them market their product or service better. That same electronic data, if leaked or easily accessible, can help scammers set a trap.
On 27th April 2016, the European Parliament adopted a new regulation, GDPR, to strengthen and unify data protection for all residents in the European Union (EU). It will be enforced from 25th May 2018 and will replace the data protection directive (officially Directive 95/46/EC) of 1995.
GDPR is a single set of rules which will be applied to all EU member states. Each member state will establish an independent Supervisory Authority (SA) to hear and investigate complaints, sanction administrative offenses, etc. SAs in each member state will cooperate with other SAs, providing mutual assistance and organizing joint operations.
The goal of GDPR is a harmonized data protection law framework across the EU, and it aims to give citizens back control of their personal data through the following rights:
- Right to Erasure: It is a clarified version of “Right to be forgotten”. The data subject has the right to request erasure of personal data related to them. The legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
- Easier access to your own data: Individuals will have more information on how their data is processed, and this information should be available in a clear and understandable way.
- Data portability: It will be easier for a person to transfer their personal data from one service provider to another.
- The right to know when your data has been hacked: When companies don’t inform clients about leaked details, those clients can be duped. The right to know when your data has been hacked protects the client from scammers.
Roles & Responsibilities
In GDPR, businesses are classified by their responsibilities for the protection of personal data into “controllers” and “processors”. A data controller is an organization that collects data from EU residents (data subjects). A data processor is an organization that processes data on behalf of the data controller.
If a business has multiple establishments in the EU, it will have a single SA (Supervisory Authority) as its “lead authority”, based on the location of its “main establishment”. The lead authority will supervise all the processing activities of that business throughout the EU.
Controls for Data Protection
The controller and the processor have to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of GDPR and ensure the protection of the rights of the data subject. Data protection can be achieved by implementing:
- The pseudonymization and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
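The first control above, pseudonymization, is shown below as an added example (not code from the post): direct identifiers in a constructed sample record are replaced with keyed HMAC-SHA256 tokens, and the key plus the token-to-value mapping are the "additional information" that must be held separately so the working data set alone cannot be re-identified. The unkeyed-hash function is included only to show why a plain hash of an identifier is not adequate pseudonymization.

```python
import hashlib
import hmac

# Constructed sample record (not from the post): the kind of personal data a
# controller or processor might hold about an EU data subject.
SAMPLE_RECORD = {
    "customer_id": "C-1042",
    "email": "alice@example.com",
    "plan": "premium",
    "signup_year": 2016,
}

# Fields that directly identify the data subject and must be replaced.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonymise(record, key):
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    Returns (pseudonymised_record, mapping). The mapping from token back to
    the original value, together with the key, is the additional information
    that must be stored separately from the working data set under access
    control; without it the pseudonymised record cannot be attributed.
    """
    out = dict(record)
    mapping = {}
    for field in DIRECT_IDENTIFIERS:
        value = str(record[field])
        token = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
        out[field] = token
        mapping[token] = value
    return out, mapping


def re_identify(pseudo_record, mapping):
    """Restore direct identifiers; only possible with the separately held mapping."""
    out = dict(pseudo_record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = mapping[out[field]]
    return out


def unkeyed_token(value):
    """The weak alternative: a plain hash of the identifier with no secret."""
    return hashlib.sha256(value.encode()).hexdigest()


def recoverable_from_guesses(token, candidates, token_fn):
    """True if a token matches any guessed identifier under token_fn.

    A plain hash is matched this way; an HMAC token is not without the key.
    """
    return any(token_fn(c) == token for c in candidates)
```

Because the same key yields the same token for the same identifier, records about one data subject can still be linked across pseudonymised data sets, which is what makes keyed tokens usable for analysis while keeping re-identification under the key holder's control.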
The Processor has to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of GDPR and ensure the protection of the rights of the data subject.
Any organization that controls or processes personal data of EU residents has to follow these regulations religiously.
Personal Data Breach
Under the GDPR, the controller must report a personal data breach to the Supervisory Authority within 72 hours of the data breach. The processor will inform the controller as soon as the processor becomes aware of a personal data breach. Individuals have to be notified if an adverse impact is determined.
For example, for a company like Facebook, not complying with the regulation would mean a potential maximum fine of $500 million. For Google’s parent company, Alphabet, it would be about $2.5 billion.
According to Article 83, fines shall be imposed based on “the degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them.”
Got comments? Did I miss something? Comment below…
If your organization falls under the GDPR, time is running out. You need to at least start with Gap Analysis.
Kumar Jishu is a Cybersecurity Analyst working as Business Development Executive of VISTA InfoSec, a PCI QSA company providing vendor neutral consulting services in the areas of Information Risk Compliance and Infrastructure Advisory Services. For more information, follow me at www.linkedin.com/in/kumarjishu/