By 2018, Businesses Must Comply With The New GDPR
– What is GDPR?
GDPR (the EU General Data Protection Regulation) is a piece of legislation that gives individuals more control over their personal data, imposes stricter rules on companies handling it, and requires companies to adopt new technology to process the growing volume of data they produce and to protect it from cyberattacks.
This directive will replace the current 1998 Data Protection Act. As with most major legislative changes it will not be enforced immediately; it will likely become compulsory in the first half of 2018.
– What are the major changes and how will they affect my business?
Consent: Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want.
Breach notifications: Data controllers must notify the Data Protection Authorities within 72 hours of discovery, even if the breach occurs at the level of a (third-party) processor. The notification obligation should be written into the processor contracts.
Wider geographic scope: The regulation also applies to non-EU companies that process the personal data of individuals in the EU.
Data transfer: The international transfer of data will continue to be governed by EU GDPR rules.
Sanctions: Fines are up to 4% of annual global revenue or 20M euros PER CYBER ATTACK. This is expected to speed up the enforcement process, making it more effective and consequently making the GDPR’s regime (even more) dissuasive for those who have been disregarding personal data protection concerns.
Role of data processors: Data processors will be obliged to implement technical and organisational measures to ensure data protection.
Accountability: The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity.
The one-stop-shop mechanism: An undertaking with several establishments in the EU can designate one national data protection authority as the competent authority for the activities covered by its BCRs.
Removal of the notification requirement: The requirement to notify or seek approval from a Data Protection Authority is going to be removed in many circumstances. This decision was made to save money and time. Instead of notification, the new directive requires data controllers to put in place appropriate practices for large-scale processing, in the form of new technology.
Right to erasure: Individuals also have the right to demand that their data be deleted if it is no longer necessary for the purpose for which it was collected. The controller is responsible for telling other organisations (for instance, Google) to delete any links to copies of that data, as well as the copies themselves.
– How can you be compliant?
Anthony Merry, head of data protection at Sophos, said firms should start by reviewing the current state of their data protection policies, before updating them.
"Be proactive and protect the data you hold, encrypt it and always keep up to date with your security solutions. Data breaches occur every day – and the EU have just increased the consequences of inadequate security."
– Our advice?
Your IT network is the exfiltration point through which cyberattackers will aim to leave with stolen data. Knowing where your data resides is therefore going to be incredibly important, especially customer data, which is by and large the most important asset of modern organisations, yet has been subject to significant security threats in recent times. Visibility of, and control over, its location is vital.
Multiven’s unprecedented network-based cyber defence, powered by its lifetime software integrity maintenance service, will dramatically reduce your exposure to data theft, especially from attackers who seek to exploit vulnerabilities in the portion of your network software that equipment manufacturers no longer support.