What is the GDPR? Europe's new data privacy and security law includes hundreds of pages' worth of new requirements for organizations around the world. This GDPR overview will help you understand the law and determine what parts of it apply to you.
Pseudonymized data also enjoys more freedom under the GDPR than non-pseudonymized, fully identified personal data. For instance, Article 6(4) of the GDPR lists pseudonymization (and encryption) as a possible exception to the general rule that a controller cannot process data for a purpose other than the one for which it was collected.
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
The General Data Protection Regulation (GDPR) is a new European privacy law which became enforceable on May 25, 2018. The GDPR also has extraterritorial reach: UK companies continuing to do business with the EU after Brexit will need to comply with the Regulation to avoid infringements. Although the UK is intending to exit the EU within the next few years, the GDPR will still have an impact.
With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).
We created this website to serve as a resource for SME owners and managers to address specific challenges they may face. While it is not a substitute for legal advice, it may help you to understand where to focus your GDPR compliance efforts. We also offer tips on privacy tools and how to mitigate risks. As the GDPR continues to be interpreted, we'll keep you up to date on evolving best practices.
If you've found this page — 'what is the GDPR?' — chances are you're looking for a crash course. Maybe you haven't even found the document itself yet (tip: here's the full regulation). Maybe you don't have time to read the whole thing. This page is for you. In this article, we try to demystify the GDPR and, we hope, make it less overwhelming for SMEs concerned about GDPR compliance.
History of the GDPR
The right to privacy is part of the 1950 European Convention on Human Rights, which states, 'Everyone has the right to respect for his private and family life, his home and his correspondence.' From this basis, the European Union has sought to ensure the protection of this right through legislation.
As technology progressed and the Internet was invented, the EU recognized the need for modern protections. So in 1995 it passed the European Data Protection Directive, establishing minimum data privacy and security standards, upon which each member state based its own implementing law. But already the Internet was morphing into the data Hoover it is today. In 1994, the first banner ad appeared online. In 2000, a majority of financial institutions offered online banking. In 2006, Facebook opened to the public. In 2011, a Google user sued the company for scanning her emails. Two months after that, Europe's data protection authority declared the EU needed 'a comprehensive approach on personal data protection' and work began to update the 1995 directive.
The GDPR entered into force in 2016 after passing European Parliament, and as of May 25, 2018, all organizations were required to be compliant.
Scope, penalties, and key definitions
First, if you process the personal data of EU citizens or residents, or you offer goods or services to such people, then the GDPR applies to you even if you're not in the EU. We talk more about this in another article.
Second, the fines for violating the GDPR are very high. There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages. We also talk more about GDPR fines.
The GDPR defines an array of legal terms at length. Below are some of the most important ones that we refer to in this article:
Personal data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it's relatively easy to ID someone from it.
Data processing — Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, erasing… so basically anything.
Data subject — The person whose data is processed. These are your customers or site visitors.
Data controller — The person who decides why and how personal data will be processed. If you're an owner or employee in your organization who handles data, this is you.
Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. They could include cloud servers like Tresorit or email service providers like ProtonMail.
What the GDPR says about…
For the rest of this article, we will briefly explain all the key regulatory points of the GDPR.
Data protection principles
If you process data, you have to do so according to seven protection and accountability principles outlined in Article 5.1-2:
- Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy — You must keep personal data accurate and up to date.
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Accountability
The GDPR says data controllers have to be able to demonstrate they are GDPR compliant. And this isn't something you can do after the fact: If you think you are compliant with the GDPR but can't show how, then you're not GDPR compliant. Among the ways you can do this:
- Designate data protection responsibilities to your team.
- Maintain detailed documentation of the data you're collecting, how it's used, where it's stored, which employee is responsible for it, etc.
- Train your staff and implement technical and organizational security measures.
- Have Data Processing Agreement contracts in place with third parties you contract to process data for you.
- Appoint a Data Protection Officer (though not all organizations need one — more on that in this article).
Data security
You're required to handle data securely by implementing 'appropriate technical and organizational measures.'
Technical measures mean anything from requiring your employees to use two-factor authentication on accounts where personal data are stored to contracting with cloud providers that use end-to-end encryption.
Organizational measures are things like staff trainings, adding a data privacy policy to your employee handbook, or limiting access to personal data to only those employees in your organization who need it.
If you have a data breach, you have 72 hours to tell the data subjects or face penalties. (This notification requirement may be waived if you use technological safeguards, such as encryption, to render data useless to an attacker.)
Data protection by design and by default
From now on, everything you do in your organization must, 'by design and by default,' consider data protection. Practically speaking, this means you must consider the data protection principles in the design of any new product or activity. The GDPR covers this principle in Article 25.
Suppose, for example, you're launching a new app for your company. You have to think about what personal data the app could possibly collect from users, then consider ways to minimize the amount of data and how you will secure it with the latest technology.
When you're allowed to process data
Article 6 lists the instances in which it's legal to process personal data. Don't even think about touching somebody's personal data — don't collect it, don't store it, don't sell it to advertisers — unless you can justify it with one of the following:
- The data subject gave you specific, unambiguous consent to process the data. (e.g. They've opted in to your marketing email list.)
- Processing is necessary to execute or to prepare to enter into a contract to which the data subject is a party. (e.g. You need to do a background check before leasing property to a prospective tenant.)
- You need to process it to comply with a legal obligation of yours. (e.g. You receive an order from the court in your jurisdiction.)
- You need to process the data to save somebody's life. (e.g. Well, you'll probably know when this one applies.)
- Processing is necessary to perform a task in the public interest or to carry out some official function. (e.g. You're a private garbage collection company.)
- You have a legitimate interest to process someone's personal data. This is the most flexible lawful basis, though the 'fundamental rights and freedoms of the data subject' always override your interests, especially if it's a child's data. (It's difficult to give an example here because there are a variety of factors you'll need to consider for your case. The UK Information Commissioner's Office provides helpful guidance here.)
Once you've determined the lawful basis for your data processing, you need to document this basis and notify the data subject (transparency!). And if you decide later to change your justification, you need to have a good reason, document this reason, and notify the data subject.
Consent
There are strict new rules about what constitutes consent from a data subject to process their information.
- Consent must be 'freely given, specific, informed and unambiguous.'
- Requests for consent must be 'clearly distinguishable from the other matters' and presented in 'clear and plain language.'
- Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can't simply change the legal basis of the processing to one of the other justifications.
- Children under 13 can only give consent with permission from their parent.
- You need to keep documentary evidence of consent.
Data Protection Officers
Contrary to popular belief, not every data controller or processor needs to appoint a Data Protection Officer (DPO). There are three conditions under which you are required to appoint a DPO:
- You are a public authority other than a court acting in a judicial capacity.
- Your core activities require you to monitor people systematically and regularly on a large scale. (e.g. You're Google.)
- Your core activities are large-scale processing of special categories of data listed under Article 9 of the GDPR or data relating to criminal convictions and offenses mentioned in Article 10. (e.g. You're a medical office.)
You could also choose to designate a DPO even if you aren't required to. There are benefits to having someone in this role. Their basic tasks involve understanding the GDPR and how it applies to the organization, advising people in the organization about their responsibilities, conducting data protection trainings, conducting audits and monitoring GDPR compliance, and serving as a liaison with regulators.
We go in depth about the DPO role in another article.
People's privacy rights
You are a data controller and/or a data processor. But as a person who uses the Internet, you're also a data subject. The GDPR recognizes a litany of new privacy rights for data subjects, which aim to give individuals more control over the data they loan to organizations. As an organization, it's important to understand these rights to ensure you are GDPR compliant.
Below is a rundown of data subjects' privacy rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Conclusion
We've just covered all the major points of the GDPR in a little over 2,000 words. The regulation itself (not including the accompanying directives) is 88 pages. If you're affected by the GDPR, we strongly recommend that someone in your organization reads it and that you consult an attorney to ensure you are GDPR compliant.
NOTE: This article is intended to inform our readers about the current data privacy and security challenges experienced by companies in the global marketplace. It is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.
No matter your views on regulatory and governing bodies as a whole, I think we can agree that the world finds itself at a tipping point regarding personal data and the internet.
According to a survey from IT Security Central and the Breach Level Index, nearly two million data records are lost or stolen over the course of a single work day. Two billion people willingly hand over data to Facebook every day, and nearly 90 million of them were affected by the Cambridge Analytica scandal.
As a society, we've come to the rapid and jarring realization that the misuse of our data isn't limited to spam calls and credit card theft. Personal data in the wrong hands can sway national elections and international politics.
Enter the General Data Protection Regulation (GDPR), the European Union's updated personal data privacy law.
If nothing else, GDPR is an attempt to assign responsibility to someone—or, in most cases, some business or corporation—when something goes wrong with our data. At its basis, it establishes an EU citizen's right to expect that their data will be reasonably managed and protected.
And if it isn't, it also establishes an EU citizen's right to expect consequences for bad and negligent actors.
If you read that and thought, 'This only applies to European companies,' guess again. The GDPR applies to any company that collects an EU citizen's personal data.
Complying with GDPR is going to require lots of hard work. And finding yourself in noncompliance will result in hefty fines that could very well put you out of business.
I'll go into more detail about the consequences of noncompliance below, but first, it's imperative that you understand the basics of GDPR and how it applies to your business.
I'll answer some frequently asked questions about GDPR, as well as give you some information about how your IT team can help you prepare for GDPR with better database management and cybersecurity so you won't find yourself blindsided.
FAQs about GDPR
It's hard to get used to any new regulation, but GDPR is actually a simplification of an older set of rules: Directive 95/46/EC. In addition to being harder to abbreviate, the argument is that this directive was harder to comply with, as it gave each EU member country some wiggle room to interpret data protection differently.
GDPR helps bring all the rules from these various countries under the purview of one mandate and one regulatory body.
But enough European legal history. Let's get to the future of the internet as we know it.
What is GDPR?
The GDPR (the European Union's General Data Protection Regulation) gives EU citizens more control over their personal data and how it's used by third parties.
In short, if you're collecting personal data from citizens in the European Union, you'll have to follow strict guidelines about what data you're collecting, how you manage that data, and how that data is stored and protected once it's in your company's possession.
When does GDPR go into effect?
Friday, May 25, 2018.
So you need to put the last touches on your compliance efforts now.
Who does GDPR apply to?
If your business offers goods or services to EU citizens, you're subject to GDPR. The end.
Map of EU member countries. Note: This map still contains the United Kingdom, as it won't leave the European Union until 2019 and its own data protection laws will incorporate GDPR.
'Aha!' you might say. 'I offer my goods and services free of charge, so GDPR doesn't apply to me, right?'
Wrong. Even if no money changes hands, you're still subject to GDPR.
That means that most large corporations will be affected by these new regulations. However, these rules even trickle down to freelancers and independent bloggers. One example of the widespread effects of GDPR: If you have mailing lists for newsletters or promotions, and some of your prospects or customers are EU citizens, GDPR applies to you.
It's estimated that more than half of U.S. businesses will be affected by GDPR.
How does GDPR affect your business?
Depending on how your business currently handles its customers' personal data, you could be looking at a lot of work to ensure that you're compliant with GDPR.
If you're handling any EU citizen's data, you'll need to rethink how you're collecting, storing, and protecting it, which could have a ripple effect on how you collect, store, and protect all of your customers' data.
From my perspective covering small business IT management, the biggest change coming for companies responsible for GDPR compliance is the liability you'll face for data breaches.
Depending on the scale of the breach, preventative and retroactive actions taken, and whether you disclosed the breach within 72 hours of its occurrence, you could be subject to fines of up to €20 million (about $24 million) or four percent of your business's annual global revenue.
I'm not trying to be a fearmonger with this point, but I think it serves to illustrate the seriousness of GDPR compliance. While €20 million is the maximum fine for, presumably, the maximum crime, smaller mishandlings of data could result in smaller fines of €10 million (nearly $12 million), which is hardly a small fine for small businesses.
The good news is that, once you've gone through the effort of becoming GDPR-compliant, the new regulations should help streamline data handling for EU citizens.
Instead of keeping track of its 28 member countries' data protection laws, your company will have to comply with only GDPR, and everything associated with the new regulation will be overseen by a single supervising agency.
How can your IT department help with GDPR compliance?
Before we get into the specifics of the role your IT department can play in GDPR compliance, let me say that responsibility for complying with the new EU regulations shouldn't fall solely on IT.
Especially when it comes to collecting customer data, for example, your sales and marketing teams should be cognizant of how these new rules affect them and how they conduct and manage their campaigns.
However, when it comes to storage and protection of personal data, that's where IT can help direct your compliance efforts.
Data storage and handling
GDPR mandates that you appoint a data protection officer (DPO) if your company practices 'regular and systematic monitoring of data subjects on a large scale.'
Fun fact: Both 'regular and systematic monitoring' and 'large scale' are up for debate in terms of when one or both metrics require you to appoint a DPO.
However, if you have any customers in the European Union and you're tracking their online behavior to serve targeted ads or promote algorithmically determined products to them, you should consider bringing a DPO on board.
Even if you don't meet these criteria, I'd still suggest that your company start thinking differently about how it handles data—Mark Zuckerberg's testimony in front of Congress signals that U.S. regulation of personal data handling will be coming down the pipeline in the near future.
And to be frank, a lot of the things that DPOs will be responsible for are things your company should be doing anyway, even if only to protect your proprietary data.
So what can you do to make sure your data is properly stored and managed?
1. Educate all your employees about data best practices
Data governance encompasses all aspects of data management
Even if you don't have to hire a DPO, I suggest you go ahead and establish a data governance committee. Part of their job will be to establish data management standards and educate all employees on data best practices.
Plus, if you think you'll have to consider GDPR compliance in the future when your company grows or expands internationally, you'll already have a cross-team group set up that's familiar with compliance laws.
I've written a more in-depth piece on data governance, so head over there for more tips on how to create your committee.
2. Restrict data access to very specific employees and roles
In a perfect world, employees would always handle data according to best practices. But that's not the world we live in. While you should make every effort to educate employees about those best practices, it's also best practice to restrict access to sensitive data to only employees who absolutely need it.
Setting up identity management software can help you restrict access to databases or specific data sets within a database.
3. Find out what data you have
This might sound like the easiest part of this process, but, according to a survey from Veritas, over half of the data that organizations hold is 'dark' data, meaning they have no idea what it contains, if they're even aware that they're holding on to it in the first place.
My colleague Tirena Dingeldein has a great explanation of how dark data and 'databergs' are damaging for business, as well as some in-depth tips for how to find and mine them.
Take a look at data mining software to get a handle on what data is lurking in the shadows, and talk to your IT team about possible locations of dark data.
4. Back up your data
GDPR ensures that EU citizens have the right to request access to their data, as well as request that a company transfer ownership of or delete their data. For that reason, it's imperative that you back up your data to ensure that it's on file if or when your EU customers request it.
I've already written about some great options for backing up your small business's data here, so I'd suggest checking that out. Bottom line, you should invest in business continuity software to ensure that your data is always backed up and available.
Discuss best practices for backup schedules and backup storage with your IT team, as every company's needs will be different.
Cybersecurity
Another way your IT team can help you get ready for GDPR is in the cybersecurity arena.
No company wants to get hacked, but it happens. In fact, it happens successfully two times per week, and that's not considering the thousands of thwarted attempts your security team fends off.
Under GDPR, companies are required to report data breaches involving personal data directly to those affected within 72 hours of detecting it, or face hefty fines.
By requiring direct communication with victims of data breaches, along with such severe consequences for failures to report them, the hope is that some rapid and dramatic cybersecurity innovations will take place.
Even if you're not legally required to comply with GDPR, you should act fast when it comes to beefing up your IT security staff. The job market is already ridiculously competitive.
In the meantime, make sure that your organization is employing some sort of cybersecurity or network security solution to keep your data safe from hackers and intruders.
Capterra also has lots of resources to help you stay on top of cybersecurity trends if you're interested in learning more:
- Tips specifically for small businesses to improve their cybersecurity
- How human-centered design could improve the cybersecurity industry
- Lessons from small businesses that were victims of cyberattacks
- How you can start using AI in your cybersecurity strategy
Ready or not, GDPR is happening
Whether you like the idea of GDPR or not, you'll be responsible for adhering to it starting May 25 if you hold any personal data on EU citizens.
My guess is that, if GDPR proves effective for the European Union in preventing cyberattacks or giving citizens more of a sense of control over their personal data, other countries will adopt similar policies.
Consider the United Kingdom, for example, which has already stated that it will adopt similar laws regarding personal data after Brexit. It's the largest market in the world for U.S. service exports.
And if your company ever wants to expand, the United Kingdom's large economy and population of English-speaking consumers make it one of your best bets as an American company.
Put aside your feelings about international business regulations and consider the fact that backing up and protecting any and all business data, personal or not, is already considered best practice. Transparency with your customers, including on issues such as data breaches, is recommended so that affected customers can take appropriate action to prevent further data theft.
Organizations such as Facebook are already providing more information on what data they collect on their users. That's not a widespread business practice yet, but it might be after Zuckerberg's congressional hearings.
So whether you're taking measures for GDPR compliance or for the betterment of your business, go and protect your data, and respect your customers' right to data privacy and transparency.
Other helpful resources:
- Access the EU GDPR portal for more in-depth information on GDPR
- Pay attention to how GDPR affects other companies you might do business with
- Look on the bright side with this possible benefit of GDPR