With the General Data Protection Regulation (GDPR) taking effect in 2018, organizations are finally coming to the realization that they have to take it seriously, but mostly inside the EU rather than outside it. This is a problem, because any person or entity that offers goods or services to people in the EU, or to companies and entities established there, or that monitors their behaviour, must abide by the rules (the UK retained the same rules as the UK GDPR after Brexit). In the USA, websites such as the LA Times have already blocked EU audiences while compliance procedures are being implemented.
Does it affect businesses in the GCC Region?
- Although this is an EU initiative, it affects companies anywhere in the world. Its territorial scope is not based on citizenship: it protects individuals who are in the EU, of any nationality, and it reaches any organization, wherever it is established, that offers them goods or services or monitors their behaviour. A GCC company with customers or website visitors in the EU is therefore in scope.
- The bottom line is that any entity in the world that provides a service to people in the EU must comply with this Regulation, and that includes companies in the GCC.
- The GDPR's rules apply to them and to you.
Firstly, remember the terms below:
- Data Controller = the company that decides why and how personal data is processed
- Data Processor = a cloud or software vendor that processes the data on the controller's behalf
- Data Subject = the individual the data is about, such as a user or website visitor
What does GDPR actually mean for data?
To understand the security GDPR requires, let's start by looking at the actual requirements:
- Security – GDPR requires controllers and processors to take into account the "state of the art" and the risk, and to "implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk." The risks to consider include any processing that could lead to "physical, material or non-material damage" to data subjects.
- Consent – Consent is one of six lawful bases for processing under GDPR, and where a controller relies on it, the consent must be a clear, affirmative opt-in: pre-ticked boxes and silence do not count. Data controllers and processors may then use the data subject's information only for the purposes consented to; a controller cannot extend that use to new purposes without fresh consent. If a controller ignores this, the data subject can lodge a complaint with a supervisory authority.
- Notification – The supervisory authority must be informed of a personal data breach within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where it is likely to result in a high risk, the affected data subjects must also be told without undue delay. In practice this means many more breaches will have to be reported, and each notification must be made promptly, so breach detection and an incident response process need to exist before an incident happens.
- Objection – Data subjects have the right to object to their data being processed for direct marketing, including any profiling connected to it, and to object to other processing based on legitimate interests or a public task.
- Erasure – Related to the right to object, data subjects have the right to be forgotten and to have their information removed on request. Such a request must be acted on without undue delay unless one of the Regulation's exceptions applies, for example where the data must be kept to meet a legal obligation. In addition, data should be retained only for as long as it is needed and then purged from all systems. On the current understanding of the rules, that can include backup and archive copies of customer records, so retention and deletion procedures must cover those copies too.
- Transfer – Personal data may leave the EU only on a lawful basis. A transfer occurs as soon as data crosses the boundary of the EU (28 member states at the time of writing) or of one of the 11 countries the European Commission has recognized as providing "adequate" data protection. For any other destination, safeguards such as standard contractual clauses or binding corporate rules must be in place with the recipient and passed down the chain to any sub-processors, or a narrow derogation must apply. The unifying theme throughout the GDPR requirements is the security of data.
Organizations can effectively meet those requirements only if they can answer these three questions:
- To ensure proper data mapping, does my organization have visibility as to where all our data lives?
- Can my organization protect and secure that data, so that our data processors and their sub-processors can access no more of it than their contract requires?
- Can my organization proactively apply policy to that data in all the places that it lives, up to and including data erasure?
What should business teams be doing, beyond what IT does?
- In order to secure something, you have to be able to see it. This visibility comes from knowing where that asset lives, as well as all the authorized and unauthorized copies of that asset data. In legacy data center environments, that visibility was fairly simple to maintain.
- As more line-of-business applications move into the cloud, and more users access their cloud apps from phones and tablets as well as endpoint PCs, the spread of data represents a bigger risk. For long-term compliance with GDPR, an organization must be able to track such data as it spreads, so that the data can be protected and adequate records of where customer data is stored can be compiled. Cloud-based services can help an organization build these records and keep them up to date automatically, which is much harder to achieve with internal platforms alone.
What is the deadline and what are the penalties?
- Full compliance is required by 25 May 2018.
- Penalties: under GDPR, organizations in breach can be fined up to 4% of annual global turnover or €20 million, whichever is greater.
This is where we can help. We have created packages that will help you:
- Prepare your online business
- Ensure processes are being followed internally
- Make sure your website is up to scratch and meets the requirements
- Most importantly, make sure your DATA handling follows the GDPR criteria
- Make sure your employees understand what they can and cannot do
- Ensure that policies and procedures are followed
GDPR Compliance and Support Packages
Take a look at our packages below. If you would like NEXA to assist with an internal audit and to help implement policies and procedures within your business, we can definitely help; please fill in the enquiry form below to contact us.