GDPR is “Disrupting” Privacy Exploitation
The EU GDPR (General Data Protection Regulation) represents the most significant change to data protection laws in the EU since 1995, aiming to unite data protection regulations across the entire EU.
The EU GDPR replaces the existing Data Protection Directive (95/46/EC). Some of its most noteworthy changes are:
- The requirements imposed upon “joint controllers” (multiple businesses that jointly utilize personal data)
- The inclusion of non-EU businesses that store or process personal data of EU residents
- More extensive data security demands (technical, organizational and management processes)
- Enhancements in the areas of transparency, consumer notification, documentation and accountability
- The severity of fines and criminal prosecution that will be enforced on offending organizations (penalties of up to 4% of global revenues or €20 million and possible prison sentences)
The EU GDPR is expected to be officially adopted by all EU member states in mid-2018, so all companies (European or otherwise) that store or process the personal information of EU residents need to start preparing now for compliance with the new Regulation.
A Guide to EU GDPR Concepts
Here is a glimpse into some of the key components of the EU GDPR that you should already be thinking about:
“Personal data” redefined – The EU GDPR expands the meaning of Personally Identifiable Information (PII) to include any information that can uniquely identify (directly or indirectly) a particular person (e.g. name, identification number, phone number, photograph, email address, IP address, browser cookie).
Appointing a data protection officer – Any public authority (other than a judicial court) or organization that processes PII on a large-scale, ongoing basis is required to appoint a data protection officer to be responsible for monitoring and advising on compliance, training staff, and processing requests from individuals regarding their personal data.
Privacy management – A “risk-based approach” to privacy protection has been stipulated by the GDPR, meaning that deployed controls must reflect assessments of the degree of risk associated with each data collection and processing activity.
Transparency and consent – Individuals must be provided with detailed, accessible information at the time their personal data is collected, including the reasons for collection, the legal basis, how long the data will be retained, whether the data will be transferred to a third party or to another country, how to withdraw consent for the data being held and the identity and contact details of the entities that will be storing and processing the personal data. Organizations must obtain consent to process PII, be able to demonstrate when and how this consent was granted and provide an easy way for individuals to withdraw their consent.
Profiling to become a greater challenge – Individuals have the right to block automated analysis of their personal data for the purpose of determining additional information about them (e.g. health status, personal preferences, behaviors, location and movements).
Quick confession of a breach – A breach of personal data is defined as being the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” In the event of discovering a breach, an organization is obligated to report the incident to the relevant supervisory authority within 72 hours. If the breach “is likely to result in a high risk to the rights and freedoms of individuals,” the organization must also notify the affected individuals.
With the enforcement of the new EU GDPR, organizations will need to assess and re-assess their security culture, processes and tools in order to meet compliance requirements. The outcome is sure to better safeguard the privacy rights of individuals and to equally enhance security hygiene and culture for organizations that store or process PII.
To get a better understanding of the new GDPR and learn how ObserveIT’s User Behavior Monitoring and Analytics Solution can help you meet multiple GDPR requirements, download this informative whitepaper.