What is GDPR?
The European Parliament adopted the GDPR in April 2016, replacing an obsolete data protection directive from 1995. It contains provisions requiring companies to protect the personal data and privacy of European citizens for transactions occurring within the EU. The GDPR also controls the transfer of personal data outside of the EU.
The provisions are consistent across the 28 EU member states, which means that companies have only one standard to meet within the EU. However, this standard is quite high and will require most companies to make a large investment to meet and manage it.
Why does GDPR exist?
The short answer to this question is the public interest in privacy. Europe, in general, has established stricter rules on how companies use its citizens’ personal data. The GDPR replaces the EU Data Protection Directive, which came into force in 1995, before the Internet became the online shopping center it is today. Public concern about privacy is significant and grows with each new high-profile data breach.
The lack of trust in the way companies process their personal information has led consumers to take their own countermeasures. According to the report, 41% of respondents said they intentionally falsified data when signing up for online services. Security concerns and the risk of their data being resold were among their main worries. The report also shows that consumers will not easily forgive a company for a breach exposing their personal data: seventy-two percent of US respondents said they would boycott a company that seemed to ignore the protection of their data, and fifty percent of all respondents said they would be more likely to buy from a company that could prove it was taking data protection seriously. The report concluded that as companies continue their digital transformations, making greater use of digital resources, services, and big data, they should also be responsible for monitoring and protecting this data every day.
Time is running out to meet the deadline, so CSO has compiled what any company needs to know about the GDPR, along with suggestions to meet its needs. Many of the requirements are not directly related to information security, but the processes and system changes required for compliance could affect existing security systems and protocols.
What types of privacy data does the GDPR protect?
- Basic information on identities, such as name, address, and identification numbers
- Web data such as location, IP address, cookie data, and RFID tags
- Health and genetic data
- Biometric information
- Racial or ethnic data
- Political opinions
- Sexual orientation
Which companies does the GDPR affect?
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a commercial presence in the EU. The specific criteria for companies that must comply are:
- A presence in an EU country.
- No presence in the EU, but the processing of personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees, but processing of data that affects the rights and freedoms of the individuals involved, is not occasional, or includes certain types of sensitive personal data. This basically means almost all companies. A PwC survey showed that 92% of companies in the United States believe that the GDPR is one of their main data protection priorities.
How does GDPR influence third-party and customer contracts?
The GDPR imposes the same responsibility on data controllers and data processors. If a third-party processor does not meet the requirements, your organization is not compliant either. The new regulation also sets strict rules for reporting breaches, which every member of the processing chain must be able to comply with. Organizations must also inform customers of their rights under the GDPR.
“The biggest exercise is on the side of home acquisitions: their external suppliers, their sourcing relationships that process data on their behalf,” says Mathew Lewis, global head of banking and regulatory practices at the legal service provider Axiom. “There is a whole group of suppliers who have access to this personal data and GDPR clearly states that it must ensure that all third parties adhere to GDPR and process the data accordingly.”
Contracts with customers should also reflect regulatory changes, says Lewis. “Contracts with customers take a variety of forms, whether they are online clicks or formal agreements where you commit to seeing, accessing and processing data.”
Before these contracts can be reviewed, business leaders, IT departments, and security teams must understand how data is stored and processed and agree on a compatible reporting process. “The technology groups, the CISO, and the data governance team require considerable effort to understand which data fits the company, where it is stored or processed and where it is exported outside the company,” says Lewis.