What is GDPR?
GDPR is a regulation to protect the personal data and privacy of EU citizens for transactions within 28 member states of EU or even outside. It regulates the exportation of personal data outside EU. Also, it give users more control over how the organizations use their personal data. If companies fail to comply with the rules, they have to pay hefty penalties.What all data does GDPR protect for the users?
Identity information like name, address and ID numbers
- Web data such as location, IP address, cookie data etc.
- Health data and genetic data
- Biometric data
- Racial data or ethnic data
- Political opinions
- Sexual orientation
Why did EU Parliament adopt this regulation?
The users in EU were doubtful on how companies treat their personal data, creating a mistrust in the users. According to the WARC survey, 85% users say they would boycott a company that showed disregard for protecting consumer data.Are you under the risk of GDPR?
Any company that stores or processes personal information of EU citizens within EU states will drop under GDPR. Even if your company does not have a business presence within EU, but processes personal data of EU residents you are under the GDPR. A company with more than 250 employees or less, whose data processing impacts the freedom of data subjects will also be affected. A survey from PwC showed that about 92% of the US companies consider GDPR a top data protection policy.What will the General Data Protection Regulation cost your company?
According to a PwC survey mentioned above, 68% of the US-based companies expect to spend $1 million to $10 million to meet GDPR requirements. Another 9% expect to spend more than $10 million. There’s a huge group of third party vendors that have access to this personal data across the globe. GDPR made it very clear that the companies need to ensure that all their third party vendors adhere to GDPR and process the data accordingly.The client contract must reflect the regulatory changes such as:
- Regulatory fines: EU is long known about its willingness to levy steep fines for regulatory non-compliance. In case a data breach is reported, not having contracts in place might work drastically against the company.
- Operational: Have you decided the plan of action or the data flow with the third-party vendors? If not, it is not clear how you will be operating under GDPR.
- Vendor management: According to GDPR, you must know how your vendors operate, what security framework they use, and how they process the user data. Without such critical knowledge, you don’t know the risk they present.
Implications to breach of contract:
In case of non-compliance with GDPR a company can be penalized up to €20 million or 4 percent of global annual turnover, whichever is higher. The question is how the penalties will be assessed? According to the agreement, the regulators will swiftly act on a few companies found to be not in compliance with the GDPR to send out a message. This will help organizations to assess the penalties related to GDPR. The companies must report data breaches to supervisory authorities and individual affected by a breach within 72 hours of threat detection. The GDPR requirements will also force the companies to change they way they process, store and protect user’s personal information.Are you ready with a robust data protection framework?
Here is what you need to do:- Involve all the stakeholders — Just IT cannot set-up a data security infrastructure. Get hold of anyone and everyone in your organization who collects client’s information.
- Conduct a session for all your stakeholders in the process — Explain your stakeholders what is the importance of GDPR and how can it make a change in the organization’s process. Tell about the consequences and how regulation can affect the company.
- Create a data protection plan — Many companies have already created a data protection plan, but it’s time to review them once again.
- Identify risks on EU data that mobile devices can present
- Implement risk-based conditional access policies
- Prepare GDPR’s “72 hours threat notification” process
- Apply powerful security features around data transfer.
