The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. Over those 20 years, advances in technology have given users products, tools and devices that make data easy to access, and have made enterprise data protection far more complicated.
CIOs need to pay attention to this regulation: under GDPR, an organization in breach of it can be fined up to 4% of annual global turnover or €20 million, whichever is greater. So if you lead a business with $1 billion in turnover, a violation can cost you up to $40 million.
Take Equifax, with roughly $3 billion in revenue. Had its breach occurred after May 25th, 2018, the maximum fine would have been 4% of $3 billion, or $120 million, on top of the brand damage, the congressional hearings and the roughly 30% fall in its stock price (EFX).
Fines are tiered. A lower tier of up to 2% of turnover (or €10 million) applies to, for example, not keeping records of processing activities in order (Article 30), not notifying the supervisory authority and the data subjects about a breach, or not conducting a data protection impact assessment. The 4% tier applies to breaches of the core principles, of data subjects' rights and of the rules on international transfers.
Key GDPR articles –
Article 4 defines data controllers and data processors which are the crux of the regulation.
(7) ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
GDPR treats the data controller as the principal party for responsibilities such as collecting consent, managing consent withdrawal, enabling the right of access, etc. A data subject who wishes to withdraw consent for his or her personal data therefore contacts the data controller to initiate the request, even if the data lives on servers belonging to the data processor. The data controller, upon receiving this request, then instructs the data processor to delete the data concerned from its servers. Because the controller answers for the processor's handling of the data, the contract between them (Article 28) should spell out how such deletion requests are passed on, confirmed and evidenced.
Controllers and processors also have an obligation to regularly test, assess and evaluate the effectiveness of their technical and organizational security measures (Article 32(1)(d)).
Security and breach reporting requirements are covered in Articles 32-34 of the GDPR.
- 32 GDPR Security of processing (appropriate technical and organizational measures, such as pseudonymisation and encryption, the ability to restore availability after an incident, and regular testing of those measures)
- 33 GDPR Notification of a personal data breach to the supervisory authority (without undue delay and, where feasible, within 72 hours of becoming aware of it; the processor must notify the controller without undue delay)
- 34 GDPR Communication of a personal data breach to the data subject (without undue delay when the breach is likely to result in a high risk to their rights and freedoms)
Which companies does GDPR affect?
Any company that stores or processes personal data of individuals in the EU must comply with the GDPR, even if it has no business presence within the EU (Article 3). Note that the test is where the data subject is, not citizenship.
Reminder: the clock is ticking. The compliance deadline is May 25th, 2018.
Ovum analyst report: "When we asked about the pending European Union (EU) General Data Protection Regulation (GDPR), 52% said they think it will result in business fines for their company, and two-thirds expect it to force changes in their European business strategy." https://www.ovum.com/analyst-opinion-gdpr-will-force-changes-in-strategy/
Next blog: Prepare for GDPR #2