As data breaches become more frequent, individual privacy has become a critical concern for many, and governments have begun adopting regulations that respond to popular sentiment. This is clearly evident in the announcement of the European Union General Data Protection Regulation (EU GDPR).
This new regulation has broad implications for every business. As it is set to replace the two-decade-old EU Data Protection Directive on May 25, 2018, it is imperative that IT managers understand the adjustments they need to make, particularly before they face any legal liability.
The GDPR is being rolled out with the intention of helping EU citizens control their own personal data; the new policy aims to strengthen the controls around how data is collected and stored on servers by both public and private actors.
What does the EU Data Protection Regulation entail?
In order to understand the change better, let’s delve deeper into what the EU Data Protection Regulation is and what guidelines it puts forth for the storage of data and data privacy.
The EU Data Protection Regulation covers the whole of the European continent, thereby creating one central law aimed at enhancing data protection. It replaces the different (and sometimes inconsistent) data protection laws of each country of the European Union, making GDPR compliance easier compared to previous regulations.
Within the constraints of GDPR, companies and businesses alike can expect a series of changes in their internal data control strategies. Following implementation, every business in the EU region will be required to appoint a Data Protection Officer in order to ensure compliance with the Regulation’s norms. GDPR’s purview does not end with the countries within the European Union: it also encompasses companies in other countries which have access to EU residents’ data.
Failure to comply with the rules and regulations of the GDPR can have very heavy consequences for your business. If your business is found to be non-compliant, you can be fined up to €10m or 2% of the annual turnover of your company.
Reading between the lines – GDPR Regulations
As established, organizations and individuals will be extensively covered under the GDPR umbrella; this makes it all the more important to take note of the changes needed. In order to comply with the GDPR, every company needs to take both organizational and technological measures, highlighted below:
- Organizational changes: These changes include hiring or appointing a Data Protection Officer designated to handle personal and sensitive data, as well as administer training and execute GDPR’s Data Protection Impact Assessment (DPIA).
- Technological changes: Technological changes are required to ensure proper data classification, data encryption, data loss prevention, and data transfer limitations, along with incorporating other technologies required by GDPR. This also entails deleting personal data on request of a customer or the parties involved.
The new GDPR rules are directed towards protecting the data itself, not just the privacy of the customers whose data is being stored. Since the expected launch date of GDPR is still 18 months away, organizations and individuals still have enough time to devise data protection strategies and enforce data privacy as per the new GDPR guidelines.
GDPR’s compliance requirements
Requirements laid out by GDPR include:
- Compliance with the GDPR: Organizations have to be in sync with the compliance rules of the GDPR to prevent data loss or security breaches. This can be accomplished by following the organizational and technological measures listed above. Such measures, if followed to a tee, will help reduce the severity of fines which might result from non-compliance.
- Increased levels of consent: Organizations need to gain the consent of the people whose personal information they are storing. The consent needs to be received “by a statement or by a clear affirmative action.” People whose information is stored retain the power to withdraw their consent at any time, after which their personal data can no longer be stored on any company servers.
As per GDPR’s new rules, businesses have to get an explicit opt-in from customers before being able to gather their data. Since emails are often more personal than professional, they are of more value to cyber criminals than to organizations. Keeping this in mind, it’s imperative to treat email archives as sacred and go to any lengths to protect the data. Always. Email marketers will only be allowed to mail customers who have opted in to receiving messages. At the time of subscription, subscribers have to be provided with the details of the brand collecting the information and the purpose for which it is being collected.
- Notification of security breaches within 3 days: As soon as an organization holding EU citizen data is made aware of a security breach, it is under an obligation to report it to EU authorities within 72 hours of the breach. This means there is an imminent need to report any security breach to the designated Data Protection Officer without further delay. The nature of the breach, along with the individuals or customers impacted, must also be reported to the Data Protection Officer.
- Getting consent to move personal data from one organization to another: Personal data, as and when required, can be moved from one organization to another with the prior consent of the people concerned. This transfer has to be in “a structured, commonly used and machine-readable format”.
- Right of data scrubbing: Individuals whose data is held by any organization have the right to ask for erasure of that data. This means that all traces of the data will need to be removed from all possible sources when requested by the relevant party. There are some exceptions to this rule, wherein the right to erasure does not apply. Exceptions include, but are not limited to:
- To exercise the right of freedom of expression and information;
- To comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
- For public health purposes in the public interest;
- Archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- The exercise or defence of legal claims.
GDPR and Email Security
With email proving to be the first point of entry for many cyber attacks, data loss prevention and other security measures are crucial when it comes to data protection. A robust email security service is absolutely necessary to enhance protection and maximize compliance with GDPR.
A few of the necessary elements of an email security solution for successful GDPR compliance include:
- Advanced Threat Protection: Protect your organization from malicious URLs, attachments, phishing attacks, imposter emails, BEC attacks and other common attacks that compromise customer data.
- Email Encryption and Data Loss Prevention: Automatically encrypt emails that contain sensitive personal data such as credit card numbers, social insurance numbers, health reference numbers and other data that could be inappropriately or inadvertently shared, so that your organization is not at risk of losing sensitive information or being fined in the process.
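As an added illustration of the "detect, then encrypt" DLP step described above (example code written for this article, not part of any email security product), the following scans outbound messages for card numbers and a health reference, and returns the policy action for each. The sample messages, the Luhn-filtered card pattern and the `PID-` health-reference format are constructed assumptions for the example.

```python
import re

# Constructed sample outbound messages (not real data) for the DLP check.
SAMPLE_MESSAGES = [
    "Hi, the card on file is 4111 1111 1111 1111, expiry 12/29.",  # passes Luhn
    "Tracking ref 1234 5678 9012 3456 dispatched today.",         # fails Luhn
    "Patient record PID-482913 attached for review.",             # health reference
    "Lunch tomorrow at 12?",                                      # nothing sensitive
]

# Digit runs of card length, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Hypothetical health-reference format assumed for this example.
HEALTH_REF = re.compile(r"\bPID-\d{6}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: drops digit runs (tracking ids, phone numbers) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def classify(message: str) -> dict:
    """Return detector hits and the policy action for one message."""
    findings = {}
    cards = find_card_numbers(message)
    if cards:
        findings["credit_card"] = len(cards)
    refs = HEALTH_REF.findall(message)
    if refs:
        findings["health_reference"] = len(refs)
    # Policy: any personal-data hit forces encryption before the mail leaves.
    return {"findings": findings, "action": "encrypt" if findings else "send"}

def scan_outbox(messages=SAMPLE_MESSAGES) -> list:
    """Policy action per message, in order: encrypt / send."""
    return [classify(m)["action"] for m in messages]
```

Real deployments add detectors for the other data classes the article lists and log every "encrypt" decision, since that log is what shows a regulator that the control actually operated.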
With the launch of GDPR approaching, many changes are coming for IT managers at every type of company. As these changes take effect, the way personal data is stored and protected will have to change, and every individual or company dealing with EU citizens’ personal data will have to use an advanced email security solution to maximize their confidence in compliance with GDPR.
To learn more about an email security solution that can help you ensure GDPR compliance, click here to discover modusCloud.