General Data Protection Regulation (GDPR)

May 25th 2018 is right around the corner, are you ready?

The aim of the General Data Protection Regulation (GDPR) is to create a uniform level of data protection across the European Union (EU). Before the regulation becomes enforceable, organizations must ensure they comply with its requirements. GDPR applies to any organization that processes the personal data of individuals in the EU, and it gives those individuals enforceable rights over their data, including the right to be told about breaches that put them at high risk.

GDPR doesn’t just apply to companies in the European Union; organizations outside the EU that offer goods or services to individuals in the EU, or that monitor the behaviour of individuals in the EU, are also subject to the regulation.

GDPR was approved and adopted in April 2016, and will be enforceable starting May 25th 2018.

ISMS Solutions is uniquely positioned to help organizations become GDPR compliant. To schedule a conversation and see how ISMS can help, click here.

If you process any of the data types below, you’re required to be GDPR compliant:

  • Basic identity information such as name, address and ID numbers
  • Online identifiers such as location data, IP addresses, cookie identifiers and RFID tags
  • Health and genetic data
  • Biometric Data
  • Racial or Ethnic Data
  • Political Opinions
  • Sexual Orientation

Watch out for massive fines!

Where organizations fail to comply with the GDPR requirements, fines can reach up to €10 million or 2% of the organization’s worldwide annual turnover for the preceding financial year, whichever is higher. For more serious infractions, penalties can reach up to €20 million or 4% of worldwide annual turnover, whichever is higher. Under certain circumstances, the GDPR also obliges organizations to appoint a Data Protection Officer (DPO). The DPO may be a full-time employee or work under a service-based contract.


Are you DPA Compliant? If so, you still have some work to do.


In 1998 the UK passed the Data Protection Act (DPA), which implemented the EU Data Protection Directive of 1995 in UK law. The DPA 1998 is superseded once GDPR becomes enforceable.


Scope
The DPA applied only to organizations established in the UK, while GDPR applies to any organization that holds or processes the personal data of individuals in the EU, regardless of whether the organization is based in the EU or not.
Opt-In
The DPA allowed opt-out consent, whereas under GDPR organizations may send marketing e-mails only to people who have actively opted in to receive them.
Fines
The DPA carried fines of up to £500,000. GDPR fines can reach up to €20 million or 4% of worldwide annual turnover, whichever is higher.
Personal Data Requests
Under the DPA, organizations were allowed to charge a reasonable fee for subject access requests, and erasure could only be obtained through the courts. Under GDPR these requests are free in most cases (a fee may be charged only where a request is manifestly unfounded or excessive), and individuals have an explicit right to ask for their data to be erased.
Breach Reporting
Under the DPA, reporting a data breach was only required where the breach was also covered by the Privacy and Electronic Communications Regulations (as amended in 2011), which applied to telecoms and internet service providers. Under GDPR, any breach likely to result in a risk to the rights and freedoms of individuals must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; where the risk is high, the affected individuals must be informed as well.

Additional GDPR Insights

Requirements of GDPR Include:

  • Data Control
  • Data Security
  • Right to Erasure
  • Risk Mitigation & Due Diligence
  • Breach Notification

Additional Personal Data Requirements Include:

  • Processed lawfully, fairly and in a transparent manner
  • Collected only for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and kept up to date
  • Kept in a form that permits identification for no longer than is necessary
  • Processed in a manner that ensures appropriate security of the personal data

Be prepared for May 25th 2018!

We here at ISMS Solutions believe that compliance doesn’t just stop at the water’s edge. To truly become compliant you have to understand your risks, your obligations, and most of all the potential impact of non-compliance. In that light, GDPR falls right into our sweet spot and is grouped in our Information Security family, which also consists of NIST 800-171 Compliance and ISO 27001 Certification.


Our partnership with NSF International can help provide you with all the necessary tools to assess, update, and meet the requirements. For more information on how we can help your organization become GDPR compliant, click below.


Contact a Specialist