The year 2017 is on its way to becoming the worst year in our history for cyber attacks. From threats that begin internally to creative ransomware and onward to the vast industrial Internet of Things, businesses and security experts all agree that this year there are going to be more creative and devastating attacks than ever before.
To combat these cyber attacks, the General Data Protection Regulation (GDPR) was formulated by the European Union in January 2012. The plan grew out of an EU directive adopted in 1995, the Data Protection Directive, which regulated the processing of personal data within the European Union.
The GDPR is due to take effect on 25th May 2018. It imposes new rules on companies, government agencies, non-profits and other organisations that offer goods and services to people living in the European Union, or that collect and analyse data associated with EU residents.
If a business or organisation collects, hosts or analyses the personal data of EU residents, the GDPR requires it to guarantee that it can implement all of the GDPR requirements.
The GDPR requires organisations controlling or processing personal data tied to EU residents to use only third-party data processors designed to meet the GDPR's requirements for processing personal data.
The GDPR data protection authorities are still in the process of putting the final touches to the regulations and intend to approve more specific certification mechanisms, codes of conduct, and standardized clauses.
Encryption is treated by the GDPR as a protective measure that renders personal data unintelligible to anyone who obtains it through a breach. Whether or not encryption was used affects the breach-notification requirements. Additionally, the GDPR regards encryption as a technically or organisationally appropriate measure in certain cases.
The GDPR applies to “controllers” and “processors”. A controller is an entity that determines how and why personal data is processed. Processors act on the controller’s behalf. The GDPR requires a processor to maintain records of personal data and processing activities, and makes it liable for penalties if it is responsible for a breach.
A controller, however, is not relieved of its obligations where a processor is involved. The GDPR also places obligations on controllers to ensure that their contracts comply with the regulations.
The GDPR applies to “personal data”, including online identifiers such as an IP address. The regulations apply to both automated data and manual filing systems in which personal data are accessible.
Personal data is defined by the GDPR as any information relating to an identifiable person. It can include the following:
More sensitive personal data is also included in the GDPR definition, such as genetic and biometric data processed to uniquely identify a person. Personal data relating to criminal convictions and offences is not included in the definition, but the regulations build in extra safeguards that apply to its processing. Personal data should be:
GDPR will apply in the UK from 25th May 2018. The GDPR contains hundreds of requirements concerning the collection, storage and use of personal information and how businesses should identify and, importantly, secure personal data. It also directs how businesses should detect and report breaches of personal data and how to train employees and personnel.
If a business fails to comply with the GDPR regulations, it could face substantial fines and harm to its reputation.
The GDPR gives residents of the EU control over their own personal data through “data subject rights.” A company can be fined up to €20 million (approximately £17 million) or four percent of its annual world-wide turnover, whichever is greater. These rights include the following:
The GDPR defines lawful processing as processing that has a lawful basis, such as the consent of the data subject, the necessity of processing for the performance of a contract, a legal obligation, or the protection of the vital interests of the data subject or another person. Processing is also lawful when it is necessary to carry out a task in the public interest or in the exercise of official authority.
The GDPR requires that consent be freely given by an affirmative action, and be specific, informed and an unambiguous indication of the individual's wishes. Consent cannot be inferred from silence and must be separate from any other terms and conditions.
The GDPR provides the following rights for individuals:
In most respects, the GDPR simply enforces the principle that individuals are in charge of how their own data is used. Many organisations have already benefited from adopting similar privacy notices that give their customers real control over the destiny of their data.
Those who have not braced themselves for the growing cyber attack menace may soon find themselves forced to pay attention by consumers, privacy activists, and the regulations of the GDPR.