BY Stephen Cavey | 3 April 2020
Enforceable since 2018, the General Data Protection Regulation (GDPR) requires companies across the European Union (EU) to protect the privacy of, and safeguard the data they keep on their employees, customers and third-party vendors—also referred to as data subjects. Companies are under legal obligation to keep the information of their data subjects safe and secure.
GDPR shepherded in a new era of data privacy law that offers a much higher level of protection for EU citizens and their data. Since its inception, GDPR has become the model for many other privacy laws now in effect around the world. Similar data protection security standards are being adopted in Brazil, China, Japan and many other nations, including the US implementation of the California Consumer Privacy Act (CCPA) in January 2020 and the California Privacy Rights Act (CPRA) which will go into effect in 2023.
Under GDPR, companies are no longer permitted to be as negligent with personal data. This security standard has forever changed how the personal information of data subjects is protected—and for the better. Companies who carelessly allowed personal data to be lost are now accountable for the security and careful management of personal EU citizen data.
Any company that markets or sells goods to EU citizens, regardless of location, is subject to the GDPR. More specifically, companies that are required to comply with the GDPR include:
GDPR guidelines apply to any enterprise, inside the European Economic Areas, that processes personal information—regardless of its location and the citizenship or residence of its data subjects. The European Economic Areas consist of the Member States of the EU and three countries of the European Free Trade Association (Iceland, Liechtenstein and Norway; excluding Switzerland).
If your business offers services or products to EU citizens in Europe, then you are subject to GDPR guidelines. Because of this, businesses must appoint a Data Protection Officer (DPO) who is solely in charge of GDPR compliance.
GDPR has a specific set of regulations that deal with the definition of personal information— any data that can be used to clearly identify an individual. Some examples include national insurance numbers in the UK, mailing addresses, email addresses and phone numbers. The scope has grown considerably and now includes IP addresses, login ID details, social media posts and digital images, as well as geolocation, behavioural and biometric data, which is now all considered to be Personal Identifiable Information (PII).
Here is a breakdown of some GDPR basics to know:
GDPR is not for the faint of heart. Its data protection guidelines are dense—there are 11 chapters and 91 articles in total. However, the following articles are arguably the most important to know:
It’s important that your company review GDPR guidelines carefully with the help of a legal advisor or legal counsel. The key takeaway is that GDPR has serious implications for non-compliance. Taking the time to plan for and address each of the measures applicable to your business is worth the extra effort.
GDPR is based on seven principles that establish how personal data should be managed, and guide how to implement compliance measures to meet GDPR guidelines.
DPOs are responsible for complying with these seven principles. They are also accountable for the processing of the regulations and must be able to demonstrate a company’s compliance.
Companies are required to comply with a data subject’s request for access to their data no later than one month after receiving it. If the request is received digitally, a response needs to be provided in a commonly used file format, such as CSV, XML or JSON.
In the event of a data breach, all affected parties must be notified in no more than 72 hours. All data breaches must be reported to GDPR regulators, and even small quantities of data loss or minor cybersecurity issues must be communicated within the specified timeframe.
Strong penalties have been outlined for failing to comply with GDPR guidelines. Fines can be as high as 4% of the company’s global yearly revenue or 20 million Euro, whichever sum is the greatest.
With more and more data protection guidelines being implemented, it is a continual challenge to keep pace and fully comply with fast-changing global security and privacy standards. Companies need to take a data-centric approach to secure data directly and make sure they don’t expose it to potential threats. Understanding what personal data you have and where it is will allow you to put processes in place to protect the vast amounts of data that you store, process and collect.
Technology such as Enterprise Recon enables you to quickly and easily discover, remediate and report on more than 300 predefined and variant personal data types across multiple systems, and makes compliance much easier to achieve. With Enterprise Recon, you have the information you need to take measures to ensure personal data is appropriately secured.
At Ground Labs, we work closely with our customers to help them navigate the ins and outs of GDPR’s data protection guidelines and many other data security standards. We’d be happy to help identify the areas of GDPR you need to address and customize a strategy that can take care of the first step of complying—finding personal data across your systems.
Ready to mitigate your company’s risk? Request a demo with one of our experts.
Share this article!
Want to keep up with all our blog posts? Subscribe to our newsletter!
As companies all around the world continue have large portions of their workforce remote, the need to keep their data safe and protected is even more critical. To help companies navigate this new reality and mitigate security risks, we are providing a 90-day complimentary version of our flagship solution—Enterprise Recon. Learn more about it here.
Please submit the form below and we’ll contact you to schedule a discovery call. Want to skip the email? Go here to schedule a meeting directly on our calendar.