BY Niall Rooney | 12/12/2018
GDPR requires companies across the EU to protect the privacy of, and safeguard the data they keep on, their employees, customers and third party vendors. Companies are now under legal obligation to keep this personally identifiable information (PII) safe and secure. But first, we need to understand what PII is.
PII, or Personally Identifiable Information, is any data that can be used to clearly identify an individual. Some examples that have traditionally been considered personally identifiable information include national insurance numbers in the UK, your mailing address, email address and phone numbers. As technology has improved, the scope of PII has grown considerably and now includes IP addresses, login ID details, social media posts and digital images, as well as geolocation, behavioural and biometric data.
Companies are now faced with more security and privacy challenges than ever before. GDPR lays out a specific set of regulations that deal with this broad and expanding definition of PII. For a clear understanding of the specifics of the General Data Protection Regulation (GDPR), check out the link to find out whether you store or process PII on EU citizens, what steps you have to take to become compliant, and where to get started.
GDPR also references sensitive personal data. The legislation requires organisations that store this kind of data to ensure that it is kept securely via encryption and meets several strict compliance requirements.
The new regulations are firmly putting the consumer in the driving seat, and placing the onus of compliance, and proving said compliance, on the companies and organisations that collect and handle that data. No action means non-compliance which isn’t an option for any business that wants to do business in the EU, either now or in the future.
Listed below are some common questions about how the GDPR will impact your business:
Under the GDPR, Personally Identifiable Information (PII) now includes IP addresses. It also includes:
EU citizens now have more rights and policies in place to ensure their data is kept securely. Organisations must have a lawful purpose to store and process the sensitive personal data of a data subject. There must be a documented record of explicit consent from the individual regarding what data is being collected, for how long, and what it is being used for.
If an organization that stores data does not have the correct processes in place to manage it in a secure manner, then citizens have the lawful right to request that their information is securely deleted.
Organisations must maintain detailed records of when consent to store data was given and of the security precautions in place, and they must notify individuals if their data is being used and the manner in which it is being processed.
In the event of a data breach, all affected parties must be notified within 72 hours. All data breaches must be reported to GDPR regulators, and even small quantities of data loss or minor cyber incidents must be communicated within the specified time frame.
GDPR applies to every single business and organisation within the EU. Even if your business is located outside the EU but still offers services and products to EU citizens in Europe, you are subject to its rules. For this reason, businesses must appoint a Data Protection Officer who is solely in charge of GDPR compliance. Strong penalties have been outlined, with fines as large as 4% of the organisation’s global yearly revenue or 20 million Euro, whichever sum is greater. The biggest data breaches and the shocking fines (that would have been) shed light on the potential harm a data breach could do to a business that does not adhere to GDPR. This is no longer purely an IT issue. The implications for the whole business must be communicated from management down, especially with regard to the way companies handle marketing and sales data.
The conditions around obtaining consumer data are stricter under the GDPR than ever before, because the data subject can withdraw their consent at any time and the onus is on the company to obtain separate consents for different processing activities. This means that companies will have to prove that the individual agreed to a certain action, for example, to receive their monthly newsletter. It is no longer enough to assume consent or add a disclaimer, and simply providing an opt-out is not sufficient. Sales and marketing teams now have to change how they operate, which will result in significant changes to business policies, procedures and forms to make sure they comply with double opt-in rules and email marketing best practices.
Ground Labs’ mission is to help companies of all sizes, from multinational telcos to local SMEs, to discover where in their networks they have sensitive data that could put them at risk if they were to suffer a data breach. Enterprise Recon, our forensic data discovery tool, can natively search across your operating systems, servers, databases, workstations, cloud and email, putting you back in control of your customer and employee data. Enterprise Recon has been designed with global compliance standards in mind, helping you to find over 200 types of PII and giving you powerful remediation options to protect that data.
The definition of personal data has now expanded to include a customer number in a cookie, a device ID or an IP address, to name a few. It is extremely unlikely that your organisation does not process personal data of any kind. Remember that GDPR clarifies and defines personal data far better than its predecessor, and it incorporates far more than the American conception of PII. Ultimately, there is now more personal data in scope that you need to protect, so the responsibility is greater.
It is becoming more challenging to comply with global security and privacy standards. Utilising solutions and technologies like Enterprise Recon enables you to accurately discover and remediate personal data, and makes it much easier to achieve compliance.
Companies need to take a data-centric approach, securing data directly and making sure they do not expose it to potential threats. Understanding what data you have and where it is will allow you to put processes in place to protect it; you will be surprised by the vast amount of personal information you store, process and collect.
Ready to start protecting your organization’s PII? Book your free risk assessment with one of our data experts.