
Understanding GDPR

The General Data Protection Regulation (GDPR), the new European privacy regulation, officially went into effect on May 25th, 2018.

This regulation strengthens and unifies data protection for all individuals within the EU and also applies to companies anywhere in the world that offer goods or services to, or hold personal data about, individuals in the EU. It provides individuals in the EU and EEA with greater control over their personal data and with assurances that their information is being protected appropriately.

What Data is Covered by GDPR?

According to the GDPR, personal data is any information relating to an identified or identifiable person: a name, a photo, an email address, banking information, location details, or a computer IP address.

However, that’s not all the GDPR is intended to safeguard. This legislation also protects user-generated data such as social media posts (including individual tweets and Facebook updates), as well as personal images uploaded to any website. GDPR also covers medical records and other personal information commonly transmitted online.

Essentially, this regulation protects personal data regardless of the platform on which it is collected or processed.

Who will this impact?

The GDPR not only applies to organizations located within the EU but also to organizations located outside the EU if they offer goods or services to, or monitor the behaviour of, individuals in the EU. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Yes, even if you are located in the United States.

Your company can be fined up to 4% of annual global turnover or €20 million, whichever is higher, for breaching GDPR. These rules apply to both controllers and processors. Cloud service providers are not exempt from this enforcement.

How EPC Group Can Help

There are many things a company has to do in order to be compliant with GDPR. If you have yet to take the next step towards compliance, here are just a few ways EPC Group can help you get started.

Map your company’s data

Map where all of the personal data in your business comes from and document what you do with it. Identify where the data resides, who can access it, and what risks to the data exist.

Determine what data you need to keep

Don’t keep more information than necessary and remove any data that isn’t used. If your business collects a lot of data without any real benefit, this may be a time for a more disciplined approach.

Ensure that security measures are in place

EPC Group can implement safeguards throughout your infrastructure to help prevent and contain data breaches. This means putting security measures in place to guard against breaches, and being ready to notify the supervisory authority and affected individuals promptly if a breach does occur. Outsourcing processing to a third party does not exempt you from being responsible and liable.

Review your documentation

Under GDPR, where you rely on consent as the legal basis for processing, individuals have to consent explicitly to the collection and processing of their data. Pre-checked boxes and implied consent are no longer acceptable. You will have to review your privacy statements and disclosures and adjust them where appropriate.

Establish new procedures for handling personal data

As we mentioned earlier, individuals have new rights under GDPR.
You will need to establish policies and procedures for how you will handle each of these situations.
For example:

  1. How will individuals give consent in a legally valid manner, and how will you record it?
  2. What is the process if an individual requests that their data be deleted?
  3. How will you ensure that deletion is carried out across all platforms and that the data is entirely removed?
  4. If someone wants their data transferred, what is the correct way to accomplish that?
  5. How will you confirm the identity of the person requesting to have their data transferred or deleted?
  6. What is the communication strategy in case of a data breach?
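The procedures in the list above translate into a small amount of code once you have decided on the answers. The following is an added example, not EPC Group's code or any part of the original page: a minimal request handler that records explicit consent with its source, checks the requester's identity before acting, exports a subject's data from every registered system in a machine-readable form, and verifies erasure by re-reading each system rather than trusting the delete call. The store names, the HMAC request token and the read-only archive are assumptions made for illustration.

```python
"""Added example of data-subject request handling (consent, identity check,
portability export, verified erasure). Hypothetical code; store names, the
HMAC token scheme and the read-only archive are illustrative assumptions."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    granted: bool
    recorded_at: str
    source: str  # how consent was captured, e.g. "signup-form-v3"


class Store:
    """One system that holds personal data (CRM, mailing list, ticketing ...)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._rows: dict[str, dict] = {}

    def put(self, subject_id: str, record: dict) -> None:
        self._rows[subject_id] = record

    def get(self, subject_id: str) -> dict | None:
        return self._rows.get(subject_id)

    def delete(self, subject_id: str) -> None:
        self._rows.pop(subject_id, None)


class ReadOnlyArchive(Store):
    """Assumed failure mode: an archive whose delete silently does nothing."""

    def delete(self, subject_id: str) -> None:
        return None


class DataSubjectRequests:
    """Consent, access/portability and erasure across every registered store."""

    def __init__(self, stores: list[Store], secret: bytes) -> None:
        self.stores = list(stores)
        self._secret = secret  # assumed per-deployment secret for request tokens
        self.consents: list[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str,
                       granted: bool, source: str) -> ConsentRecord:
        rec = ConsentRecord(subject_id, purpose, granted,
                            datetime.now(timezone.utc).isoformat(), source)
        self.consents.append(rec)
        return rec

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # Only the most recent explicit opt-in counts; no record means no consent.
        for rec in reversed(self.consents):
            if rec.subject_id == subject_id and rec.purpose == purpose:
                return rec.granted
        return False

    def issue_token(self, subject_id: str) -> str:
        """Token delivered to the subject's verified contact channel (out of band)."""
        return hmac.new(self._secret, subject_id.encode(), hashlib.sha256).hexdigest()

    def _check_identity(self, subject_id: str, token: str) -> None:
        if not hmac.compare_digest(self.issue_token(subject_id), token):
            raise PermissionError("identity not verified for " + subject_id)

    def export(self, subject_id: str, token: str) -> str:
        """Portability: everything held about the subject, as JSON."""
        self._check_identity(subject_id, token)
        bundle = {
            "subject_id": subject_id,
            "data": {s.name: s.get(subject_id) for s in self.stores
                     if s.get(subject_id) is not None},
            "consents": [asdict(c) for c in self.consents if c.subject_id == subject_id],
        }
        return json.dumps(bundle, indent=2, sort_keys=True)

    def erase(self, subject_id: str, token: str) -> dict:
        """Erasure across all stores, verified by re-reading each one."""
        self._check_identity(subject_id, token)
        for s in self.stores:
            s.delete(subject_id)
        residual = [s.name for s in self.stores if s.get(subject_id) is not None]
        # Consent records are personal data too; drop them with the rest.
        self.consents = [c for c in self.consents if c.subject_id != subject_id]
        return {"subject_id": subject_id, "complete": not residual, "residual": residual}


def demo() -> dict:
    """Constructed sample: one subject in a CRM, a newsletter list and an archive."""
    crm, news, archive = Store("crm"), Store("newsletter"), ReadOnlyArchive("archive")
    dsr = DataSubjectRequests([crm, news, archive], secret=b"rotate-me")
    crm.put("alice", {"name": "Alice Example", "email": "alice@example.org"})
    news.put("alice", {"email": "alice@example.org"})
    archive.put("alice", {"name": "Alice Example"})
    dsr.record_consent("alice", "newsletter", True, "signup-form-v3")
    token = dsr.issue_token("alice")
    exported = json.loads(dsr.export("alice", token))
    before = dsr.has_consent("alice", "newsletter")
    erasure = dsr.erase("alice", token)
    return {"export": exported, "consent_before": before,
            "consent_after": dsr.has_consent("alice", "newsletter"), "erasure": erasure}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the read-only archive is the erasure report: `erase` does not claim success because every `delete` call returned; it re-reads every store and names the systems that still hold the data, which is what answers question 3 above.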

Conclusion

When the regulation was first announced in 2016, it felt like there was plenty of time for businesses to take the necessary steps. But that time has flown by and many companies are still scrambling, even after the deadline has passed. So, if you haven’t already started your journey, we urge you to give us a call right away and start now.

EPC Group will dedicate time to understanding what your organization needs to do in order to become compliant. We will then create a plan of action so you can ensure that you and your company are compliant sooner rather than later.

EPC Group’s GDPR Infographic

General Data Protection Regulation (GDPR): What You Need to Know

The new EU General Data Protection Regulation (GDPR) is scheduled to come into effect on May 25th, 2018. Both the GDPR and the proposed UK Data Protection Bill will make tremendous changes to how businesses collect, process and make use of an individual’s personal data. Because of this, businesses are now scrambling to see how this will affect the way they do business and how they handle customer information.

The EU GDPR replaces the Data Protection Directive 95/46/EC. It has been designed to protect and empower the data privacy of all individuals in the EU and to change the way organizations across the region approach data privacy. Once in effect, it gives individuals greater control over how, where and for what purpose their personal data is used, and establishes rights that make it easier to access that data, which could be anything from a name, home address or photograph to bank account details or medical information.

GDPR does not apply to personal data processed for national security purposes or by law enforcement. However, alongside the new regulation there is a separate Law Enforcement Directive for police and criminal justice authorities that lays down stringent rules on the exchange of personal data at any level, whether national, European or international.

The Key Aspects of GDPR

The main aim of GDPR is to protect individuals in the EU from misuse of their personal data and from data breaches that can compromise their privacy. Below are the key changes and a discussion of how they will impact individuals and businesses once brought into effect.

  • Impact on Businesses – Increased Territorial Scope. The GDPR has extended jurisdiction: it applies to all companies processing the personal data of individuals residing in the EU, irrespective of where the company is located. Previously, applicability was tied to the place of establishment, which left a lot of ambiguity about the scope of the law. Now it does not matter whether the processing takes place within the EU or not; what matters is that the data subjects reside in the EU.
  • Conditions for Consent – The rules around obtaining consent are more stringent than before. The request for consent must be presented in clear and easily understandable terms, in an easily accessible form, using clear, concise and simple language, and it must state the purpose of the data processing. For a child to consent to processing of their own personal data in relation to online services, they must be at least 16 years of age (member states may lower this threshold to no less than 13). Below that age, processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
  • Heavy Penalty for Non-Compliance – An organization that does not comply with the new legislation can incur a penalty as high as 4% of annual global turnover or €20 million, whichever is greater. One can imagine the amount any large organization (such as Google or Apple) with a huge global turnover could end up paying for serious infringements such as processing personal data without a valid legal basis or violating the core privacy principles.

Data Subject Rights

  • Privacy Breach Notification – Under the new law, a personal data breach must be notified to the supervisory authority within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the affected data subjects, they must also be informed without undue delay, in a notice that clearly describes what has happened.
  • Right to be Forgotten – Also known as the right to erasure. It entitles the data subject to have the data controller delete all of the personal data in their possession and stop any further processing or distribution of the data, subject to limited exceptions such as legal retention obligations.
  • Data Subject Access Requests – Data subjects will be able to submit Data Subject Access Requests to organizations and data controllers, giving them the right to learn whether the organization holds any of their personal data, for what purpose it is held, and how and where it is being processed. The controller must also provide a copy of the personal data, free of charge, in an electronic format where the request is made electronically. The controller must respond without undue delay and in any event within one month of receiving the request, extendable by a further two months for complex or numerous requests.
  • Privacy By Design – This concept requires that data protection be built in from the initiation and inception of system design rather than bolted on afterwards. Article 25 states that ‘The controller shall..implement appropriate technical and organisational measures..in an effective way.. in order to meet the requirements of this Regulation and protect the rights of data subjects’. The law also requires, under the principle of data minimisation in Article 5(1)(c), that organizations hold and process only the data that is necessary for the purposes for which it is processed.
  • Data Portability – GDPR also introduces data portability, whereby data subjects can request the personal data they provided to a controller in a structured, commonly used and machine-readable format, and transmit it to another data controller.
  • Data Protection Officers – Currently, data controllers must notify their data processing activities to local DPAs, which can be burdensome. Under GDPR this is no longer required. Instead, organizations must keep internal records of their processing activities, and appointing a DPO becomes mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.

How We Can Help

Our data loss prevention (DLP) consulting strategies and processes help protect your data on endpoints, networks, servers and in the cloud, including data in transit between locations. Our strategies are centered on a single policy definition, so there is no need for a number of disparate technologies across multiple security layers.

Our network security team offers strategies and solutions built around centralized data and policy management, giving IT administrators granular control and the visibility to monitor, evaluate, and take appropriate action on unusual network activity according to their specific needs.