
Understanding GDPR

The new European data privacy and security law, the General Data Protection Regulation (GDPR), came into effect on May 25, 2018. The GDPR aims to protect personal data and levy hefty fines on organizations failing to meet its compliance requirements.

The digital transformation gave rise to a data-driven culture in which data analytics plays a huge role in business interactions. The GDPR's reach is not limited to organisations based in the EU: it applies to anyone offering goods or services to people in the EU, or monitoring their behaviour there, wherever the organisation is established (Article 3). It is high time for businesses to adopt a customer-first mindset and start implementing an effective compliance environment. No data-driven business should treat the GDPR as a threat; it is better understood as an opportunity to future-proof the business and to earn the trust of customers.

What Data is Covered by GDPR?

The GDPR exists to protect personal data, meaning any information that relates to an identified or identifiable natural person. The Regulation calls such a person a 'data subject'.

The GDPR applies to personal data processed in either of two ways:

  1. Personal data processed wholly or partly by automated means (for example, information held in electronic form); and
  2. Personal data processed by non-automated means that forms part of, or is intended to form part of, a 'filing system' (for example, structured written records in a manual filing system).

Examples of data covered and protected by the GDPR:

  • Basic identity information such as name, address, and ID numbers.
  • Web data such as location, IP address, cookie data, and RFID tags.
  • Health and genetic data.
  • Biometric data.
  • Racial or ethnic data.
  • Political opinions.
  • Sexual orientation.

The last five items are 'special categories' of personal data under Article 9; processing them is prohibited unless one of the specific exceptions in that Article applies, so they attract stricter controls than ordinary personal data.

What Companies Will Be Impacted?

The GDPR applies to organisations established in the EU and, regardless of where they are based, to any organisation that offers goods or services to people in the EU or monitors their behaviour there (Article 3). A US company with no office in the EU is therefore still in scope if it processes personal data of people in the EU for those purposes; a US company with no EU customers or monitoring activity generally is not.

In practice, an organisation should assume the GDPR applies if any of the following describe it:

  • It has a presence (an establishment) in an EU country.
  • It has no presence in the EU but processes personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour.

The 250-employee figure sometimes quoted in this context does not decide applicability. Article 30 exempts enterprises with fewer than 250 employees only from the duty to keep records of processing activities, and even that exemption falls away where the processing is not occasional, involves special categories of data, or is likely to result in a risk to the rights and freedoms of data subjects.

How EPC Group Can Help

To comply with the GDPR, an organisation needs an in-depth understanding of what the Regulation requires and where the compliance challenges lie. The GDPR protects the data privacy rights of people in the EU.

EPC Group has been offering GDPR compliance services to its clients since 2018. Before the GDPR came into force, EPC Group offered data governance strategies aligned with the US data privacy laws in force at the time. Our experience in cybersecurity and advanced risk management allows us to create a compliance strategy suited to today's GDPR requirements.

Here are some of the ways EPC Group can help you establish a comprehensive governance structure:

Mapping company data

We will map the sources of all the data you collect and document how you use or process it. We will locate where the data is stored and review your existing data access policy in order to create a GDPR-compliant data protection policy.

Identify data you need to keep

We will help you identify and remove redundant data that adds no value to the business. Keeping only the data you actually need is the data minimisation principle in practice, and it makes access and processing policies far easier to apply company-wide.

Ensure proper security controls are in place

We will implement proven cybersecurity controls throughout your infrastructure to help prevent and contain data breaches. This means building a solid data security programme that reduces the likelihood of a breach and, when one does occur, supports notifying the supervisory authority within the 72-hour window the GDPR requires.

Review compliance risks

Our experienced data protection consultants will review your existing privacy policies and update your privacy notices and requirements where needed. They will design a clear consent process and automate the handling of data subject requests so that your systems remain GDPR-compliant.

Establish new procedures for handling personal data

As the foregoing makes clear, the GDPR puts consumers, the data subjects, at the forefront and grants them substantial rights. We will establish new procedures for handling personal data so that your organisation can meet these obligations.
For example:

  1. Establishing a procedure that allows individuals to give valid consent in a legally compliant way.
  2. Setting up a process to delete an individual's personal information upon receiving an erasure request.
  3. A process to act on each deletion request and track its progress through to completion.
  4. Creating a strategy for handling data portability requests.
  5. Drafting procedures for communicating data breaches to the supervisory authority and, where required, to the affected individuals.

Importance of GDPR Compliance in New Remote-Working Normal

The onset of the pandemic forced a large part of the global workforce to work remotely. It shifted organisational focus away from the office environment and pushed organisations to revisit their GDPR compliance strategy to check whether it would survive in the new normal or needed updating.

When the GDPR came into force, many organisations implemented detailed data security protocols to improve data privacy and safety. At that time, the focus was largely limited to GDPR compliance within the office boundaries. Now, with social distancing guidelines and employees working from home, a compliance strategy that covers remote work has become essential.

Technology has played a dominant role in keeping employees productive while they work outside the office. The central problem, however, is maintaining the privacy and security of stored and processed data. Organisations therefore need to re-evaluate their data security risks and provide a safe remote working experience. Beyond addressing vulnerabilities in their networks and physical data storage facilities, organisations face compliance challenges whenever remote workers move data between the corporate network, the cloud, and personal laptops.

EPC Group has extensive experience with Data Protection Impact Assessments (DPIAs) used to identify data protection gaps and privacy risks. Our assessment and understanding of those risks and gaps lets us address each issue appropriately. Where needed, EPC will introduce additional data security controls for accessing and processing personal information from the home environment, and we will account for the ways in which data handling at home differs from data handling in the office.

General Data Protection Regulation (GDPR): What You Need to Know

The EU General Data Protection Regulation (GDPR) came into force on May 25, 2018. Together with the UK Data Protection Act 2018, which supplements the GDPR in UK law, it made sweeping changes to how businesses collect, process, and use personal data.

The EU GDPR replaces the Data Protection Directive 95/46/EC and is intended to protect and strengthen the data privacy of people in the EU. The GDPR set out to change the way organisations across the region approach data privacy. Once in force, it gave individuals greater control over the data that relates to them and forced organisations to adopt a customer-first mindset. It gives data subjects the right to know where, when, and how a specific organisation uses their data, and it gives them easier access to the personal data held about them, such as name, home address, photograph, bank account details or medical information.

The GDPR does not apply to personal data processed for national security purposes or by competent authorities for law enforcement. Alongside the GDPR, a separate Law Enforcement Directive (Directive (EU) 2016/680) was adopted for the police and criminal justice sector. It lays down stringent rules on the exchange of personal data at every level, whether national, European, or international.

The Key Aspects of GDPR

The objective of the GDPR is to protect the personal data, and thereby the privacy and identity, of people in the EU. Below are the most substantial changes and a discussion of how the GDPR compliance environment affects individuals and businesses.

  • Impact on Businesses – The territorial scope of the law is wider than before. The GDPR applies to any organisation processing the personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour, irrespective of where the organisation is located. Under the previous Directive, applicability turned largely on where the controller was established, which left the scope of the law ambiguous for businesses outside the EU. Under the GDPR it does not matter whether the processing takes place inside or outside the EU, and the citizenship of the data subjects is irrelevant: what matters is that the individuals are in the EU.
  • Conditions for Consent – The conditions for consent under the GDPR are more stringent than before. Consent must be freely given, specific, informed, and unambiguous. A request for consent must be presented in clear and plain language, clearly distinguishable from other matters, and must state the purposes for which the data will be collected and processed; withdrawing consent must be as easy as giving it. Where an online service is offered directly to a child and relies on consent, the child must be at least 16 years old, although member states may lower this threshold to no less than 13 (Article 8). Below that age, processing is lawful only if consent is given or authorised by the holder of parental responsibility.
  • Heavy Penalty for Non-Compliance – An organisation that breaches the Regulation can be fined up to 4% of its annual worldwide turnover or €20 million, whichever is higher (Article 83); a lower tier of up to 2% or €10 million applies to some other infringements. For a large multinational with a substantial global turnover, 4% is a very large sum.

Data Subject Rights

  • Privacy Breach Notification – Under Article 33, a controller must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; late notifications must be accompanied by reasons for the delay. Under Article 34, where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay, with a clear description of what has happened.
  • Right to be Forgotten – Also known as the right to erasure (Article 17). It entitles the data subject to have the controller delete their personal data and stop further processing or distribution, in defined circumstances: for example, where the data is no longer necessary for the purpose it was collected for, where consent is withdrawn and no other legal basis applies, or where the data has been processed unlawfully.
  • Data Subject Access Requests – Individuals can submit a subject access request to the organisation or the relevant controller (Article 15). They have the right to know whether and why the organisation holds their data, what it intends to do with it, who it is shared with, and how long it will be kept. The controller must also provide a copy of the personal data free of charge, in a commonly used electronic format where the request was made electronically. The controller must respond without undue delay and at the latest within one month of receiving the request, extendable by a further two months for complex or numerous requests.
  • Privacy by Design – Organisations must build GDPR-compliant data protection into systems from the inception of their design (Article 25). The controller must implement appropriate technical and organisational measures, such as pseudonymisation, that put data protection principles into effect and integrate the necessary safeguards into the processing, in order to meet the requirements of the Regulation and protect the rights of data subjects. By default, only the personal data necessary for each specific purpose should be processed. This reflects the data minimisation principle in Article 5(1)(c): organisations should hold and process only the data that is adequate, relevant, and limited to what is necessary.
  • Data Portability – The GDPR also introduces data portability (Article 20): data subjects can receive the personal data they provided to a controller in a structured, commonly used, and machine-readable format and transmit it to another controller.
  • Data Protection Officers – Under the previous Directive, controllers had to notify their data processing activities to the local data protection authority, which was burdensome. The GDPR removes that general notification duty and replaces it with internal record-keeping (Article 30). Appointing a Data Protection Officer is mandatory under Article 37 for public authorities, for organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for organisations whose core activities involve large-scale processing of special categories of data or criminal conviction data; other organisations may appoint one voluntarily.

How We Can Help

The GDPR consulting services offered by EPC Group are well known and trusted by our clients. Our data loss prevention (DLP) consulting strategies and processes help protect your data on endpoints, networks, servers, and in the cloud, including data in transit between locations. Our consulting services aim to create a compliance strategy built around a single, central set of policies, eliminating the need for several disparate technologies across multiple security layers.

Our advanced network security team and experienced privacy professionals use their data privacy expertise to design strategies and solutions around centralised data policy management. This gives IT administrators granular control and the visibility to monitor, evaluate, and act on unusual network activity according to their specific needs.