What is the General Data Protection Regulation (GDPR)?

The new General Data Protection Regulation (GDPR), EU Regulation 2016/679, is coming in 2018.

The GDPR is a regulation by which the European Parliament, the Council of the EU and the European Commission intend to simplify data protection by unifying the data protection laws and regulations across the EU.

It affects all individuals within the European Union (EU). The regulation was adopted on 27 April 2016.

It will be in full force from 25 May 2018.

Businesses not following the regulation can be hit with large fines, up to 20 million Euro or 4% of the worldwide turnover of the business.


Is GDPR good or bad?

The idea behind GDPR is to radically improve the privacy of all EU citizens.

There are still some questions about the effectiveness.

Are the privacy and security measures economically reasonable?

Will the administrative expenses be practical?

Who will be paying the extra costs?

Taxpayers or data controllers?

Can we morally define new privacy rights and simply externalize all costs imposed by the legislation onto third parties or taxpayers?

GDPR increases expenses for everybody

GDPR is enforced on anyone processing the personal data of people in the EU, wherever they are.

It can be a heavier burden for small, low-budget companies.

It increases their expenses and can force their final prices above those of competitors outside the EU.

Is it fair for companies inside the EU to compete with companies outside of the EU?

What are the positives about GDPR?

New positive rights for EU citizens include:

  • Right of erasure
  • Right to be forgotten
  • Right to access all data about the person
  • Right to rectification
  • Right to restriction of processing
  • Right to object
  • Right to data portability

Of course, the cost of these positive rights must be borne by some party.

Large GDPR fines if violated

GDPR imposes large fines for infringements:

Up to 4% of the annual worldwide turnover or EUR 20 million for breaches of the requirements relating to international transfers or of the basic principles for processing, such as the conditions for consent.

Up to 2% of the annual worldwide turnover or EUR 10 million for missing encryption, a failed obligation to notify the customer or the state, or a missing Data Protection Officer.

Will companies leave the EU?

The threat of existential GDPR fines

Companies must still protect the data of EU citizens or pay the fines for ignoring this duty.

But for companies outside of the EU it can be technically difficult to enforce any penalties at all.

How does the EU really intend to make it impossible for international companies outside of the EU to process online data of EU customers without resorting to censorship?

There is a large incentive for international companies to simply leave the EU if their expenses for GDPR compliance are too high and the risk of GDPR fines for non-compliance too great.

Can we expect another round of Internet censorship, blocking the websites of international companies that deliver their products to EU citizens but decide not to follow GDPR rules?

This is already happening with online gambling companies.

How can a breach be notified?

Data controllers must notify a personal data breach to the Data Protection Authority (DPA), the government supervisory body.

It must be done without undue delay and within 72 hours of becoming aware of the breach.

Can governments be trusted?

According to various EU statistics there have been multiple breaches and leaks in governments of Denmark, Germany, Slovakia and other EU countries.

There may be good reason not to trust a government's ability to protect citizens' data when it cannot secure its own.

Another fear institutions might have is the increased risk of reputational damage, such as what recently happened to Uber.

How can businesses be affected?

All companies that store data on citizens of the European Union (EU), even with no presence in the EU, are forced to comply.

All organizations are forced to implement processes and procedures for collecting and storing personally identifiable information (PII).

This means any data related to the private, public or professional life of an EU resident.

This includes IP addresses, bank information, e-mail addresses, social network information and more.

It must be ensured that PII is stored with the permission of an authorized person and only used for a specific purpose.

Non-compliance implies heavy fines: 20 million Euro or 4% of global revenues.

Tips on how to prepare your organisation

Educate personnel and raise awareness of the new EU regulation.

Closely monitor information.

Keep sensitive data at a local location.

Have secure verification and identification mechanisms and only allow secure communication.

Have data leak prevention policies.

Deploy data leak prevention systems.

Common misconceptions about GDPR

Small businesses are not exempt: there is no real exclusion for any business, whatever its size, under the current GDPR law.

When GDPR comes into effect on 25 May 2018 there may be large-scale data auditing.

There might be a small group of specific companies on the target list to be audited first.

What will trigger GDPR enforcement are data breaches such as in the Uber case.

If your operation is outside of the EU, will you still be affected?

All companies, even those outside of the EU, will be affected if they are handling the data of EU citizens.

Personal Data is personal data under GDPR

There are differences between private data and sensitive data.

  • Private data includes IP addresses, name and street address.
  • Sensitive data includes religion, sex, political views, union membership, level of education and medical records.
  • There are differences in what you can do with each type of data and how it can be stored.
  • Sensitive data, for instance, is not allowed to be used in business situations such as getting a mortgage or bank loan.

Companies outside the EU cannot be sued under GDPR

This is wrong. For example, an Italian business can file a class action suit against a company in Florida if it abused personal data.

GDPR only relies on user provided data

Again, this is not true, since it applies to all sensitive data generated about or collected from the user.

There is only one kind of user consent

We can use the 'cookie law' as an example. Sites that set cookies must show a notice that the user must accept.

The data privacy movement behind the GDPR is limited to Europe

It has been pointed out that regulations like GDPR will come to Asia, Japan, Singapore and Australia.

Something similar can be found in US states like: California, New York and Massachusetts.

How can encryption help a company with GDPR compliance?

Nowadays it is easier than ever before to enable encryption for desktops, servers and smartphones. This makes it difficult for attackers to obtain sensitive data during a breach.

It will help to increase your GDPR compliance.

It may help to lower the fines that could be imposed by the government.

In some cases it means you may not have to notify affected users after a breach, although you still have to notify the DPA.

It is strongly recommended to use encryption on everything.

Right to data portability

Data portability feature.

Is it all positive, or are there critical aspects?

GDPR is too expensive and complex a piece of legislation for most companies to follow correctly.

GDPR is vague and can be subject to corruption.

New technologies will appear to help companies stay compliant.

GDPR can overrule mutually agreed contracts between data subjects and data controllers.

GDPR will externalize all expenses.