Question


Assume you are an IT security specialist for a large U.S. online retail organization that does business internationally. Your CIO has asked you to thoroughly review the new General Data Protection Regulation (GDPR) recently implemented in the European Union. He wants to understand exactly what the organization must do to comply with this regulation when doing business with EU customers.

Provide a detailed discussion about the rules for businesses and the rights of the EU citizens.

Include a discussion of the following:

  • What does the GDPR govern?
  • What rights do the EU citizens have with regard to their data?
  • What is considered personal data under this regulation?
  • What is considered data processing under this regulation?
  • Describe the role of the data protection authorities (DPAs).

Discuss, in detail, how the GDPR will change business and security operations for your organization. Provide the CIO with a recommended checklist for GDPR compliance and discuss processes and policies that may need to be changed in order to comply with GDPR.

In your conclusion, address what you think will be the financial impact to the organization, both in terms of compliance and any lack of compliance.

Answer #1

# What does the GDPR govern?

“Everyone has the right to respect for his private and family life, his home and his correspondence.”

The European Union has sought to ensure the protection of this right through legislation.

As technology progressed and the Internet was invented, the EU recognized the need for modern protections.

The GDPR is an EU data privacy law that went into effect on May 25, 2018 and all organizations were required to be compliant.

The GDPR is an EU data privacy law designed to give individuals more control over how their data are collected, used, and protected online. It also binds organizations to strict new rules about using and securing the personal data they collect from people, including the mandatory use of technical safeguards like encryption and higher legal thresholds to justify data collection.

First, if you process the personal data of EU citizens or residents, or you offer goods or services to such people, then the GDPR applies to you even if you’re not in the EU.

Second, the fines for violating the GDPR are very high. There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages.

# What rights do the EU citizens have with regard to their data?

According to the GDPR directive, the following are the rights of EU citizens with regard to their data:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making, including profiling

# What is considered personal data under this regulation?

According to the GDPR directive, personal data is any information that relates to an individual who can be directly or indirectly identified, such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.

Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.

# What is considered data processing under this regulation?

Data processing includes any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, and erasing.

If you process data, you have to do so according to seven protection and accountability principles:

Lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

DPOs are responsible for educating the company and its employees about compliance, training staff involved in data processing, and conducting regular security audits.

Well, GDPR applies to all businesses and organizations established in the EU, regardless of whether the data processing takes place in the EU or not. Even non-EU established organizations will be subject to GDPR. If your business offers goods and/or services to citizens in the EU, then it’s subject to GDPR.

All organizations and companies that work with personal data should appoint a data protection officer or data controller who is in charge of GDPR compliance.

There are tough penalties for those companies and organizations who don’t comply with GDPR: fines of up to 4% of annual global revenue or 20 million euros, whichever is greater.

And while GDPR does create challenges and pain for us as businesses, it also creates opportunity.

Companies who show they value an individual’s privacy (beyond mere legal compliance), who are transparent about how the data is used, who design and implement new and improved ways of managing customer data throughout its life cycle build deeper trust and retain more loyal customers.

When first announced in 2016, it felt like there was plenty of time for new businesses to take the necessary steps. But, this time has flown by and many companies are still scrambling, even after the deadline has passed. So, if you haven’t already started your journey to compliance, we urge you to start now.

CHECKLIST to be followed:

> Record checklist details: Use this section to record the details of who is completing the checklist and why.

> Make your team or company aware of GDPR: It is important to make sure other members of your team or organization are aware of GDPR and its potential ramifications.

> Document information held by the company: It is important to make sure all activities related to data are well documented.

> Review existing privacy notices: The GDPR requires certain changes to privacy notices and these should be reviewed alongside your existing practices.

The privacy notices codes of practice can be found here: Privacy Notices, Transparency and Control.

When you collect data you normally inform the subject who you are and how you intend to use the data. This is common practice.

> Review how you seek, record, and manage consent: Consent plays a big role in the GDPR and its outline should be understood by all members of the team.

The Financial Impact and Gains of GDPR

Breach charges

Impact on reputation: While a data breach is considered the highest financial impact of non-conformance to GDPR, it is essential also to consider the cost impact of a bad reputation. With modern technology, customer-affecting incidents rarely stay out of the news.

The financial gain of GDPR

Running costs

Many international companies invest considerable funding in country-specific officers in charge of monitoring the company’s data protection and liaising with government officials to ensure they are regularly updating and monitoring accordingly. Having an EU-wide policy will enable organisations to have fewer staff working on the data protection side, as there is now only one regulation for all. This opens up opportunities for companies to deploy personnel to excel in other aspects of the business.

Reputation

As previously discussed, the negative impacts on reputation are critical contenders in the cost element of GDPR; however, positive reputational results are essential to consider when looking to reap financial gain. Customers are going to be using their research to find out which companies they can trust, and this will be reflected by the publication of data protection procedures and how prepared a company is to comply.

Reap the rewards today

As GDPR comes into legislation on 25th May 2018, there is no time to waste. It is important to ensure you are prepared well in advance and have spent enough time broadening your knowledge on the topic to ensure there are no nasty surprises. To make sure you are ready, get in touch with the experts at Cyan Solutions today to provide your business with the tools you need to see the benefits of GDPR.

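The answer above notes that pseudonymous data still counts as personal data when it is "relatively easy to ID someone from it", and lists the right to erasure among the data subject rights. The following Python example, added here as an editor's illustration and not part of the original answer, shows what that means in practice for a retailer's order table: an unkeyed SHA-256 of a customer email is reversed with a small candidate list, an HMAC under a secret key is not, and deleting the key (crypto-shredding) is one way to make the remaining records unlinkable to a person. The email addresses, the attacker's candidate list and the `PseudonymVault` class are all constructed for the example; nothing here is code from the page or from any GDPR authority.

```python
"""Pseudonymisation of customer identifiers: unkeyed hash vs keyed hash vs key deletion."""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample data for this example (made-up addresses, not real customers).
CUSTOMER_EMAILS = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]

# A candidate list an attacker might assemble from breach dumps or marketing lists.
# Also constructed; it happens to contain the real addresses, which is the realistic case.
ATTACKER_CANDIDATES = CUSTOMER_EMAILS + ["dave@example.com", "erin@example.org"]


def normalise(email: str) -> str:
    """Canonical form so 'Alice@Example.com' and 'alice@example.com' map to one pseudonym."""
    return email.strip().lower()


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256: deterministic, so anyone can recompute it from a guessed email."""
    return hashlib.sha256(normalise(email).encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key: recomputing it requires the key."""
    return hmac.new(key, normalise(email).encode(), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      pseudonymise: Callable[[str], str]) -> Optional[str]:
    """Re-identify a pseudonym by pushing every candidate through the same function."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise(candidate), target):
            return candidate
    return None


class PseudonymVault:
    """Hypothetical key holder: keeps the HMAC key apart from the pseudonymised records.

    Shredding the key makes every pseudonym it produced unlinkable to a person, so the
    order records can be kept for aggregate statistics without re-identification.
    """

    def __init__(self) -> None:
        self._key: Optional[bytes] = secrets.token_bytes(32)

    def pseudonymise(self, email: str) -> str:
        if self._key is None:
            raise RuntimeError("key has been shredded; no new pseudonyms can be issued")
        return keyed_pseudonym(email, self._key)

    def can_reidentify(self, pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
        """What the key holder can still link; None once the key is gone."""
        if self._key is None:
            return None
        return dictionary_attack(pseudonym, candidates, self.pseudonymise)

    def shred_key(self) -> None:
        self._key = None


def demo() -> dict:
    target = "alice@example.com"

    # 1. Unkeyed hash: trivially reversed with a candidate list, so still personal data.
    naive = naive_pseudonym(target)
    naive_recovered = dictionary_attack(naive, ATTACKER_CANDIDATES, naive_pseudonym)

    # 2. Keyed pseudonym: an attacker with the right candidate but a wrong key gets nothing.
    vault = PseudonymVault()
    keyed = vault.pseudonymise(target)
    attacker_key = secrets.token_bytes(32)
    keyed_recovered = dictionary_attack(
        keyed, ATTACKER_CANDIDATES, lambda e: keyed_pseudonym(e, attacker_key))

    # 3. The key holder can still link the record, so for them it remains personal data...
    linked_by_holder = vault.can_reidentify(keyed, ATTACKER_CANDIDATES)

    # 4. ...until the key is shredded, which is one way to act on an erasure request.
    vault.shred_key()
    linked_after_shred = vault.can_reidentify(keyed, ATTACKER_CANDIDATES)

    return {
        "naive_recovered": naive_recovered,
        "keyed_recovered_without_key": keyed_recovered,
        "linked_by_key_holder": linked_by_holder,
        "linked_after_shred": linked_after_shred,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner would add: the HMAC key must be stored and access-controlled separately from the records (in a KMS or HSM, not in the same database), and shredding the key only covers data that was pseudonymised under it, so copies of the raw email in logs, backups and third-party processors still have to be found and erased to honour the request in full.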