What is GDPR?

The EU's General Data Protection Regulation (GDPR) is a set of laws and regulations designed to give transparency to everyone, and to provide a framework that defines which data is considered sensitive or “personal data” and how that data should be protected.

Along with that came a lot of new options for consumers, like understandable consent (without legal gobbledygook), data portability, the right to be forgotten, the right to access, and information about breaches.

GDPR brought a set of very serious consequences for companies found guilty of breaking the regulations within GDPR – thus giving companies an incentive to treat data with more care and protect it better.

Definitions

  • Personal Data: “Personal Data” is defined as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
    This definition allows a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifiers (IP addresses, screen names, email addresses etc.).

  • Controller: The company / organization that controls the data and has the legal responsibility for the data. This responsibility cannot be signed over to a 3rd party.

  • Processor: A 2nd or 3rd party company / organization which processes the data for the controller.

  • Data Subject: The end-user / customer / owner of the data.

  • Consent: The consent of the Data Subject must be obtained explicitly and unambiguously. This means that you have to be specific about exactly what data you collect and what you do with it – and that you cannot hide behind incomprehensible legal speak. It also means that you cannot get consent for “everything”, and getting consent for what you defined does not give you the right to use or process the data outside the scope of that consent.

  • Right to Access: The Data Subject always has the right to know exactly what data (everything) the Controller has about them.

  • Right to be Forgotten: The Data Subject always has the right to be forgotten, so if the Data Subject retracts their consent or in other ways requests to be forgotten, the Controller has to delete everything that they are not required by law to keep (financial records, orders, relevant emails etc.).

  • Data Portability: The Data Subject has the right to have all their data ported between companies / organizations at will. If the Data Subject requests it, the Controller must extract all the data they have about the Data Subject (that is not trade secrets) and deliver it to the requested company / organization.

  • Privacy by Design: GDPR is designed as a framework and a mindset to work by, so that future implementation and investment is easy. This means that you have to design your current and future systems and processes to work within GDPR.

  • Supervising Authority: The Controller's local Supervising Authority. A list can be found here: https://www.varonis.com/blog/gdpr-data-protection-authority-supervisory-listing/

  • Breach Notification: In case of a data breach (something gets physically or digitally stolen, or in other ways falls into the hands of a person or a company / organization without proper authorization to view and / or process the data), the Data Subject and the Supervising Authority must be informed within 72 hours of becoming aware of the breach.

  • Data Protection Officer:

  • Annual turnover: the money you made after expenses and tax, but before – so your total annual turnover

Why is it important to be GDPR compliant?

We all know that our data is being collected for marketing purposes, so that, for example, Google, Amazon and Facebook can target specific audiences effectively for their customers (the companies buying the advertisements).

It is always important to protect the data you collect and manage, especially today with how everything is entangled cross-platform – even metadata can be used to profile and target people, or to impersonate them and commit fraud with the obtained data.

Pre-GDPR there was little incentive for companies of any size to spend money on security and data protection – but after GDPR, it can get expensive really fast for ANYONE breaking the regulations.

GDPR is a major win for individual security and privacy.

What are the consequences?

The consequences of not adhering to the regulations within GDPR are defined as follows:

  • 4% of annual global turnover or a €20 million fine for serious infringements (for example not having sufficient customer consent to process the data, or violating the “Privacy by Design” concepts of GDPR).
  • 2% of annual turnover or €10 million for not having your records in order (article 28). This includes, but is not limited to:
    • Failure to notify the Supervising Authority.
    • Failure to notify the Data Subject about a breach.
    • Failure to conduct an impact assessment of a breach.

The rules and regulations apply to both processors and controllers – this means that no company / organization that handles, or has the legal responsibility for, the data is exempt from GDPR.

Does GDPR apply to me?

The short answer is: yes.

The longer answer is that GDPR applies to every organisation that handles data from citizens within the EU.

That means that even if you are not operating from an EU member state, you still have to comply with GDPR.

What can I do?

If you are not compliant at the moment, you should take very serious steps to become compliant as quickly as possible. Neglect is a serious offence in the eyes of the Supervising Authority, and instead of a warning and a small fine you can end up in the big boy bracket and get slapped with either of the big fines defined within GDPR.

You can take the following steps:

  • Obtain consent.
  • Identify what data you store and whether it is important for you to run your business – if not, delete it.
  • Identify your potential risks of leaks and fix them.
  • Implement processes for how you handle data, how you keep it and for how long you keep it. Work them into your routines so that you keep being compliant, and not just at the point of implementing GDPR in your company / organization.
  • Make sure you review your consents regularly and that you are handling data within the definitions of the consents received.
  • Hire a consultant with experience in identifying Personal Data and implementing processes that can easily be adopted into your daily workflow.
