May, 25 will certainly be a key date for the history of the European Union. On this day, the new version of General Data Protection Regulation (GDPR) will take full force. It expands both Controllers and Processors’ commitments to the data privacy issues. According to the rules this document activates, all the companies and organizations across the EU will have to enhance their transparency and accountability measures. To put it simply, unless they are ready to receive a fine of up to 20 million euros in accordance with the new General Data Protection Regulation, they will need to revise their security policies and launch new data protection measures to reduce the risks of a data breach.
As every business is unique and has its own system of protective measures, it is impossible to predict what you as an entrepreneur will have to do to be perfectly ready for the EU GDPR compliance. However, in this article, we will tell you more about the principles of General Data Protection Regulation 2018 and propose a short GDPR summary of changes so that you can understand what actions you should undertake.
10 facts your company needs to note about the GDPR
- GDPR concerns you, anyway. The most crucial fact about the General Data Protection Regulation of 2018 is that it applies to all organizations across the world processing any data of the citizens of the European Union. It is actually the first regulation of the European Union that will expand its legitimacy upon non-affiliated countries. Authors of the new law believe that it will change the way of dealing with personal information in the whole world.
- GDPR offers a new understanding of “personal data”. It has always been rather difficult to identify a piece of information as “private” or not. With new regulations coming into force, the notion of personal data will broaden even more. For example, the GDPR changes include expansion of its protective function on location data and online markers (such as IP address and cookie files, as it takes into regard the cloud-based nature of many modern organizations). Moreover, it identifies genetic and biometric data, such as gene sequences or fingerprints, as sensitive information.
- Valid consent is more important than ever. According to the GDPR of May 2018, companies will have to ensure the conditions of their agreements are written in very clear and precise terms. What is more, the client’s inactivity will not mean consent by default. The organizations must explain what kinds of personal data they will collect and why. Without clear personal consent, it will be impossible to use this information.
- Please welcome DPO – Data Protection Officer. In accordance with the European data privacy regulation a new person of authority called Data Protection Officer should be created in companies to deal with the personal data. The GDPR principles aren’t based on the number of the company’s employees working with the personal information, as it was widely accepted before. They concentrate on the processes of data usage instead. For that reason, definite specialists should be assigned to control them.
- Data Protection Impact Assessments. General Data Protection Regulation text also includes the issue of activating obligatory PIAs (privacy impact assessments) that can indicate the risks of collecting and processing sensitive data. PIAs will be required in situations where data processing is likely to result in high risk to individuals: if a new technology is being deployed; if a profiling operation is likely to significantly affect individuals; if there is processing on a large scale of the special categories of data. According to the EU GDPR of 2018, PIAs should define the consequences of collecting and processing data, protective actions in case of a leak risk, and methods of handling personal data issues for clients. As there will be people responsible for data breach risks evaluation, in the cases where information leaks are possible, extra measures should be undertaken.
- Notifications for control. To achieve the best possible level of control over the performance of the GDPR data protection laws, all of the companies will need to send data breach notification to the local authorities.
- Burn after reading. One of the GDPR data protection principles includes the client’s right to demand data deletion after the time period it is absolutely necessary. What is more, the company will have to ensure the client’s consent before altering the way of information usage.
- Liability expansion. The EU data protection regulation applies also to the companies that provide any kinds of services to the ones handling the GDPR sensitive personal data.
- Erase a record. One more requirement of the data protection changes of 2018 is the capacity of all software systems to completely delete all the data from the servers. In such a way there will be ensured privacy by design.
- Reduction to one ultimate authority. The GDPR data security measures bring a significant advantage for businesses: they won’t need to address various services for regulating their data leaks. Starting from May 2018, there will be united supervisory system for all of the EU members.
How to prepare your business for the GDPR
One of the main reasons to launch the EU General Data Protection Regulation was the increased amount of cybercrimes. The situation was bad enough even at the dawn of the XXI century, and nowadays the rules of the Budapest Convention on Cybercrime, that was signed in 2001, seem to be outrageously outdated. That is why the data protection changes of 2018 aim at elimination the possibilities of information processing which may lead to discrimination, any kinds of fraud, as well as disclosure of racial, religious, genetic and other GDPR sensitive data. To ensure the appropriate level of its functioning, any company liable to the new data privacy regulations will need to take some steps. We have divided them into three categories: technical, organizational, and security practices.
One of the most crucial issues for ensuring cyber security is compliance to technical requirements of the EU data protection regulation of 2018. Here is the short summary of them:
- Separation of concerns. Corporate accounts with administrator rights, that many workers have access to, should be prohibited. It is even recommended to split the accounts of the administrator for him or her to use the one dealing with the sensitive data only when resolving problems that require it.
- Importance of the password. Passwords may be quite tricky. Too lengthy and complicated ones are a bad idea as they usually involve reusage of the old one and facilitates hacker attacks. According to the General Data Protection Regulation, the passwords ought to be of medium length and have a regular expiry.
- Firewalls. The companies should build firewalls of the most modern software with proper configuration. All the systems have to be updated regularly. What is more, there should be implemented the latest anti-spyware as well as systems of timely intrusion detection and prevention.
- Data decommissioning. The EU GDPR claims that, if some pieces of sensitive personal information are stored on the old hardware or software, all the measures should be undertaken to delete them.
- Encryption. This is not an obligatory step for companies handling a limited amount of personal data, but experts advise include valid encryption, PGP, and VPN services.
- Data backup. All the sensitive personal information should be regularly copied on the reliable carriers.
It is very important to improve the data protection systems in the technical facilities of your company. However, it may be even more crucial to train your staff and instruct them properly about new regulations. So we would recommend you to take such steps:
- Make sure all agreements are of non-disclosure nature. All team members should also sign a pledge of secrecy.
- Train your staff to handle the risks of data leak and to identify and prevent possible information misuse.
- Limit the access to the sensitive data to the members who are in charge of it only. This also includes severe restriction of personal devices and email addresses usage for corporate purposes.
- Assure the best possible ways of the premises and workers’ physical protection, as well as the facilities for documents to be kept in the secure places.
| Read also: 10 Basic BYOD Security Rules
Additional security practices we recommend
There are still a couple of not obligatory but still vitally important things you can do to make your business really secure and prepare it for the EU data privacy standards:
- You should make your corporate Wi-Fi password as secure as possible and change it regularly enough. Moreover, you ought to take steps to prevent the creation of other Wi-Fi hotspots working in your office. A good idea will be to set the WPA-TKIP security protocol for only authenticated staff to reach it.
- Integrate multi-factor authentication. This is an absolute must for the European standards of infosecurity. And avoid using old-fashioned multi-factor authentication methods like SMS authentication or e-mails. There are many highly reliable ways to protect corporate accounts from illicit access: hardware security tokens, in-app authenticators, and even special bots in messengers delivering one-time passwords.
- Be sure to integrate proper web filtering to all of your corporate devices, blocking the suspicious URLs.
Implementation of such a massive and strict regulation as the GDPR cannot but involve huge changes in the system of processing sensitive personal data. We would say that a short EU GDPR summary is – it promotes safety in a radically new way.
These changes seem to be rather positive, as the EU General Data Protection Regulation of 2018 implies total compliance for all the companies working with personal information and the absolutely equal preventive and punitive actions for any organization infringing it.
Though it is quite difficult to believe that the level of the GDPR compliance will be absolutely equal in all the countries processing data of the EU member, GDPR equalizes in rights a large number of businesses across the world, that will definitely bring some clarity for entrepreneurs from different countries. They will allegedly work under the same conditions not to lose their companies.
What we can do now is to prepare our companies for the new regulations and wait for the whole world to do the same.
- Top 7 Tips How to Protect Yourself from Phishing Scams
- Social Engineering: What It Is and Why It Works
- Self-Driving Cars: New Cybersecurity Challenge
- Panama Papers Leak – Evil or Good?
- How to Backup Google Authenticator or Transfer It to a New Phone
- 10 Most Popular Two-Factor Authentication Apps on Google Play Compared