GDPR Compliance – General Data Protection Regulation
The General Data Protection Regulation directly affects Organisations upon a Global scale. For example, Organisations originating from The United States, having offices both within The European Union and the US, and, export personal data from The EU to the US will need to comply with the GDP Regulations or be subject to the consequences set within the GDPR.
When/if an Organisation experiences a Data Breach, under the GDPR, the following may apply subject to the extent of the breach; The Organisation is required to inform the relevant Data Protection Authority and the owners of the breached data. The Organisation could be fined up to €20 million or 4% of GLOBAL TURNOVER.
Exemptions are provided under the GDPR and they are based on whether appropriate and adequate security controls are in place within the Organisation. An example, a breached Organisation who has rendered the data unintelligible by means of encryption to an unauthorised access person, is not mandated to notify the records owner.
The likelihood of receiving fines will also be reduced if the Organisation can demonstrate a “Secure Breach” occurred.
Under the GDPR, Organisations are to remain in control of their data ensuring that the said data is only accessed by authorised persons only when appropriate. Secure destruction of paper files is to be complete in line with European Standards specific shred sizes. The data has to be in an unreadable state.
Encryption is deemed to keep digital in an unreadable state without the appropriate key. Organisations appropriately using encryption in conjunction with access controls can illustrate their data’s security and integrity.
In addition to encryption and appropriate destruction methods, Organisations will be required to conduct full risk assessments and adopt the measures to mitigate the identified risks. As all risks cannot be identified relating to data, Organisation are advised to encrypt their data to “Secure the Breach”.
Right to Erasure
Post data collection, individuals will have a claim and a certain amount of control over the said data. Organisations are required to securely erase data when;
- A partner Organisation submits a request for data deletion
- An agreement or service comes to an end.
- Consent being revoked by a data subject.
If a breach results in unprotected data being exposed, the Organisation is required to inform the relevant Data Protection Authority within 72 hours, and, communicate the breach directly to the affected data subjects.