Digialtyic Technologies

7 minute guide to General Data Protection Regulation (GDPR)

What is EU-GDPR?

We have all been hearing and seeing articles about GDPR, with much frenzy. In this guide we will do a quick catch-up on GDPR and where we stand.

GDPR stands for General Data Protection Regulation, a regulation that outlines stringent security measures intended to protect the data and individuals of the EU region.

The Background

General Data Protection Regulation

The EU Digital Single Market strategy aims to open up digital opportunities for people and business and enhance Europe’s position as a world leader in the digital economy.

This paved the way for wider and stricter compliance in the form of the EU-GDPR, the General Data Protection Regulation, the first comprehensive overhaul of EU data protection rules in twenty years, taking effect on May 25 2018.

GDPR extends the scope of EU data protection law to all foreign companies processing data of EU residents, and this has created a ripple effect across the tech industry. It is going to significantly alter the way organizations handle and store data.

Fact Check – what's the impact for me?

GDPR applies to all organizations that control or process data within the EU, as well as those that control or process data related to EU residents. This means that, while GDPR is rooted in the EU, organizations in Asia or North America that handle data from EU residents are very much impacted as well.

So if the above scenario applies to your organization, then you very much need to be compliant.

Ok – So what is personal data / sensitive data?

EU GDPR Article 4 Definition – "'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, unique identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social or gender identity of that person"

EU GDPR Article 9 Definition – Special Categories of Data: the processing of personal data revealing

  1. Race or ethnic origin,
  2. Political opinion
  3. Religion or philosophical beliefs,
  4. Sexual orientation or gender identity,
  5. Trade-union membership and activities, and the processing of genetic or biometric data or data concerning health or sex life,
  6. Administrative sanctions, Judgements, criminal or suspected offenses, convictions or related security measures

By now you should be getting the crux of the upcoming challenge, and it's common to wonder whether there is more to it.

Hmmm, read on….

GDPR – Overview of Provisions

The following are the broad areas covered by the GDPR, which together outline the access rights and the permitted data usage:

  1. Scope
  2. Single rules
  3. Responsibility
  4. Accountability
  5. Lawful Data Processing
  6. Explicit Consent
  7. Data Protection Officer
  8. Data Anonymization
  9. Data Breach
  10. Sanctions
  11. Data Access Rights
  12. Data Removal Rights
  13. Portability
  14. Auditability
  15. Data Protection

Read the detailed regulation from the EU here.

Is there a checklist? Yes, but one size doesn't fit all

Ask your IT team or your vendor these basic questions to start with, and then build a workable plan.

  1. What data do you capture?
  2. Is there a classification of the data?
  3. Where do you store the personal data?
  4. How do you process the data?
  5. How long do you archive the data?
  6. Who has access to the customer data?
  7. Are they SFIA level certified to handle the data?
  8. How are my services and data exposed to the outside world?
  9. How secure are my systems? Are they patched and upgraded periodically?
  10. Finally, devise an "action plan" and identify a compliance officer who can drive you through the muddy waters

Last words….

Preparing for the "holy grail" of GDPR compliance may seem like a daunting task, but organizations that follow the above steps and are equipped with the right security tools and strategies can rise to the challenge and strengthen their security, threat detection and response abilities.

The clock is ticking… Be compliant ALWAYS!!
