What is the GDPR?

General Data Protection Regulation


The GDPR was approved and adopted by the EU Parliament in 2016 and will be in effect from the 25th of May 2018. The General Data Protection Regulation is set to streamline data protection laws across Europe and to change and ameliorate the way organizations and companies handle information and privacy. This contributes to the protection of fundamental rights and to the freedom of EU citizens, as it gives them more control over the information other organizations possess pertaining to them.


GDPR is applicable to any organization that processes personal data of EU citizens, so it can also apply to organizations outside of the EU. The regulation demands that the necessary procedures be established to ensure compliance with the data protection principles, which include transparency, accountability and natural persons’ rights, whilst ensuring the security of data.




What is personal data?

Name
Address
E-mail Address
Identification Number
IP address

Political opinions
Sexual information
Genetic data
Health information
Physiological data

Location data
Online cookies
Analytics data
Race
Religion


Personal data can pertain to the customer, supplier, partner and employee. If a company possesses any of this data, it will need to comply with the GDPR, whether the data is on a spreadsheet, on a computer network, mobile phone, e-mail or in the cloud. Personal data refers to any data which can directly or indirectly identify a natural person.





What does processing of data entail?

Processing of data should be rightful, transparent and fair.

Compiled for definite, justifiable objectives.

Competent, pertinent and constrained to what is required.

Data must be authentic and updated.

Data must be kept only for as long as it is required.

Sufficient security and privacy should be ensured and data should be handled with honesty.

It should be transparent to natural persons if their personal data is being collected, used, consulted or processed and to what extent these processes will take place.

The specific intentions for which personal data will be processed should be accurate, straightforward and justifiable, and these should be established prior to the onset of data collection.

Direct consent from the individual should be obtained.

The data processor should ensure that the personal information of the data subject is preserved and safeguarded at all times.


Any processing of data should be lawful and fair.





How should consent be given?

Consent is an act affirming the data subject’s agreement to the use of personal data pertaining to him or her.

This can take the form of a written statement and can also be given through electronic means.

Consent should be specific, informed, unambiguous and freely given.

For a consent to be informed, the data subject should at least have information regarding the data processor and the purposes for data processing.

If the subject has no free choice or cannot withdraw their consent without any unfair treatment, then consent cannot be regarded as freely given.

Any request for consent should be unambiguous and clearly legible, using plain language.

Organizations should be able to provide evidence for the consent given by their data subjects.


For the collection and processing of data to be lawful, consent must be given by the person to whom the information belongs.





What are the data subjects’ rights?

Data subjects have the right to access the personal information that organizations have, pertaining to them.

Data subjects have the right to correct any inaccurate data about themselves.

Data subjects have the right to have personal data erased.

Data subjects should be provided with means through which they can request and obtain, free of charge, access to their personal data.

Individuals have the right to move personal data from one provider to another.

The data controller should provide means for requests to be made, and the controller should oblige without undue delay, at the latest within one month.


This regulation gives data subjects new rights.





The repercussions of non-compliance.

FINED UP TO €20 million

BREACHES MUST BE REPORTED WITHIN 72 HOURS





The GDPR strives to strengthen data protection and this also includes employing the necessary measures to ensure that the information is kept safe. Should companies and organizations fall victim to a cyber attack, resulting in a data breach, they might face a fine of up to 4% of the global annual revenue of the previous year, or up to €20 million (whichever is greater). In addition, companies must report the breach within 72 hours of the event. Affected individuals should be informed immediately of the breach and the impact this might have on their rights and freedoms.





Apart from complying with the aforementioned procedures, increasing cybersecurity measures is imperative as it ensures the safekeeping of information whilst warding off breaches. Cyber criminals pose the greatest risk to the company’s digitally stored information. They use phishing, malware and SQL injection to obtain what they want, leaving the companies they attack exposed and marred. Cyber attacks can also take the form of ransomware, where cyber criminals hold your data ‘hostage’ until you give them something they request in return.





Employing sufficient measures to protect the information stored within the company mitigates the severity of the fines. Demonstrating GDPR compliance inspires trust amongst employees, clients and suppliers.




Contact us for a FREE SITE VISIT where we’ll check whether your security is up to par with the needs of the evolving technological world.

Download Arcanet GDPR Compliance Document to find out how to protect your own organisation.