GDPR (General Data Protection Regulation) is a regulation on privacy and data protection for all individuals within the EU (European Union) and the wider EEA (European Economic Area). It is meant to protect users' personal data and restrict unauthorised access to it. It brings more transparency about what kind of data organisations collect and gives people rights to prevent unnecessary data collection. The regulation applies to businesses and individuals across Europe.
The GDPR was adopted on 14th April 2018 and became enforceable in all member states on 25th May 2018.
Almost all of us have handed over a lot of personal information, from names and email addresses to sexual orientation, to various websites, either voluntarily or by ticking boxes while interacting with those sites. That is where these services get their information. It is hard for people to know exactly which information they have consented to let internet giants such as Google, Facebook and Twitter use while enjoying their so-called free services. Fundamentally, almost every aspect of our lives revolves around data. From internet companies to social media, banks, retailers and even governments, almost every service we consume involves the collection and analysis of our personal data.
What is GDPR Compliance?
Under GDPR, every organisation has to ensure that users' personal data is gathered lawfully and with their consent. Every organisation that collects and manages such data is required to protect it from misuse and exploitation.
Personal data is at real risk of being lost, stolen, tampered with or leaked to people with malicious intent. Organisations that handle and process personal data therefore need to store it in pseudonymised or fully anonymised form and protect it with the strongest encryption available, so that the data is never directly exposed without the individual's explicit consent. No personal data may be processed unless the data controllers and processors have obtained explicit consent from its owner, and the owner has the right to withdraw that consent at any time.
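The paragraph above names three controls without showing what they look like in practice: pseudonymisation (reversible only by whoever holds a separate key), anonymisation (irreversible removal and generalisation of identifying fields) and a consent check that refuses processing once consent is withdrawn. The following is an added example written for this page, not code from any regulator or product; the record, the purpose name "analytics" and the field layout are constructed sample data, and the pseudonym is an HMAC-SHA256 over the identifier under a key that would be stored apart from the data set.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; not real personal data.
SAMPLE_RECORD = {"user_id": "u-1001", "email": "alice@example.com", "age": 34, "city": "Berlin"}

# Fields that identify a person directly; they are replaced or dropped.
DIRECT_IDENTIFIERS = ("user_id", "email")


def make_pseudonymisation_key() -> bytes:
    """Generate the secret that makes pseudonyms re-linkable; keep it away from the data."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash of one identifier. Without the key it cannot be reversed or rebuilt."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with keyed pseudonyms; other fields stay as they are."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonym(str(out[field]), key)
    return out


def matches(value: str, candidate: str, key: bytes) -> bool:
    """Re-link a clear identifier to a pseudonym; only the key holder can do this."""
    return hmac.compare_digest(pseudonym(value, key), candidate)


def anonymise(record: dict) -> dict:
    """Drop direct identifiers and generalise age to a decade band; irreversible by design."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if isinstance(out.get("age"), int):
        low = (out["age"] // 10) * 10
        out["age"] = f"{low}-{low + 9}"
    return out


class ConsentRegistry:
    """Tracks which purposes each user has consented to; withdrawal takes effect immediately."""

    def __init__(self) -> None:
        self._granted: dict[str, set[str]] = {}

    def grant(self, user_id: str, purpose: str) -> None:
        self._granted.setdefault(user_id, set()).add(purpose)

    def withdraw(self, user_id: str, purpose: str) -> None:
        self._granted.get(user_id, set()).discard(purpose)

    def allows(self, user_id: str, purpose: str) -> bool:
        return purpose in self._granted.get(user_id, set())


def process_for_purpose(record: dict, purpose: str, registry: ConsentRegistry, key: bytes) -> dict:
    """Gate processing on current consent, then hand downstream only a pseudonymised copy."""
    if not registry.allows(record["user_id"], purpose):
        raise PermissionError(f"no consent from {record['user_id']} for purpose {purpose!r}")
    return pseudonymise(record, key)


if __name__ == "__main__":
    key = make_pseudonymisation_key()
    registry = ConsentRegistry()
    registry.grant(SAMPLE_RECORD["user_id"], "analytics")
    print(process_for_purpose(SAMPLE_RECORD, "analytics", registry, key))
    print(anonymise(SAMPLE_RECORD))
    registry.withdraw(SAMPLE_RECORD["user_id"], "analytics")
    try:
        process_for_purpose(SAMPLE_RECORD, "analytics", registry, key)
    except PermissionError as exc:
        print("refused:", exc)
```

The design point is the separation of duties: the analytics copy carries pseudonyms and the key lives elsewhere, so a leak of the copy alone does not expose identities, while the anonymised copy cannot be re-linked even by the key holder. The consent check runs on every call rather than once at collection time, which is what makes withdrawal effective.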
The GDPR also requires a business to report data breaches to all relevant parties within 72 hours of detection.
Six Lawful Bases for Processing Your Data
Legitimate interests: Personal data can be processed only if the organisation can show a legitimate interest of its own that does not conflict with the interests and rights of the individual.
Contractual: Personal data can be processed if the organisation has a contract with the individual and the use of the data is necessary to fulfil that contract.
Consent: Personal data can only be collected and processed with the individual's clear and specific consent.
Public interest: Personal data can be processed if the processing is necessary for a task carried out in the public interest.
Legal obligation: Personal data can be processed if the processing is necessary for the organisation to comply with a legal obligation.
Vital interests: Personal data can be processed if the processing is necessary to protect someone's life.
How much will breaching GDPR cost your organisation?
If a company loses data, whether through human error, a cyber-attack or anything else, it is obliged to send a breach notification to the affected users.
The notification must state the type of data involved and describe the likely consequences of the breach.
Now that GDPR is in force, an organisation that fails to report a data breach to the Data Protection Authority within 72 hours can be fined up to 2% of its annual turnover or $10 million. The organisation must describe the consequences and impact of the breach, how it could affect users and what measures have been taken to contain it.
Beyond the reporting failure, the breach itself can be punished under GDPR with a maximum fine of 4% of annual turnover or $20 million, whichever is higher.