After the Regulation came into force, the principles of the game in the business world have changed dramatically. It has become unprofitable to violate the rules for storing personal data, since a multimillion-dollar fine can be imposed on a company for non-compliance with the GDPR. Therefore, if you plan to continue doing business in Europe, it is essential to adapt in order to secure the personal data of your customers and users. However, let us talk about everything in order.
What is GDPR?
GDPR (General Data Protection Regulation) is an international law passed in the European Union in 2016. It applies to all legal entities from all countries of the world if they collect or process personal data of citizens or residents of the EU. That is, any business that receives personal information from individuals in the EU must comply with the GDPR.
The main purpose of the GDPR is to protect the rights of people and their personal information that describes them in any way from unauthorized or unlawful processing. The GDPR law requires organizations to ensure that the personal data of users and customers is handled and stored responsibly.
What kind of information does the GDPR protect?
For the purposes of the law, personal data is any information that relates to an identifiable person, the data subject. More specifically, this definition may include:
- User or client name, residential address, identification number;
- Biometric data;
- Bank data;
- Information about a person’s health or medical care;
- Political views, religious beliefs;
- Racial or ethnic information about the person;
- Marital status;
- Sexual orientation;
- Location data, IP address, cookie data, etc.
It should be noted right away that the law obliges to anonymize this data and store it in different places. That is, the information corresponding to the items from the list above should be stored in different databases: in one name, in the second marital status, in the third address, etc.
GDPR requirements and principles
The protection of personal data in the GDPR is based on eight principles that were documented in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data back in 1980. In the GDPR, they are presented in seven points:
- Lawfulness, fairness, transparency. Personal data must be obtained legally, with the consent of the data subject.
- Purpose limitation. The purpose of collecting information should be clearly stated at the time of collection. The data shall not be used for any other purposes than those indicated.
- Data minimization. It is forbidden to collect more information than is necessary for the purposes specified.
- Accuracy. The information must be accurate, complete and up to date to a sufficient extent to achieve the intended purpose.
- Storage limitation. Data should not be kept longer than necessary.
- Integrity and confidentiality. Information must be protected from unauthorized access, theft, modification or disclosure.
- Accountability. The information controller is responsible for compliance with the requirements of the GDPR.
It turns out that the information controller must explain to users in a language understandable to them why their personal data is collected. They should also have easy access to information about the data already collected. The information should not be stored longer than the required time, and the controller is obliged to ensure its security.
Given the principles of the GDPR, there are several basic rules:
- Warn users that you plan to collect this or that personal data;
- Collect only the information that you really need for your tasks, since you are responsible for all data, whether you use it or not;
- Transfer of information is possible only with the consent of the subjects of information;
- Backup copies must be located in different places, their encryption is mandatory;
- It is necessary to have tools for simple and quick editing and deletion of personal data.
At first glance, it may seem that everything is simple. However, as is often the case, standards that are simple in terms of specifics very often turn out to be burdensome for small and medium-sized businesses. Since they cover a wide legal area and require the company to have its own legal department, or support from highly qualified specialists.
Implementing the GDPR in your organization
Notably, the GDPR only describes the expected outcomes of responsible data governance. And although this is a voluminous and very strict regulation of 88 pages, it does not contain any technical recommendations, methods, measures and means to achieve the requirements. That is, companies must determine them themselves, taking into account the specifics of their business.
The law also says that data controllers must be able to demonstrate their compliance with the GDPR. That is, if you think you are GDPR compliant but cannot show it, then you are not GDPR compliant.
The GDPR is an EU regulation on data protection and privacy in the European Union and the European Economic Area. Countries are covered by the GDPR: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.
Why is GDPR important?
GDPR compliance helps increase trust and credibility, along with a better understanding of the data that is being collected and how it is managed. Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. The GDPR has severe consequences for non-compliance like a damaged reputation and massive penalties of up €20M or, if higher, as much as four percent of global revenue.
In general, the enterprise first needs to figure out what state everything is currently in regarding the collection and processing of user information. Accordingly, if you are currently using one server, it is better to split it into several so that it is impossible to hack all the databases from one source. There should be a firewall, and the server must be constantly monitored by an antivirus.
It is desirable that there are two Internet channels. So that in case of hacking through one channel, it can be turned off and work with the server through the second. All information must be encrypted, both during storage and during transmission. In fact, technical measures can mean anything.
It is also necessary to develop or update security policies and some other documents in accordance with Art. 24, 30, 33 and 34 GDPR. Accordingly, your employees must be properly trained, understand, and use the principles of information security and the protection of confidential information in their daily work.
If you need to make sure that your enterprise complies with the requirements of the described law, or prepare for an audit, contact our experts to schedule a consultation.
We offer end-to-end services to get you certified as quickly as possible, and we also have an automated solution from Vanta that makes it easy to get evidence that your business is GDPR compliant.