GDPR compliance: Failure to comply will be costly
INTEGRITY BEAT - Henry J. Schumacher (The Freeman) - January 12, 2018 - 12:00am

The General Data Protection Regulation (GDPR) is in the news these days — for good reason. This sweeping new law applies to all companies that collect and process data belonging to European Union (EU) citizens, even if this is done outside of the EU. This includes companies with operations in the EU and/or a web site or app that collects and processes EU citizen data.

Key areas of the legislation cover privacy rights, data security, data control, and governance. The good news is that the law will be pretty much identical in all 28 EU member states, meaning companies only have to comply with one standard. However, the bar is set high and wide — forcing most companies to invest considerable resources in becoming compliant.

Failure to comply with GDPR could result in a hefty fine. If a company is found guilty of a breach that compromises an EU citizen’s data, the penalty could be up to 20 million euros or four percent of an enterprise’s worldwide revenue, whichever is larger! Putting that in perspective: a large enterprise could be fined hundreds of millions of euros for a single breach.

In addition, two pain points are conspicuous: a requirement to notify EU authorities within 72 hours of a breach, and another to prove your company’s security approach is state-of-the-art.

It is important to note in this context that the Philippine Data Privacy Act imposes similar pressure and regulation on local companies!

What’s mandated by GDPR

Since not all of the GDPR requirements have been finalized, some organizations have adopted a ‘wait-and-see’ approach. Let’s consider the new obligations being introduced by this regulation:

Data control

To preserve subjects’ privacy, organizations must:

* Only process data for authorized purposes

* Ensure data accuracy and integrity

* Minimize the exposure of subject identities, and

* Implement data security measures.

Data security

Data security goes hand-in-hand with data control. GDPR puts security at the service of privacy. To preserve subjects’ privacy, organizations must implement:

* Safeguards when data is retained for additional processing

* Data protection measures, by default

* Security as a contractual requirement, security measures based on risk assessment, and encryption

Right to erasure

Subject data cannot be kept indefinitely. GDPR requires organizations to completely erase data from all repositories when:

* Data subjects revoke their consent

* A partner organization requests data deletion, or

* A service or agreement comes to an end

It is worth noting, however, that subjects do not enjoy a carte blanche right for their data to be erased. If there are legal reasons — specified in the regulation — an organization can retain and process a subject’s data. Exceptions are few, however.

Risk mitigation and due diligence

Organizations must assess the risks to privacy and security, and demonstrate that they’re mitigating them. This requires they:

* Conduct a full risk assessment

* Implement measures to ensure and demonstrate compliance

* Proactively help third-party customers and partners to comply, and

* Prove full data control

Breach notification

When a security breach threatens the rights and privacy of a data subject or subjects, organizations must:

* Notify authorities within 72 hours

* Describe the consequences of the breach, and

* Communicate the breach directly to all affected subjects

6 steps to GDPR compliance

To prepare for GDPR, organizations can use this six step process:

1. Understand the law

Know your obligations under GDPR as it relates to collecting, processing, and storing data, including the legislation’s many special categories.

2. Create a road map

Perform data discovery and document everything — research, findings, decisions, actions and the risks to data.

3. Know which data is regulated

First, determine if data falls under a GDPR special category. Then, classify who has access to different types of data, who shares the data, and what applications process that data.

4. Begin with critical data and procedures

Assess the risks to all private data, and review policies and procedures. Apply security measures to production data containing core assets, and then extend those measures to back-ups and other repositories.

5. Assess and document other risks

Investigate any other risks to data not included in previous assessments.

6. Revise and repeat

Repeat steps four to six, and adjust findings where necessary.

For Chief Security Officers, GDPR and the Philippine Data Privacy Act require an upgrade of the organization’s security capabilities, both to meet the regulations’ requirements and to improve overall security with respect to data confidentiality and privacy. If companies in Cebu need assistance, we have a team in place to assist – contact Schumacher@eitsc.com
