The soaring amount of leaked personal information over the last 10 or so years has triggered the emergence of data protection legislation all over the world, including the GDPR in the EU. What is GDPR and how does it affect IT business? Read on to find out.
GDPR Overview
To minimize the threat of fraud and extortion, the General Data Protection Regulation (GDPR) came into effect on May 25, 2018. The regulation superseded the Data Protection Directive that had governed the EU's information security since 1995.
The GDPR has ramped up the protection of private data and unified its administration throughout the European Union. The legislation revolutionizes the IT industry by exerting a strong influence on business practices, while failure to comply results in huge financial penalties and tarnishing of the company image.
The European general data protection regulation affects the following types of businesses:
- Companies that collect and process the private information of EU nationals, whether those nationals live inside or outside the EU
- Companies that are based in and conduct business in the EU
Business Requirements of the GDPR
The European Data Protection Regulation has fundamentally changed the way companies conduct their business processes, toughening the rules on responsibility for improper management of personal information.
Obtaining Consent
As of May 25, 2018, companies can no longer use private data without specific consent from the owner of that data. As specified by the European Commission, personal data includes any materials that concern a specific individual. This includes information related to one’s personal and public life or professional activities, such as a person’s name, home address, IP address, bank details, photos, health records, social networks, and so on.
While the Data Protection Directive permitted companies to obtain singular consent for data to be used in all aspects of the business, the GDPR requires separate permissions for each particular area: marketing, support, sales, accounting and so on.
The regulation prescribes that companies obtain consent in an explicit form. This means that companies must get subjects to sign legal contracts that describe how, when and where companies will use their personal information, and individuals must be free to withdraw their consent at any time.
Data Security by Design and by Default
GDPR rules that affect workflows extend well beyond companies having to obtain approval for use of personal information: these rules radically alter the way businesses organize their in-house procedures.
Companies tend to add security arrangements after the development stage, yet the GDPR stipulates that organizations should build the processes that govern information safety into every stage of development. Companies should now consider data protection and privacy precautions as early as the design stage and make this approach part of their development philosophy. All business departments must be involved in providing safety and privacy for their clients.
To meet the requirement of information protection by design, the EU Data Privacy Regulation recommends that companies use pseudonymization. Pseudonymization reduces the risk arising from improper use of private materials by separating sensitive data from other materials and documents. Encryption is a good and efficient example of this practice.
For a company to keep compliant, procedures that provide the security of private information require ongoing revision.
Data Protection Team
Whether as a fully functional team or just a single data protection officer, this new role should now exist within businesses. These professionals ensure that their companies abide by the GDPR compliance requirements.
Technical Requirements of the GDPR
Besides causing significant changes to companies’ workflows, the EU data protection regulation also entails drastic technology-related developments.
Data Portability
The GDPR doesn’t limit the rights of individuals once they provide their permissions for the collection and processing of their personal information. Data subjects are free to withdraw their materials and transfer them to another vendor. This is particularly important for social networks and cloud service providers.
Companies that collect and process private information must be ready to deliver an electronic copy of that information to data subjects upon request. Companies should make specific arrangements to create portable copies of the information. In addition, organizations should provide supporting materials that describe the data they store and the reasons for storing it.
Information portability is usually a challenge for small companies. While large enterprises typically have a formalized storage procedure, small ones keep customer materials in silos. To address this, businesses can opt for outsourced storage service providers.
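The two technical points above, pseudonymization (separating direct identifiers from the working data) and data portability (handing a subject a copy of what is held about them), can be shown together in a small script. The following is an added example written for this article, not code from the original text or from any vendor; the field names, the sample customer records and the key are constructed, and the HMAC-based token scheme is one common way to implement pseudonymization, not the only one.

```python
"""Pseudonymization and portable export of customer records (added example).

Direct identifiers are replaced by an HMAC-SHA256 token computed under a secret
key. The token-to-identity lookup table and the key are the "additional
information" that must be stored separately and under access control; the
working set on its own no longer names anyone. All records below are constructed.
"""
import hashlib
import hmac
import json
import secrets

# Fields treated as direct identifiers (assumption: chosen for the sample records).
DIRECT_IDENTIFIERS = ("name", "email", "home_address")

# Constructed sample records; not real people. Note the second record repeats
# Ada's e-mail with different casing.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.org",
     "home_address": "1 Sample St", "plan": "pro", "support_tickets": 3},
    {"name": "Ada Example", "email": "ADA@example.org",
     "home_address": "1 Sample St", "plan": "pro", "support_tickets": 1},
    {"name": "Bob Sample", "email": "bob@example.net",
     "home_address": "2 Sample Ave", "plan": "free", "support_tickets": 0},
]


def make_token(key: bytes, identifier: str) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 over the normalised identifier.

    Deterministic so that one person's records still join up for analytics;
    keyed so that someone holding only the tokens cannot rebuild them by
    hashing guessed e-mail addresses, as they could with a plain SHA-256.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Split records into a working set without identifiers and a separate lookup.

    Returns (working_set, lookup). working_set can go to analytics or support
    tooling; lookup (token -> identifiers) stays with the key, apart from it.
    """
    working_set = []
    lookup = {}
    for rec in records:
        token = make_token(key, rec["email"])
        lookup.setdefault(token, {f: rec[f] for f in DIRECT_IDENTIFIERS})
        working_set.append({"subject": token,
                            **{f: v for f, v in rec.items()
                               if f not in DIRECT_IDENTIFIERS}})
    return working_set, lookup


def contains_direct_identifiers(record) -> bool:
    """Check used before a record leaves the protected store."""
    return any(f in record for f in DIRECT_IDENTIFIERS)


def reidentify(token: str, lookup):
    """Re-link a token to a person; possible only with the separate lookup table."""
    return lookup.get(token)


def erase_subject(lookup, key: bytes, email: str) -> bool:
    """Honour a withdrawal or erasure request by dropping the link.

    Records left in the working set keep their token but can no longer be tied
    to a person. Returns False if no link existed.
    """
    return lookup.pop(make_token(key, email), None) is not None


def export_subject_data(working_set, lookup, key: bytes, email: str) -> str:
    """Build the portable copy a data subject may request: identity plus records."""
    token = make_token(key, email)
    return json.dumps({"identity": lookup.get(token),
                       "records": [r for r in working_set if r["subject"] == token]},
                      indent=2, sort_keys=True)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: kept apart from the working set
    working, table = pseudonymize(SAMPLE_RECORDS, key)
    print(json.dumps(working, indent=2))
    print(export_subject_data(working, table, key, "ada@example.org"))
```

The point to take from the design: the working set alone is useless for identifying anyone, which is what makes it pseudonymous rather than merely obfuscated; the lookup table and key must be access-controlled separately, and deleting a single lookup entry is enough to honour a withdrawal of consent without touching the analytical records.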
Data Breach Notification Systems
Companies should notify their supervisory authorities about data breaches within 72 hours after they become aware of the incident. They must further inform customers if their personal data has been affected. These requirements necessitate the development of a robust notification system, regardless of the size of the company.
However, businesses are not legally obliged to notify their customers of breaches if they can prove that they had taken all measures to prevent unauthorized access to this information.
The Recording of Data Handling Activities
Organizations should not only keep data safe but also record their activities related to the processing of private information. They must deliver reports to supervising authorities at request.
The Adoption of an Information Security Solution
Although the GDPR doesn't demand that businesses introduce a dedicated data security solution, most companies will nevertheless arrive at this measure soon, as breaches become more frequent.
The information security solution should strictly limit access to customer data. Companies should assign access rights carefully and review them regularly. Businesses should also place a special focus on their perimeter protection to monitor and filter the incoming and outbound traffic and minimize the risk of data breaches.
Economic Requirements of the GDPR
Changes in companies' business processes and the related technical aspects induce expenses to cover these new needs. Hiring an in-house officer or outsourcing the role, as well as adjusting the IT landscape to GDPR requirements, requires considerable investment. Compliance with the provisions on obtaining consent and on data conversion and transfer also results in significant expenditure.
Expenses required for the realization of a GDPR compliance plan depend on the company’s size. The bigger the company, the larger the costs for adjusting to the requirements.
Data Protection as the First-Priority Goal
An increasing number of companies are becoming concerned with making their business practices compliant with data protection requirements such as the GDPR, ISO/IEC 27001:2013 certification and others. Failure to ensure the security of personal information results in a variety of negative consequences, such as high penalty charges, lawsuits and loss of customer trust and loyalty.
If you require expert advice on how to ensure data security and privacy in the process of software development, feel free to contact us.