Do you remember the Data Protection Directive 95/46/EC? Probably not, and for a good reason: this 1995 European Union (EU) directive regulates the processing of personal data within the EU. Compliance has been mandatory throughout the years, but its enforcement section was weak, keeping the risk of non-compliance low for companies. Thus, except for several enthusiastic fans and early security vendors (yup, I’m that old), nobody really cared (well, almost).
Data protection is important, and in the EU they take it very seriously. As a result, data protection and privacy requirements were built into the different bilateral treaties on the functioning of the EU. According to the EU, everyone has the right to the protection of personal data concerning them, and the EU is trying to protect the privacy of its citizens vigorously. With privacy protection becoming a major issue in recent years, the EU had to develop a more effective set of mandates that would improve the overall privacy of its citizens and address the privacy challenges of the new millennium.
Companies that are based in the EU are subject to the GDPR requirements. The same holds for companies outside the EU that process and store personal data of EU citizens. This means that companies with a significant European presence, as well as companies that do business with other companies that have a presence in the EU, will also be subject to the GDPR requirements. In short, this regulation is likely to cover most of the companies in the world.
As a person involved in security for over 20 years, I’m very excited. GDPR, like the Payment Card Industry Data Security Standard (PCI-DSS), will change the way that organizations process, store and secure data. While PCI-DSS is limited to credit card data and the systems that process it, GDPR will cover all verticals and more data elements.
The list of GDPR requirements is not long and is easy to read. Adhering to the standard, however, will be challenging. Here are my favorite parts of the regulation:
Data protection by Design and by Default
One important concept introduced by the GDPR is the Privacy by Design requirement. Privacy by design is an approach to projects that promotes privacy and data protection compliance right from the start, rather than as an afterthought, as is currently the case. The regulation requires that data protection be designed into the initial development stages of business processes for products and services. Privacy settings must be set to a high level by default. Technical and procedural measures should be taken to make sure that the processing, throughout the entire processing lifecycle, complies with the regulation. Risk management, encryption, planning and design are all built into the regulation. In other words, security, risk and compliance are no longer an afterthought.
Records of processing activities
Records of processing activities must be maintained. The records must include the purpose of the processing, the categories of data and data subjects involved, and the envisaged time limits for erasure. These records must be made available to the supervisory authority on request.
There is a legal obligation to notify the authorities within 72 hours of a data breach. Individuals have to be notified if an adverse impact is determined. Obviously, this means that organizations must develop breach detection practices. The regulation puts special emphasis on detection.
So why should you care?
The EU, which is known to be bold, made yet another bold statement: the penalties for non-compliance are high. Put simply, if you fail to comply with GDPR requirements, your company can be fined between 2% and 4% of its annual global revenues or up to €20 million (about $22.5 million USD at current rates), whichever is higher.
How can we help? GuardiCore Centra was designed to prevent, identify and respond to security and data breaches faster and with greater intelligence, and it can help your organization achieve compliance.