The European Union (EU) has a new data privacy and breach disclosure law, which went into effect on May 25. That’s why you’ve been getting all those emails from various companies with updates on privacy policies.
The new law, General Data Protection Regulation (GDPR), replaces a patchwork of country-specific privacy regulations previously in place within the EU. GDPR brings uniformity and clarity to the handling of personal data and how to proceed when that data is breached. Personal data is defined as any information identified with a specific individual, such as name, IP address, email address and street address.
Preventing Data Abuse
Privacy is a fundamental right within the EU. The law aims to protect the “rights and freedoms” of EU citizens and residents by preventing misuse or improper use of personal data. The ultimate goal is to prevent data from being exploited for nefarious purposes such as identity theft, fraud, discrimination, financial loss and damage to reputation.
Under GDPR, any entity that uses personal data must have a lawful basis to do so, with the consent of the data subjects, and keep the data only for as long as necessary. GDPR imposes stringent fines on “controllers” and “processors” of data for non-compliance.
A controller is any entity that collects and controls personal data. Examples of controllers include online and physical retailers that keep information about their customers. Processors handle and store personal data on behalf of controllers and include data carriers, cloud service providers, IT solution providers and MSPs. Entities such as data carriers and MSPs, which keep personal data on their own customers and also process it on behalf of others, qualify as both controllers and processors.
Businesses don’t need to be headquartered within the EU to be subject to GDPR. Any organization that handles personal data within the territory, regardless of its base, must comply with the law.
Businesses that move data from within the EU beyond its borders must implement safeguards to prevent data breaches. Whenever a breach occurs, GDPR mandates the relevant authorities be notified within 72 hours. If the breach compromises, or has the potential to compromise, personal data, the individuals affected also must be notified.
The Role of Security
GDPR is not a security standard; there are other regulations and security frameworks for that. However, security is essential to complying with it. For instance, GDPR cites encryption as one option for protecting personal data, but doesn’t mandate it. Nevertheless, the law requires businesses to assess security risks and put the proper measures in place to mitigate those risks, taking into account technology developments and implementation costs.
Every business operating within the EU needs to understand GDPR and ensure it has taken the required steps to protect personal data:
- Assess and understand the types of data your company handles
- Determine which data is subject to GDPR
- Determine if you need to notify, or seek consent from, data subjects whose personal data you handle
- Assess whether measures are in place to comply with GDPR
- Review and update your breach notification procedures
- Take immediate steps to become compliant if you haven’t yet
One of the ways for businesses to achieve GDPR compliance is through round-the-clock monitoring and real-time alerts in case of a suspected breach. Companies that implement monitoring technology and policies should also treat physical security and monitoring as a fundamental piece of a comprehensive security strategy.
In addition to data monitoring, businesses should also deploy monitoring systems in server rooms, wiring closets and edge computing sites – anywhere that houses critical equipment potentially accessible to unauthorized individuals. Physical security and monitoring solutions help prevent the unauthorized access that can lead to breaches.
Learn More about GDPR
GDPR puts individuals’ rights above all else. All businesses that handle the personal data of EU subjects need to understand the law and take firm steps to comply; otherwise, they risk millions of dollars in fines. A first step toward understanding GDPR is to learn about the law, starting here.