As part of eSecure Consulting Services to the Israeli Startups we providing a unique service to comply to the GDPR.
The GDPR was designed to increase legal certainty regarding information exchange within EU’s borders and beyond. The GDPR harmonizes data protection requirements through a single data protection regulation across all EU member states.
The EU General Data Protection Regulation (GDPR) aims to change the regulatory environment for personal (private) information not just in the EU but around the world.
It also introduces stronger consumer protections, requirements for greater transparency and accountability about how data is used by businesses, not-for-profits and governments alike.
GDPR replaces the current Data Protection Act 1998 (DPA) and will become effective on the 25th May 2018.
Fines: potential financial penalty for private data breach has been increase up to 20 Million Euros or 4% of annual turnover.
The right to erasure: it will allow data subjects to request that any data held about them is removed upon request. This requirement is extensive to shared with third parties. Companies must have detailed understanding of all personal data held and have processes and systems in place to meet this requirement.
Data privacy by design and default: data privacy is to be implemented by ‘design and default’, meaning that processes, systems and technology used to store personal data must be designed so that privacy is kept and preserved.
Data Breach reporting: companies will be obliged to report data breaches to national competent authorities within 72h of detection. These 72h are running dats, rather than working days. Weekends should be considered for that matter.
Enhanced transparency: information must be provided to the data subject, explaining how their data will be used and for how long it will be kept and stored and how it will be protected.
Data Protection Officer: GDPR states that data protection officers (DPO) must be appointed for all public authorities. Additionally, a DPO will be required in all processes that involve “regular and systematic monitoring of data subjects on a large scale” or when large-scale processing of ‘special categories of personal data’ exist.
Main concerns with GDPR:
1 – Accountability: companies should
– demonstrate compliance
– have appropriate policy, process and technology to comply with GDPR requirements
– Develop privacy impact assessments
– Have privacy by design and by default on all processes and technologies
– Demonstrate effective, enforced and documented privacy policies
2- Information Security: Companies should
– Improve security requirements
– Deploy encryption and ID management where inexistent
– Secure private data
– Deploy effective detection and response methods regarding Privacy breaches
3 – International Data Transfer
– Keep in mind that IP addresses & log files are forms of personal data.
– Data flow inside EU is “freely allowed”. Outside is subject to strict conditions.
4 – Penalties for not complying
– Fines and penalties can go up to 4% of global annual turnover or up to 20M€ maximum
– Privacy breaches should be notified within 72h, consecutive days.
Where can we help?
– Do you understand all the aspects of the regulation?
– Do you understand what personal data does your company or technology process?
– Do you know what your private data flows are withing your organisation?
– Do you consider privacy at all levels of business?
– Do you have proper mitigation in place to address privacy breaches?
– Do you have proper detection and response planning processes, considering privacy?