The European Union (EU) General Data Protection Regulation (GDPR) comes into force on May 25, 2018. It replaces the 1995 Data Protection Directive and, being a regulation rather than a directive, applies directly in every member state instead of through separate national implementing laws.
This whitepaper introduces the General Data Protection Regulation (GDPR) and outlines what
GDPR is a privacy law: it governs how organizations that decide why and how Personal Data is processed (Data Controllers), and those that process it on their behalf (Data Processors), ask for, retain, manage and use that data. So before we dig into how to become GDPR compliant, we need to understand what Personal Data is.
Personal Data (PD) is any information relating to an identified or identifiable natural person (the 'data subject'). It includes anything that might enable the identification of an individual, not only the usual and obvious identifiers such as name, date of birth and address, but also, for example, location data and online identifiers such as IP addresses and cookie IDs, which matters for anyone who keeps web server logs. This new definition is broader than
There are two ways to answer the question: by organization type, or by organization location.
GDPR applies to any organization, public or private, that collects, processes, stores, analyzes or shares the Personal Data of individuals in the EU; it does not apply to an individual's purely personal or household activity.
GDPR applies to everyone who does business in or with the EU, even if they are not established there: an organization outside the EU is covered as soon as it offers goods or services to, or monitors the behaviour of, individuals in the EU. That includes the UK, regardless of Brexit. EU
These are the key data protection principles that set out the main responsibilities for organizations.
Privacy by Design (PbD) means that all processes must be designed with privacy and data protection built in from the start, rather than bolted on as an afterthought. Its companion, data protection by default, means that out of the box a process handles only the Personal Data that is necessary for its specific purpose.
Organizations must take measures to protect the Personal Data they hold. For example, they should conduct data protection impact assessments (DPIAs), put technical safeguards in place, and make staff aware of their legal obligations.
Organizations also have an obligation to design their processes for external privacy. For example, they should publish Privacy Notices (PNs), practice data
Where consent is the lawful basis for collecting and using Personal Data, the GDPR insists that it be freely given, specific, informed and unambiguous: a clear affirmative act by the customer. Consent may not be assumed from silence, inactivity or pre-ticked boxes, and it must be as easy to withdraw as it was to give.
Organizations should collect only the information they need for a stated purpose and have a lawful basis for (such as specific customer authorization), and must discard it when it is no longer needed for that purpose.
The GDPR collates and strengthens the rights
Individuals have the right to request and receive a copy of the Personal Data an organization holds about them, together with an explanation of how it is used (the right of access). For data they provided themselves, where processing is based on consent or a contract, they can also demand it in a commonly used, machine-readable format (the right to data portability).
Organizations must ensure that they can delete data when requested (the right to erasure, or 'right to be forgotten').
Organizations must ensure that they can update, correct and complete data when requested (the right to rectification).
And organizations must ensure that they can stop processing Personal Data when
If an organization or business is not compliant, the EU has the right to penalize it with fines of up to €20 million or 4% of its annual global turnover, whichever is greater. Responsibility for compliance rests with the organization itself (the controller or processor); a Data Protection Officer (DPO), where one is appointed, advises on and monitors compliance but is not personally liable for it.
This section sets out what
Once organizations are clear about the scope of Personal Data, they need to document the nature and use of all the data they possess.
As well as the date and description of each piece of data, an audit addresses the following:
An audit also includes an organization's current procedures and policies on data.
Organizations also need clarity on with whom they share Personal Data: where does Personal Data go after it leaves the
Organizations need to map their data and information flows in order to assess their privacy risks and find unintended data uses. A data flow is any transfer of information from one location to another; for example, from inside to outside the EU, or from suppliers to customers.
A data flow map must identify and record all data items, storage formats, transfer methods and storage locations at each stage of the information lifecycle, and identify who is accountable for each.
Finally, an organization needs to draw up a plan on how they will implement the right technical and procedural safeguards, as well as determining their legal and regulatory obligations.
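The audit and mapping steps above describe what a data-flow register must record; the following is an added example, written for this edit and not part of the whitepaper or of any Netsparker product, of how such a register can be checked mechanically for the privacy risks the text names: transfers leaving the EEA, uses of data for a purpose the data subject was never told about, flows with no accountable owner, unencrypted transfer methods, and items kept past their documented retention period. The field names, the set of transfer methods treated as unencrypted, and the sample register are assumptions made up for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# EU member states plus the three EEA/EFTA states (Iceland, Liechtenstein, Norway).
# GDPR applies across the EEA, so only a flow leaving this set is a third-country transfer.
EEA = frozenset("""AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL
                   PL PT RO SK SI ES SE IS LI NO""".split())

# Transfer methods treated here as not encrypted in transit (an assumption of this example).
UNENCRYPTED_TRANSFER = frozenset({"FTP", "HTTP", "email attachment"})


@dataclass(frozen=True)
class DataFlow:
    """One row of the data-flow register: a data item moving between two locations."""
    item: str                     # the data item, e.g. "customer email"
    storage_format: str           # how it is held at the destination
    transfer_method: str          # how it moves, e.g. "HTTPS API", "SFTP"
    source_country: str           # ISO 3166-1 alpha-2 code of the origin
    dest_country: str             # ISO 3166-1 alpha-2 code of the destination
    purpose: str                  # the purpose this flow serves
    purposes_notified: frozenset  # purposes the data subject was told about
    owner: Optional[str]          # accountable person or team, None if unassigned
    collected_on: date            # when the item was collected
    retention_days: int           # documented retention period


def check_flow(flow: DataFlow, today: date) -> List[str]:
    """Return the privacy-risk findings for one flow (empty list if none)."""
    findings = []
    if flow.source_country in EEA and flow.dest_country not in EEA:
        findings.append("transfer outside the EEA: a transfer mechanism is required")
    if flow.purpose not in flow.purposes_notified:
        findings.append("unintended use: purpose %r was not notified to the data subject" % flow.purpose)
    if not flow.owner:
        findings.append("no accountable owner")
    if flow.transfer_method in UNENCRYPTED_TRANSFER:
        findings.append("unencrypted transfer method %r" % flow.transfer_method)
    if today > flow.collected_on + timedelta(days=flow.retention_days):
        findings.append("retention period exceeded: the item should have been discarded")
    return findings


def assess(register: List[DataFlow], today: date) -> dict:
    """Map each data item that has findings to its list of findings."""
    report = {}
    for flow in register:
        findings = check_flow(flow, today)
        if findings:
            report[flow.item] = findings
    return report


# Constructed sample register; names, countries and dates are illustrative only.
TODAY = date(2018, 5, 25)
SAMPLE_REGISTER = [
    DataFlow("order history", "PostgreSQL table", "HTTPS API", "DE", "IE",
             "order fulfilment", frozenset({"order fulfilment"}),
             "e-commerce team", date(2018, 1, 10), 365),
    DataFlow("customer email", "CSV export", "email attachment", "FR", "US",
             "marketing analytics", frozenset({"order fulfilment"}),
             None, date(2017, 11, 2), 730),
    DataFlow("support ticket", "SaaS helpdesk", "HTTPS API", "NL", "NL",
             "customer support", frozenset({"customer support"}),
             "support team", date(2017, 2, 1), 365),
]

if __name__ == "__main__":
    for item, findings in assess(SAMPLE_REGISTER, TODAY).items():
        print(item)
        for finding in findings:
            print("  -", finding)
```

Run against the sample register, the "order history" flow passes every check, "customer email" is flagged four times (third-country transfer, purpose not notified, no owner, unencrypted transfer) and "support ticket" only for an expired retention period. The purpose check is the one most audits miss: it is the mechanical form of "find unintended data uses", and it only works if the register records the purposes actually stated in the Privacy Notice rather than the purposes the team assumes.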
All decision makers and key staff need to be made aware of changes in the law, impact on their organization, potential compliance problems, timescales to compliance, new processes and resource implications.
Organizations can either add GDPR principles to their existing
With GDPR, organizations will also have to tell people the lawful basis for processing their data, data retention periods, and that individuals have a right to complain to the Information Commissioner's Office (ICO) if they think there is a problem with the way their data is handled.
A Data Protection Impact Assessment (DPIA) is required in situations where data processing is likely to result in high risk to the rights and freedoms of individuals.
A DPIA describes the processing and its purpose, including the information flows through and around an organization, assesses the risks to individuals and records the measures taken to address them. The ICO has a Code of Practice for conducting such assessments.
Public authorities, organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organizations whose core activities involve large-scale processing of special categories of data or of data on criminal convictions, have a further requirement: to appoint a Data Protection Officer (DPO).
For further information on the DPO, see Controller and processor (Section 4).
The GDPR requires organizations outside the EU that fall within its scope to designate, in writing, a representative within the EU, unless their processing is only occasional and unlikely to put individuals at risk.
A data breach is
In addition to a negative outcome for the person to which the data belongs,
Due to the
The year of mega data breaches was 2016, when a huge number of world-renowned businesses, such as LinkedIn and Yahoo, disclosed data breaches (in both of those cases the intrusions themselves dated from years earlier). We analyzed the most notorious data breaches of 2016 and found that:
To avoid a data breach like the cases mentioned above, keep all the software you use up to date, implement and operate proper technical controls (such as firewalls, IDS and IPS), protect stored Personal Data with the pseudonymisation and encryption that Article 32 of the GDPR explicitly names, and, most importantly of all, ensure that your web applications and web APIs are not vulnerable to attack.
Here is how Netsparker can help IT departments, security researchers
Once you are near the end of the road to GDPR compliance, request an audit. The data protection supervisory authority in your country can help you understand and meet the regulation, and some even carry out their own audits, which can save you a lot of money.
Any organization that suffers a Personal Data breach has further responsibilities, whether or not it put the recommendations we summarised above in place (though neglecting them will count against it when a regulator assesses a penalty). If the worst happens, you must:
Supervisory authorities may impose fines for such breaches. Further, individuals have the right to claim compensation for material or non-material damage arising from such data breaches and from other non-adherence to the legislation. They can also mandate a not-for-profit body to claim on their behalf, which could lead to collective actions.
The consequences of a Data Breach are serious. We have explained above how integrating the Netsparker web application security solution into your SDLC can help you get ahead of the GDPR legislation. Let us help you build secure web applications and web APIs so that the risk of a Data Breach is minimal and security is maximal.