On 25th May 2018, the European Union's updated rules for the processing of personal data, established by the General Data Protection Regulation (GDPR), come into force.
All companies that process the sensitive data of citizens of European countries, whether inside or outside the EU, are required to comply with the requirements of this document. The new GDPR rules apply to all 28 EU countries and replace the existing laws on the protection of personal data in European countries.
K&C would like to help you adopt the best security measures to comply with the GDPR.
The new rules were developed in response to a dramatic increase in cyber attacks and are aimed at combating such attacks through the cooperation of state and commercial enterprises and organizations.
First of all, the regulation can now apply to companies outside the EU. The rules must be followed by any company that processes sensitive data to offer goods or services (including free ones) to the EU, or that monitors the behavior of citizens in the EU. Monitoring includes:
- tracking an EU resident on the Internet;
- using data processing techniques to profile individuals, their behavior, or their relation to anything.
An “offer of goods and services” in a particular EU country is deemed to take place when the company uses the language or currency that is common in that country.
Secondly, the rules require companies to obtain user consent for the processing of their sensitive data, and processing for different purposes requires separate consent. Consent must be freely given, informed, and specific, and it may be withdrawn at any time.
Thirdly, companies will need to keep records of operations on personal data (the type of data and the purposes it is processed for) and to conduct internal audits. All companies will have to create internal documents describing the measures to be taken in case the procedure for handling sensitive data is violated.
Fourth, companies should notify the regulatory authorities about any violations related to someone’s data within 72 hours and maintain an internal registry of breaches.
European lawyers note that companies that handle sensitive data will need to make a large number of changes to ensure that their activities comply with the new rules:
- develop new internal documents,
- perform an internal audit,
- review existing agreements with users,
- conduct training for personnel,
- appoint responsible persons in the company.
Yes, you do. Recall how attackers stole Uber’s considerable database with names, phone numbers and e-mail addresses of Uber customers. Although Uber paid the thieves $100,000 to destroy the data, no one guarantees that the information has been deleted and not sold to anyone else.
Meanwhile, if GDPR had been in effect, Uber would have been subject to a hefty fine: to be precise, up to EUR 20 million or 4% of annual turnover.
Other consequences are:
- loss of customers,
- limits imposed on your operations,
- customer complaints and demands for compensation.
When the GDPR comes into effect, we should be ready for serious changes. We may see a rapid increase in the number of incidents of data theft in the European Union. Such incidents have already occurred. The difference is that now we will know about them.
From the above, it follows that the problems of information security are becoming even more urgent.
Software and security updates should be a priority for all companies. Such cases as WannaCry or Equifax confirm this. Every day that passes without updating an affected system puts the entire company at risk, as well as the integrity of its data, including information about its customers.
We can follow these practices to achieve better results.
- Analyse everyday processes
To meet GDPR requirements effectively, companies should measure how they perform now versus their potential. This will clarify the areas for improvement. Auditing current and new processes and staffing will give a deeper understanding of the areas that have to be improved or changed altogether.
- Be ready for breaches
Staying informed about every risk that threatens your business gives you the opportunity to take the necessary pre-emptive action. Yet this is hard to achieve with native auditing, since the process is mostly manual and time-consuming. We therefore advise implementing an automated auditing solution in your IT environment (for further information, reach out to the K&C team).
- Introduce the newest technologies to bridge gaps
To achieve the best results for data security, auditing, and privacy, use only up-to-date technologies that can meet GDPR requirements. Appropriate technical safety measures, a thorough gap analysis, and a map of the process landscape will help detect weak spots.
Make sure to provide:
- detection of untrusted files,
- intelligent threat detection,
- tracking of certified admins.
It is of paramount importance that you define which user accounts are able to create, change, and access stored client data. An integrated audit analysis of the way data is stored, accessed, and managed must be performed on an ongoing basis. Multi-factor authentication is one of the best methods of controlling access to user registration details.
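One concrete form of the ongoing access review described above, as an added example rather than K&C's own tooling: given an inventory of accounts and the permissions each holds on the client-data store, it flags accounts that exceed the permission policy defined for their role, hold write access without multi-factor authentication, or have gone dormant while still holding permissions. The role policy, permission names and account records are constructed for illustration.

```python
"""Access review for a client-data store (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Privileges that alter stored client data; these require MFA in this review.
WRITE_PERMS = {"create", "change", "delete"}

# Assumed policy: which permissions each role may hold on client data.
ROLE_POLICY = {
    "admin": {"create", "change", "delete", "read"},
    "support": {"read"},
    "analyst": {"read"},
    "developer": {"create", "change"},
}

@dataclass
class Account:
    name: str
    role: str
    perms: set        # permissions actually granted on the client-data store
    mfa: bool         # multi-factor authentication enrolled
    last_login: date

def review(accounts, today, dormant_days=90):
    """Return {account name: [findings]}; an empty list means the account is clean."""
    findings = {}
    for a in accounts:
        issues = []
        excess = a.perms - ROLE_POLICY.get(a.role, set())
        if excess:
            issues.append(f"holds {sorted(excess)} beyond the '{a.role}' policy")
        if a.perms & WRITE_PERMS and not a.mfa:
            issues.append("write access to client data without MFA")
        if a.perms and today - a.last_login > timedelta(days=dormant_days):
            issues.append(f"dormant for more than {dormant_days} days but still privileged")
        findings[a.name] = issues
    return findings

# Constructed sample inventory; dates are illustrative.
TODAY = date(2018, 5, 25)
ACCOUNTS = [
    Account("alice", "admin", {"create", "change", "delete", "read"}, True, date(2018, 5, 24)),
    Account("bob", "support", {"read", "delete"}, False, date(2018, 5, 20)),
    Account("carol", "analyst", {"read"}, False, date(2018, 1, 3)),
    Account("dave", "developer", {"create", "change"}, False, date(2018, 5, 10)),
]

if __name__ == "__main__":
    for name, issues in review(ACCOUNTS, TODAY).items():
        print(name, "OK" if not issues else "; ".join(issues))
```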
“The adoption of GDPR is an indispensable step for every company that wants to stay afloat in Europe and move to a new level of service delivery in general. Now that K&C has already made the necessary cybersecurity changes to all its processes, we’re ready to help other enterprises and organizations minimize risks and comply with new rules.”
Michael Krusche, CEO at K&C