GDPR
Let’s begin with the basis. What does GDPR stands for? It is the acronym for General Data Protection Regulation. It is a new set of rules implemented by the EU and will be effective from May 2018. The 25 of May to be accurate. It has been implemented on April of last year. It is the result of years and years of negotiations between cybersecurity experts, governative organizations and lawyers.
GDPR: a guide to understand it
We start giving you a few pills of what this regulation is. Basically, it is the new law concerning users data process and management. This regulation defines the rules, the model and the best practices for personal data protection. To be more accurate, we provide a brief description of personal data too. This definition gathers all the information related to a single individual, linked to his private and professional life. The range is pretty wide: we go from names to pictures, from e-mail addresses to bank account details.
GDPR: the players involved
There a lot of key features involved in this process. Let’s find out who they are and their role in this “game”.
- Data subject: he is the owner of the data. He must give a written consent to have his personal data gathered and processed.
- Controller: he is the owner of the processing operations. He takes on the risk for eventual data breaches.
- Processor: he is the responsible for the processing operations.
- Data Protection Officer (DPO): he is the responsible for data protection. He should advise the Controller in case of dangerous vulnerabilities.
- Supervisory Authority: the guarantor of personal data protection.
- European Data Protection Board (EDPB)
GDPR: duties and rights
There is a long list of duties for companies and users rights, in order to give a complete overview of the phenomenon we sum them up in two short lists.
Users rights:
- Be aware of the communications of his data: why and how are his data used?
- He must have a free access to all his gathered data. In addition, he must have the chance to transfer his data to other suppliers (data portability).
- Ask for modifications, cancellation and removal of his data. These operations must be possible with the same effort of the operation of giving the consent.
- Be informed in case of a personal data breach.
- He must be sure that all laws are enforced. Moreover, a special focus on the laws concerning data transfer outside the EU must be granted.
Companies duties:
- Prove the explicit consent given by the individual. Moreover, dispose of the data in a transparent and appropriate way.
- Save these data from accidental or illegal destruction and from their loss or modification. Moreover, companies must protect them from unauthorized access and divulgation.
- Prove their compliance to the regulations through governance measures. Basically, those measures include detailed documentation and continuous risk assessment.
- Notify within 72 hours any data breach.
GDPR: who’s involved and penalties
Who’s involved? Basically, all companies, in every country, that gather and manage personal data of EU citizens. Which are the penalties? It depends, up to $20 million or up to the 4% of annual global turnover. This leads to a series of simple yet necessary questions:
- Which data exist?
- How data are managed?
- Where are the data?
- Who can access the data?
- Which are the policies, procedures and security measures?
GDPR: steps to follow for compliance
Let’s split the process in 6 steps in order to semplify and give a clearer view.
- Assessment: run assessments in terms of organization, policy, process and technology.
- Risk analysis: analyse vulnerabilities and spot risks in terms of organization, policy, process and technology.
- Risk evaluation: implement proper measure for risk reduction, since there are NO MINIMUM STANDARDS.
- Implementation of proper measures: implement these measures in terms of organization, policy, process and technology.
- Training: train and sensitise the staff involved in data process.
- Periodic update: periodically run these activities on an annual basis.
GDPR: how can I protect my business?
In order to assure to your business the best tool available, Swascan developed a special cybersecurity platform. It is completely in Cloud, Pay per Use and SaaS. You can see for yourself in our brochure: Cybersecurity platform and have an in-depth look at our services. Our four services cover all the governance needs in terms of risk management and periodic assessment. Basically, if you need to understand the areas in which your efforts must focus, GDPR Self-Assessment, Vulnerability Assessment, Network Scan and Code Review are the right tools for you. Last but not least, don’t forget GDPR: our platform is 100% GDPR compliant ( Data Privacy infographic ).