The General Data Protection Regulation (GDPR) is a new European Union data protection regulation that – in May 2018 – will replace the current EU Data Protection Directive. The objective of the new regulation is to give citizens of the EU more control over how their personal data is collected and used. Significantly, it applies to every company that collects, maintains and processes the personal data of EU citizens, regardless of whether the company is located inside or outside of the European Union.
The General Data Protection Regulation expands the definition of personal data to include “online identifiers” such as cookies. Online identifiers, even if pseudonymous, are considered personal data by the regulation if the potential exists for an individual (or their IP address) to be identified from the cookie. Consequently, every company that does business with citizens of the EU – or that hosts a website accessible by citizens of the EU – will have to comply with the regulation or face stiff penalties.
Due to the volume of changes companies may have to make to their business practices, and the mechanisms they may have to implement in order to comply with the General Data Protection Regulation, industry leaders in online security are advising companies to prepare for the introduction of the regulation. By planning an “end-to-end data protection strategy” now, and evaluating the options available to implement that strategy, companies will be in a far more compliant position by May 2018.
The Definition of Personal Data under GDPR Has Been Expanded
The existing Data Protection Directive has a fairly substantial definition of personal data, covering any data relating to an “identifiable person” that can be used to identify that person. As well as the obvious details such as name, Social Security number, email address, etc., the Data Protection Directive includes factors specific to an individual’s physical, physiological, mental, economic, cultural or social identity.
As well as adding “online identifiers” to the definition of personal data, the General Data Protection Regulation includes location identifiers, genetic identifiers and biometric identifiers. The definition of personal data relating to an individual’s physical or mental health has also been expanded to include the provision of health services that may reveal information about the individual’s health status.
Although healthcare providers will likely have measures in place to protect healthcare-related data, the expanded definitions of personal data have implications for employers who maintain electronic copies of personnel records. The personnel records of EU citizens are classified as “sensitive” if they contain information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and health or sex life.
New Rules Regarding Consent and the Rights of Individuals
One of the reasons why industry leaders in online security are advising companies to prepare an “end-to-end data protection strategy” is that individuals will have more say about what data is collected about them, how it is used, and when it is deleted. The General Data Protection Regulation also introduces new guidelines on how an individual’s consent should be sought.
Under GDPR, companies will not only need a lawful reason for collecting personal data, but the personal data collected must be the minimum necessary to complete its intended task, and it must be deleted once the task is completed. Individuals must be told why their personal data is being collected before being asked to give their informed consent, and must be informed that they can withdraw their consent at any time.
Other rights of individuals include the right to request the source of any personal data held by the company for which informed consent was not given, the right to know the identities of third parties with whom their personal data is being shared, the right to request details and correct any erroneous data, and the right to have all personal data held by the company permanently deleted on request.
How to Comply with the General Data Protection Regulation
In order to comply with the General Data Protection Regulation, companies will have to review their existing systems for collecting, storing and processing personal data to ensure it is secure at all times. Risk assessments should be conducted, security measures implemented where necessary, and policies introduced to support new working practices, new technology or additional regulations enacted by individual EU member states.
Companies whose core activities are data collection, storage or processing have to engage a Data Protection Officer to oversee compliance. The main tasks of the Data Protection Officer are the independent supervision of a company’s compliance with the General Data Protection Regulation, advising the company about what security measures it needs to implement and overseeing staff dealing with personal data.
Data Protection Officers need to be suitably qualified, with expert knowledge of the General Data Protection Regulation and of how it applies in practice. From a practical perspective, Data Protection Officers should have a reasonable understanding of the company’s technical and organizational structure, and be familiar with its IT infrastructure and with the technology he or she recommends in order to avoid breaching the GDPR.
- Review existing systems.
- Conduct risk assessments.
- Implement security measures.
- Introduce supporting policies.
- Engage a Data Protection Officer.
The Cost of Breaching the General Data Protection Regulation
Compliance with the General Data Protection Regulation should be taken very seriously, as the cost of breaching the GDPR regulation can be substantial. Data Protection Authorities in each member state have the power to impose fines of €20 million or 4% of the company’s global turnover depending on the nature of the breach and the efforts the company had previously made to mitigate the risk of a breach.
Breaches can vary in significance from the failure to obtain an individual’s informed consent before collecting their personal data, to a large-scale exposure of personal data. Even when the exposure has been accidental, companies will face significant fines if they have not conducted a risk assessment and put mechanisms in place – and supported them with policies – to mitigate the risk of a breach.
Further sanctions – including criminal sanctions – may be imposed if a company has failed to comply with the breach notification requirements. These stipulate that a company must notify its national Data Protection Authority of a breach within seventy-two hours. Unless the breached data is encrypted, companies also have to inform the individual(s) whose data has been exposed. Individuals can bring civil action to recover compensation for any harm that results from a breach of their personal data.
How SpamTitan Helps Companies Comply with GDPR
SpamTitan offers companies a suite of tools that can accelerate compliance with the General Data Protection Regulation. These consist of our industry-leading anti-spam email solution “SpamTitan”, our Internet content filtering solution “WebTitan”, and our secure email archiving solution “ArcTitan” with its advanced search and retrieve capabilities.
SpamTitan’s advanced front-end mechanisms not only detect spam emails, but can prevent the delivery of phishing emails containing malicious URLs, and offer dual anti-virus protection from Bitdefender and Clam AV.
WebTitan is an advanced Internet content filtering solution that protects both fixed and wireless networks, and allows Data Protection Officers to implement multiple acceptable use policies by user, by user group or company-wide.
Secure email archiving from ArcTitan mitigates the risk of unauthorized data exposure from both outside and inside the company, and is a necessity for companies that request personal data via website submission forms.
Find Out More about GDPR Compliance with SpamTitan
Regardless of the industry sector your business operates in, it is likely to be impacted to some degree by the General Data Protection Regulation. Find out more about the measures your company may have to take to become GDPR compliant by contacting us and speaking with one of our Sales Engineers.
Further to the advice offered by industry leaders in online security, we are offering all companies the opportunity to evaluate SpamTitan, WebTitan and ArcTitan in their own environment with a thirty day free trial. For more information about this opportunity, and to start your free trial, contact us today.