The General Data Protection Regulation – GDPR (Regulation No. 2016/679) was approved by the EU Parliament on April 14, 2016 and came into force 20 days after its publication in the Official Journal of the EU. As a Regulation it is directly applicable in all EU Member States two years after coming into force, i.e. from May 25th 2018, when the bodies, companies and organizations that do not comply will face heavy fines.
The General Data Protection Regulation replaces the EU Data Protection Directive 95/46/EC and aims (a) to harmonize data protection laws across Europe, (b) to protect and strengthen the privacy of EU citizens and (c) to reshape the way in which organizations active in the EU approach and manage personal data security. GDPR will also require much closer co-operation between the different independent authorities, such as the “Supervisory Authorities” or “Personal Data Protection Authorities”.
When does the GDPR apply?
The regulation applies in all EU Member States from May 25th, 2018.
Who does the GDPR affect?
GDPR affects all EU bodies, companies and organizations, whether private, public or state controlled, that maintain and manage personal data of EU citizens. Companies and organizations outside the EU that manage personal data of EU citizens are also affected.
What is considered personal data?
Any information related to a natural person, or “Data Subject”, that can be used to directly or indirectly identify that person is considered personal data. This can be anything from a name, a photo, an email address, bank details or posts on social networking websites to medical information or a computer’s IP address.
How is it applied?
From May 25th, 2018, bodies, companies and organizations operating within the EU must use appropriate security systems to protect the personal data they manage. Companies outside the EU that manage personal data of EU citizens must likewise comply by protecting that personal data with appropriate security systems.
What are the penalties for violations?
In case of a personal data breach, companies (a) must immediately inform their National Personal Data Protection Authority and their National Regulating Authority, and (b) will face fines of up to 4% of their annual turnover or 20 million Euro (whichever is greater).
Companies’ obligations under GDPR
A. Follow the basic data protection principles, namely:
- Collect personal data for a specific legitimate purpose and collect only the data that is necessary for achieving that purpose.
- Do not process them further in any way incompatible with that specific purpose.
- Keep them accurate and up to date.
- Store them for the minimum time period required.
- Obtain, case by case, the freely given and unambiguous consent of the individuals whose personal data are collected.
B. Transfer personal data to non-EU countries only under certain conditions.
C. Give partners access to the personal data managed only under controlled and secure conditions, and only if they demonstrate their own compliance.
D. Develop and use electronic, computerized procedures and tools so that individuals can, in a timely manner and free of charge:
- Withdraw their consent.
- Have access to their personal data.
- Correct their personal data.
- Delete their personal data.
- Restrict the processing of their personal data.
- Receive their personal data in electronic form.
- Transfer their personal data to another legal entity.
E. Notify and inform individuals appropriately and promptly about their rights regarding personal data protection and management.
F. Ensure the protection of personal data throughout its life cycle.
G. Keep records of any personal data breach and, within 72 hours, inform the National Personal Data Protection Authority and the affected individuals through direct communication and public announcements.
H. Be able to prove that they comply with all GDPR requirements.
At CubeIQ we have the tools, methods and processes to support any business that maintains and manages individuals’ personal data in becoming compliant with the General Data Protection Regulation 2016/679/EU:
- Data Encryption Systems and Hardware Security Modules – HSM.
- “Data at Rest” Protection: unstructured data, structured data, databases, disk and file protection & encryption, key management.
- “Data in Motion” Protection: network and WAN protection & encryption, Ethernet encryptors.
- Full PKI Environment Deployment, PKI Encryption & Decryption, Signatures and Certificates Generation & Authentication.
- Multi-Factor Authentication: physical OTP (time & event based) tokens, soft OTP, Out of Band – OOB OTP, mobile OTP and pattern based OTP.
- Digital Rights Management for Document Distribution, Adobe PDF, Microsoft Office Documents Protection.
- Physical & logical access control, physical access control with centralized management, and same-medium physical & logical access control with centralized management.
- Endpoint security, including clientless endpoint security for monitoring and enforcing security policy.
[Link] EU: www.eugdpr.org
[Doc] CMS Law: Are you ready for the GDPR? A Conference Report (RAR)
Related Directives and Regulations
EU Directive 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
For more information on CubeIQ solutions and services for GDPR compliance, please visit www.cubeiq.gr