The recent Cambridge Analytica and Facebook privacy breach scandal is the newest addition to several scandals that have raised a question on the way how the online data is being handled, leaving people helpless about the security of their online data. As a comeback, most of the internet giants are tight-lipped. However, the GDPR compliance will be a massive help to people in Europe to safeguard their privacy. The chief goal of the GDPR is to give the European citizens the control of their private data. Any business that accesses private data about EU residents’ states must abide by the GDPR, irrespective of their business’ geographic presence.
The declaration of an agreement to decide on GDPR ( General Data Protection Regulation) was made in December 2015 and the compliance deadline was set for May 2018 by the EU Parliament. According to the GDPR Portal, a website intended to educate the public, “Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it,” As per a survey conducted by PwC, around $1 million to $10 million is expected to be spent by around 68 percent of U.S.-based companies to meet the GDPR guidelines.
1. Data Protection Officer (DPO)
In the GDPR, Articles 37-39 necessitate a DPO for controlling compliance and liability issues. The data protection officer (DPO) should supervise an organization’s data safety policies and compliance strategies as well.
2. Edify Your Staff
Companies would need to devise a communication plan to educate their employees about GDPR. The person who handles statistics, Information officers and social media managers will need to be entirely apprised about the GDPR, as their role will be significant if the requirement for public information comes up.
3. Detection of a Breach of Personal Data
Under Article 33 of the GDPR, there is a precise & detailed procedure to comply with how to retort to a condition of data breach. Businesses are required to be ready for this vital requirement. The controlling authority should be notified within 72 hours of the breach and the following steps must be taken:
- Define the type of the data breach as well as the estimated quantity of data subjects and accounts affected.
- Communicate the contact of the DPO or other data security staff.
- Describe the possible results of the breach
- Describe the actions taken or planned to be taken, counting those to lessen its possible adversative effects.
4. An Assessment of Your Existing Data Security Structure
GDPR’s Article 30 necessitates all supervisors to document all the processing activities: the individual data stored, its source and with whom it’s shared. One approach to follow this guideline is to place in action a Security Information and Event Management (SIEM). The SIEM tool can notice suspicious actions and source IP addresses and other particulars. You can perform an audit and maintain an ongoing record to recognize where private data is stockpiled across your set-up.
5. Reorganization of Consents Strategy
Article 17 specifies to permanently remove any personal data under specified situations. These comprise the removal of consent by the subject, the information has been illegally handled, and the data subject objects to the use of their personal data and there are no other authentic grounds for continuing to process the data. If the information has been made public by the controller or processor, “reasonable steps” need to be taken to update other controllers and processors of the removal request.
6. Protection of Data of Children
The GDPR ensures special protection for personal data of children under the age of 16. When services are accessible directly to children, according to article 58, companies should ensure additional restrictions are in place to safeguard the usage of personal data of children. Language aimed right at children must be “in such a clear and plain language that the child can easily understand,” (Article 58) and consent is required from “the holder of parental responsibility over the child” for children under the age of 16 (Article 8), although Member States can lower this to 13 years.
7. Develop a Policy for Privacy and Data Protection
Article 35 of the GDPR requires data protection impact assessments (DPIAs), and it also necessitates businesses to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” This comprises consistent testing of the systems to ensure security controls are operative.
To Sum Up:
So, if you are one of the organizations that maintain data on EU residents, it is high time to ensure that your company has the suitable competencies to safeguard compliance with the diverse facets of the General Data Protection Regulation.