Note: This is the second of an ongoing series on GDPR. We’ll be preparing you all the way to May 2018 on topics like: Privacy Protection and Breach Notification, GDPR Compliance Strategies, GDPR Enforcement and Penalties, Potential GDPR Costs, GDPR Auditing and more. Subscribe using the button on the right and you’ll be updated when we post a new article.
As we continue to approach the date for compliance with the European Union’s (EU) General Data Protection Requirement (GDPR) (which is May 25, 2018) we would like to provide insight into two more topics: Privacy Protection and Breach Notification.
It is important to remember that the GDPR will apply to any company or organization that does business within the European Union (EU) or that maintains the private personal data of EU citizens. Most would agree that Privacy Protection and Breach Notification are already important areas of focus for a business. However, there may be more challenges and impacts on businesses and organizations than what initially comes to mind.
Privacy Protection is one of the primary goals of GDPR. Organizations simply MUST protect the privacy of consumers. As it pertains to citizenry of the EU, GDPR is there to bring these protections under enforcement legally. One concept supported by the GDPR that will impact most organizations is “Privacy by Design”.
Privacy Protection is nothing new. After all, no organization sets out to intentionally put the privacy of consumer data at risk. In the past, systems were designed and built first, and protections were put in place only after data breaches increased. Moving forward, organizations will need to adjust to “Privacy by Design”, meaning systems will have to be designed with the protection of user data privacy in mind from the initial stages of systems development. Data protection can no longer be an afterthought.
Some other concepts that will assist in Privacy Protection fall in line with the security concept of the “Principle of Least Privilege”. This aims to ensure that only the data absolutely necessary for processing is maintained, and that only the individuals who absolutely need the information are granted permissions to it.
A simple internet search for “Data Breach” will return many real-world and recent examples of data breaches. Under GDPR, data breach notification will have to be timely: there is a 72-hour notification requirement upon becoming aware of a breach. Organizations will be under even more pressure to continually monitor systems and data stores so that they become aware of a breach when it occurs.
One of the hardest things organizations have to do is determine the impact of a breach, i.e. what data was compromised and to what extent it could have affected consumers’ private information. In December 2016 Yahoo! reported it MAY have had more than 1 billion users affected by a data breach. Through further investigation, it was found that WELL OVER 1 billion users were affected. It was revealed that EVERY SINGLE USER ACCOUNT WAS COMPROMISED. And to top it off, the data breach actually happened in 2013! These are the situations the GDPR seeks to avoid through enforcement, by holding companies financially liable for such infractions.
Many of the tenets of the GDPR are not necessarily new. But when May 25, 2018 rolls around, adherence to GDPR will be paramount to business success. When it comes to Privacy Protection, organizations need to be prepared as they design new systems and follow the “Privacy by Design” concepts. Understanding the impact of any breaches and reporting them in a timely manner will hopefully minimize the financial impact of penalties assessed under the provisions of the GDPR. Simeio Solutions is here to help navigate the waters. Stay tuned to this series as we address other topics leading up to the date of enforcement.