The European Union’s General Data Protection Regulation (GDPR) introduces heavy fines for companies and organisations that lose data or don’t take sensible precautions, such as encrypting their customers’ personal data. Mirror legislation for personal data protection is being introduced into the UK due to the country’s planned exit from the European Union in 2019.
The EU GDPR is a statutory obligation upon data processors and entered into effect during May 2018.
“The central thrust is about all organisations having to safeguard and protect personal data, and, indeed, get permission to hold and use such data in the first place,” said Richard Bingley, Chief Executive of the UK Global Cyber Academy, which runs EU GDPR courses.
Mr Bingley added: “It’s a game-changer. People’s personal data is hugely significant in terms of financial value and the personal safety of individuals. This regulation is about redressing the balance of power of data ownership back to the citizen. Organisations playing fast and loose with personal data will face tough sanctions.”
Qualifi have teamed up with the UK Global Cyber Academy to provide dedicated EU GDPR courses, and modules dedicated to EU GDPR and Data Security within their Level 2, 3 and 4 Cyber Security Diplomas.
See: qualifi-international.com and globalcyberacademy.com
Or email: EUGDPR@globalcyberacademy.com
EU GDPR profoundly impacts all companies and countries that trade with EU-based citizens, or hold data about them, regardless of whether such companies are themselves based within the EU. Within the EU, individual member states’ information commissioners (or equivalents) will enforce compliance.
According to the UK law firm Pinsent Masons:
“A two-tiered sanctions regime will apply. Breaches of some provisions by businesses, which law makers have deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs. For other breaches, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover, whichever is greater.
Important provisions on data security are contained under Articles 5 and 32 of the Regulation.
Article 5 sets out basic rules on personal data processing which only apply to data controllers, considered to be fundamental to data protection. One of those rules requires data controllers to ensure that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. This could involve deploying data encryption techniques, Data Loss Prevention Software, stronger authentication procedures, extra physical security layers, and regular review and monitoring of end-users, network traffic and security controls. Staff awareness and competency training will also be critical here for all data owners, custodians and users.
In contrast, if data processors breach their statutory data security obligations, set out under Article 32, which requires them to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” of their personal data processing, then the most they could be fined is up to €10m or 2% of global annual turnover.
Data controllers are also subject to the Article 32 obligations. It therefore appears open to national data protection authorities to fine data controllers for any data security failings under Article 5 or Article 32 (4).”
However, don’t forget other important data protection laws:
Businesses and business people producing and handling customer data, including financial information, .
USA – Health Insurance Portability and Accountability Act (HIPAA) Security Rule: https://www.nist.gov/healthcare/security/hipaa-security-rule
USA – Security Breach Notification Laws: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
Payment Card Industry Data Security Standard (PCI DSS): https://www.pcisecuritystandards.org/
Further details: www.globalcyberacademy.com or EUGDPR@globalcyberacademy.com