The dangers of the new privacy regulations: How to protect yourself?
On May 25, 2018 the new European privacy regulation, the General Data Protection Regulation (GDPR), enters into force. The purpose of the GDPR is to better protect the data of European citizens. The new regulation arose from the 'Data Protection Directive' of 1995. There was much confusion about that directive, and new developments such as the cloud escaped the reach of the law.
The new regulation applies to companies in possession of personal data, but that turns out to be a broad notion. It includes 'any information about an identifiable individual', and that is not just a name, address, photograph and date of birth, but also account numbers, telephone numbers, or even an IP address. All of that information can lead back to a natural person and therefore also falls under the GDPR.
When in doubt, it is best to assume that you are dealing with personal data. Fines for violations can run up to 4% of your annual global sales. Even as a self-employed worker you cannot escape this regulation. The fines can amount to 20 million euros.
Among other things, the regulation emphasises:
- Transparency: communicate clearly about how you collect and process data.
- Data transfer: it must be possible to transfer personal data to another service, without difficulty, at the request of the person concerned.
- The right to be forgotten: personal data must be deleted upon request, including at third parties.
- Notification requirement in case of data breaches: if you fall victim to a data leak, you must report it within 72 hours to the Belgian Privacy Commission and, in severe cases, also to the affected individuals.
How do you become GDPR compliant?
Phase 1: make an inventory of what data you have and where it is located.
Phase 2: draw up procedures for how personal data are protected and processed.
This is not a simple task; it is therefore advisable to appoint someone responsible for it. Such a Data Protection Officer (DPO) is mandatory in some companies. The company's activities are the decisive factor: all organisations in the public sector and organisations that process personal data of a 'special category' (religious or health data, political affiliations ...) are obliged to appoint a DPO.
Placing your data in the cloud is not a free pass to escape your responsibilities. Cloud providers, too, must comply with the regulation's transparency requirements concerning data storage. If you store your data in a public cloud environment, the cloud provider cannot guarantee the physical location of that data. In that case, you do not comply with the privacy regulation. In a private cloud environment, the cloud provider does have control over the storage location. Yet you and your company always remain responsible for the processing of your data and for compliance with the law, not the cloud provider.
It should be clear that this regulation has a great impact on your organisation. Not only do you need to identify and catalogue the available data (which requires manpower), but you must also secure and protect them to the highest level (which requires IT investment), and in the event of a data leak a whole series of administrative and legal obligations arise (which requires a crisis plan drawn up with the help of specialists).
You have taken all precautions to become GDPR compliant, but something still goes wrong?
Are you the victim of ransomware, or have your clients' data been hacked? Then our IT Care policy steps in.
Speed is extremely important. IT Care primarily offers assistance in the event of an incident or a breach. As soon as you have identified either one, dial the emergency number, which is reachable 24/7. IT specialists guide you through the various steps during the first 48 hours so that you are able to return to work. You also receive support from specialist lawyers on the various steps and requirements of the reporting process. They work systematically: where do you have to report the leak? How do you inform the people concerned? Meanwhile, IT specialists locate the problem, remove the cause, ensure that the leak is closed and, if necessary, restore the data. IT Care provides assistance worldwide; after all, a claim follows the jurisdiction of the country in which it is submitted. Not only do we reimburse all costs incurred; liability claims for compensation and fines are also covered.
In addition to the dangers of the new privacy regulation, ICT Care also covers other cyber and ICT-related risks. Want more information? Ask for our ICT Care brochure or contact Door Cooreman.
Our advice: let specialists help you manage the risk of privacy and ICT incidents.