GDPR requires all businesses (inside and outside the European Union) that handle EU citizens’ data to protect that data and the individuals’ privacy for transactions that occur within EU member states. Non-compliance will result in hefty penalties. The regulation will set a new norm for consumer rights but, initially, it will be challenging for companies to put the required systems and processes in place to conform. Compliance will place new expectations on security teams, as the regulation takes a wide view of what constitutes personally identifiable information in order to protect citizens’ data. This article will attempt to answer some questions you may have about the GDPR.
Why has GDPR been proposed?
There are primarily two reasons why GDPR has been proposed. Firstly, the EU’s data protection legislation is old, having been implemented in 1995. The EU has evolved since then and become more complex. The 1995 legislation does ensure an individual’s fundamental right to data protection; the problem was that each Member State had its own way of implementing it, leading to complexity, legal uncertainty and administrative costs.
Secondly, when the current legislation was introduced, many of today’s online services and the associated challenges did not exist. Social networking sites, cloud computing, mobile devices, smart cards and other technologies have led to the growth of personal data. The GDPR is an attempt to update current privacy laws to keep in line with these advances in technology.
How will GDPR change things?
The GDPR reinforces individuals’ rights, strengthens the EU internal market, ensures stronger rule enforcement, streamlines transnational transfers of personal data and sets new global data protection standards.
The new regulation will give people more control over their data and make it easier to access it. It will ensure that people’s personal information is protected irrespective of where it is sent, stored or processed – even outside the EU.
What are the benefits to you?
GDPR will strengthen citizens’ rights and build trust. It has the following provisions:
- Right to be forgotten: When someone no longer wants their data to be processed or retained, and if there are no legitimate reasons for retaining it, the data will be deleted to protect the privacy of individuals.
- More information about your data: People will have more information on how their data is being handled. Right to data portability will ensure that people can easily transmit their data between service providers.
- Full transparency in data handling: Companies must notify the national supervisory authority and the affected individuals of data breaches as soon as possible, so that users can take appropriate measures.
- Data protection by design and by default: Data protection safeguards will be included at the early stage of products and services development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.
How will the “Right to Erasure” work?
Whilst not providing a complete “Right to be Forgotten,” this principle dictates that anyone can ask for their data to be erased if there is no convincing reason for a business to keep it.
The “Right to Erasure” states that, under certain conditions, a person can submit a request to the data controller to delete their data. The right to erasure applies when:
- The personal data is no longer necessary for the purpose for which it was originally collected.
- The individual explicitly withdraws consent to processing (and there is no other justification or legitimate interest for continued processing).
- The personal data has been unlawfully processed, in breach of the GDPR.
- The data must be erased for the controller to comply with a legal obligation (for example, deletion of a certain data set after a particular period).
If any of these conditions are met, the data controller will have to delete the data within a month (unless specific conditions apply).
Is there any protection for minors?
Yes, the regulation states that minors’ data should be specifically protected, as minors cannot be expected to be aware of the risks, penalties, precautions and the scope of their rights. The regulation expects that consent for processing a child’s data must be given or authorized by the person holding parental responsibility for the child. The provision aims to protect children from unwittingly sharing personal data without fully realizing the consequences. When it comes to counseling services offered directly to a child, parental consent should not be a necessity.
What are benefits and drawbacks of GDPR for businesses?
Benefits of GDPR for businesses:
- One law for the entire EU: A single, Europe-wide data protection law that will replace the current inconsistent national laws. Instead of dealing with 28 different laws, companies will deal with just one.
- A single window for businesses: It will be simpler and cheaper for companies to do business in the EU, as they will only have to deal with a single supervisory authority instead of twenty-eight.
- The same rules for all companies: After the GDPR comes into effect, even companies based outside Europe will have to follow the same standards when they offer goods or services on the EU market. This will create a consistent business environment.
Drawbacks of GDPR for businesses:
As far as the disadvantages are concerned, companies may initially have to update their policies and business processes, leading to increased costs for a short period. However, in the long run, the benefits will far outweigh the initial cost.
What effect will GDPR have on Britain after Brexit?
As already mentioned in this article, the GDPR will apply both to EU-based companies and to companies outside the EU that deal with the data of EU citizens. Even after Brexit, companies in the UK will have to comply with the GDPR if they process EU citizens’ data.
There are two reasons for this. Firstly, there will be an overlapping period between the GDPR coming into effect and the UK exiting the EU; the UK will have to comply with the regulation while it is still a part of the EU. Secondly, the GDPR has the extraterritorial reach explained earlier. Hence, UK companies doing business with the EU or processing the data of EU citizens will have to comply with the regulation even after leaving.
How can auditing help both businesses and citizens?
Under the GDPR, businesses will have to ensure data security and fulfill breach response obligations. Organizations running Active Directory can meet these requirements by auditing Active Directory, file servers, SQL Servers, SharePoint Servers, Exchange Servers and similar server components. Proper auditing not only fulfills the organization’s obligations; it also helps ensure that data subjects’ data is secure and safe from leaks and breaches.
However, the native auditing methods for doing this can be complicated and time-consuming. Collating information from servers spread across the entire network is also a complicated task. Retrieving information through scripts can be difficult, and in many cases systems hang while running scripts when there are gigabytes of logs to read.
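As an added illustration of the point above (this is example code written for this article, not Lepide’s product or a script from the original page), the following PowerShell collects a bounded, filtered slice of Windows Security-log events from several servers instead of reading whole logs into memory. The server names are placeholders; it assumes Windows audit policy already records these event IDs, and that the caller has remote read access to each host’s Security log.

```powershell
# Added example: collect account and object-access audit events from
# several Windows servers for the last 24 hours, using server-side
# filtering so multi-gigabyte Security logs are never loaded wholesale.
# Assumptions: WinRM/RPC reachability, read access to the Security log,
# and an Advanced Audit Policy that produces the events listed below.
# Host names are placeholders, not real servers.

function Get-AuditSlice {
    param(
        [string[]]$Servers   = @('DC01.example.local', 'FS01.example.local'),
        [int]$Hours          = 24,
        [int]$MaxPerServer   = 5000
    )

    # Windows Security event IDs:
    #   4720 user account created        4726 user account deleted
    #   4728/4732/4756 member added to a security-enabled group
    #   4663 object access (requires a SACL on the audited folder/key)
    $eventIds = 4720, 4726, 4728, 4732, 4756, 4663

    # FilterHashtable is evaluated by the Event Log service on the remote
    # host, so only matching records cross the network.
    $filter = @{
        LogName   = 'Security'
        Id        = $eventIds
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    foreach ($server in $Servers) {
        try {
            Get-WinEvent -ComputerName $server -FilterHashtable $filter `
                         -MaxEvents $MaxPerServer -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Server  = $server
                        Time    = $_.TimeCreated
                        EventId = $_.Id
                        # First line of the rendered message is a short summary
                        Summary = ($_.Message -split "`r?`n")[0]
                    }
                }
        }
        catch {
            # Get-WinEvent raises an error when no events match, as well as
            # on RPC/WinRM failures; record the host and keep going.
            Write-Warning "$server : $($_.Exception.Message)"
        }
    }
}

# Collect, summarize by event ID, and keep a CSV as an audit artifact.
$events = Get-AuditSlice
$events | Group-Object EventId | Select-Object Name, Count | Format-Table -AutoSize
$events | Sort-Object Time | Export-Csv -Path '.\ad-audit-last24h.csv' -NoTypeInformation
```

The bounded time window and -MaxEvents cap are what keep the script from hanging on large logs; raising the window or the cap trades completeness against memory and runtime. Object-access events (4663) only appear for folders or objects that carry an audit SACL, so the output is only as complete as the audit policy behind it.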
How can LepideAuditor help?
LepideAuditor has numerous predefined audit reports which can help you to meet the IT-related requirements of the GDPR. You can easily retrieve the required information, as the product generates one record for every change. You can apply advanced filtering, sorting, searching and other functions to the reports, and you can schedule them to be delivered at predefined intervals via email.