The media regularly reports on personal data leaks. There is even a site where you can check whether your data have been leaked. In September 2017, the news of Dropbox and Yahoo user data being leaked went viral. Both companies revealed the leak several months post factum, potentially endangering most of their user data. This issue has drawn increasing attention, and the new General Data Protection Regulation (GDPR) could rapidly decrease the number of data leaks; however, it is essential to understand the Regulation and meet GDPR compliance requirements.
Data protection remains a fundamental right of every natural person. The previous EU Directive was written in 1995, but with rapid technological advancements it has become ever more important to process and store natural person data correctly; this is the purpose of the new Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
The Regulation affects all 28 EU member states and all data controllers, including data controllers who do not physically reside in the EU but offer their products or services to EU data subjects. The main goals of the Regulation are to increase the control each EU data subject has over their data and to protect their data. A unified natural person data protection regulation in the entire EU will promote awareness about natural person data processing and storage. Additionally, it will end the numerous adaptations and corrections made to state laws and end the fragmented enforcement of data protection within the EU. Since the Regulation imposes identical requirements and concepts on all EU member states, it will prevent market distortions and work slowdowns in government institutions.
https://www.youtube.com/watch?v=l6XSCfGrBdE
GDPR requires significant changes to the current natural person data protection law in order to raise the level of personal data protection and give the data subject the rights and means to control how their data are processed. Now that practically every service involves data processing, the use of natural person data has become uncontrollable, which endangers both the data subject and the company processing the data. Rules regulating several key aspects of data processing will result in better personal data protection, which in turn will build the data subject's trust when they hand over their data for processing.
The data controller establishes the code of conduct for GDPR compliance, which includes the following:
GDPR does not prescribe specific technologies or products as GDPR compliance or data protection mechanisms; instead, it describes the reasoning to follow and provides suggestions regarding natural person data security. In order to protect data subject rights, the data controller considers the current state of the available technology, the implementation costs, the nature of the data processing and its scope, context and risks, and performs the required technical and organisational measures such as data anonymisation or data pseudonymisation. Encryption is another important mechanism: all data which can identify a natural person are encrypted, and data exchange is performed over encrypted protocols, e.g. SSL tunnels.
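As an added illustration (not from the original article) of what pseudonymisation means in practice: a keyed pseudonym replaces the direct identifier, the key is the "additional information" held separately from the data set, and an erasure request can still be honoured by recomputing the requester's pseudonym. The records, names and key below are constructed; the key would in reality come from a secrets store.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample records, as a data controller might hold them (not real data).
SAMPLE_RECORDS = [
    {"email": "anna@example.com", "purchase": "book", "amount": 12.0},
    {"email": "janis@example.com", "purchase": "pen", "amount": 2.5},
    {"email": "anna@example.com", "purchase": "lamp", "amount": 30.0},
]


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of an identifier: often mistaken for pseudonymisation."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). The key is the additional information that
    the Regulation requires to be kept separately from the pseudonymised data."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records: list, key: bytes) -> list:
    """Replace the direct identifier (email) by its pseudonym; other fields stay,
    so the data set remains usable and records of one subject still join."""
    out = []
    for rec in records:
        r = dict(rec)
        r["subject_id"] = pseudonymise(r.pop("email"), key)
        out.append(r)
    return out


def erase_subject(pseudo_records: list, email: str, key: bytes) -> list:
    """Honour an erasure request: recompute the requester's pseudonym with the
    separately held key and drop every matching record."""
    target = pseudonymise(email, key)
    return [r for r in pseudo_records if r["subject_id"] != target]


def guess_from_candidates(token: str, candidates: list, key: Optional[bytes] = None) -> Optional[str]:
    """Try to attribute a token to one of a list of plausible identifiers.
    A plain hash is re-identified this way; a keyed pseudonym is not unless the
    key is also available, which is what separates pseudonymisation from hashing."""
    for c in candidates:
        if (pseudonymise(c, key) if key is not None else plain_hash(c)) == token:
            return c
    return None
```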
Public institutions, companies specialising in processing and storing natural person data on a large scale, and companies with more than 250 employees are required by GDPR to appoint a person responsible for natural person data security in the institution/company.
This GDPR requirement gives the data subject the option to erase their own data, or to ask the data controller to erase them, when the data subject no longer wants their data to be stored and processed in a specific service. Of course, the request for data erasure can be denied if there are legal grounds for doing so.
If the data controller is located outside the EU but their company offers products and services to data subjects within the EU, as Yahoo and Dropbox do, then GDPR requirements apply to these companies. When the Regulation enters into force, all companies, regardless of their location, will face equal requirements, which in turn will lower market distortions.
The data controller will have to inform the respective authorities and all data subjects affected within 72 hours of a malicious break-in into a system, interference, or unsanctioned access to personal data.
The data controller will have to provide the user with the option to save their data in a commonly used, machine-readable format so that these data can be transmitted to another data controller.
The Regulation has specific conditions for children under the age of 16. The data controller will have to make sure that the guardian has given their consent to the processing of the child's personal data.
For legal persons the maximum GDPR administrative fine is 14 000 EUR, but the amount can change depending on aggravating or mitigating factors. After GDPR enters into force, the supervisory authorities will impose penalties, including administrative fines. The amount of an administrative GDPR fine will be up to 20 million EUR or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In the case of a minor infringement, or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.
To efficiently implement and oversee layered security you need a lot of human and time resources; therefore, we recommend considering cloud solutions. By using cloud solutions, you cover the first security layers.
You do not have to worry about:
Microsoft Azure cloud solutions fully comply with the requirements of the old natural person data protection directive and other security standards. How can you prepare for the General Data Protection Regulation? Download this free GDPR document package!
Madars Šmits, SQUALIO Cloud Solution Product Manager