In the age of the internet, privacy is a huge concern, and when a data breach occurs personal information gets lost and even stolen. It is not always known where this information winds up, but it is almost always in the hands of someone with malicious intent. In 2017 we saw many data breaches, Equifax being one of the largest. So when these breaches occur, how can we hold companies accountable for losing such precious information?
The European Commission aims to answer this question with the General Data Protection Regulation. Better known as the GDPR, the General Data Protection Regulation is a legal framework that sets guidelines for the collection and processing of the personal information of individuals living within the European Union.
The GDPR affects not only businesses located in the EU but also all foreign companies that hold any data belonging to individuals living within the EU. These companies must comply with the guidelines, ensure that an individual's personal and private information is stored with a high level of protection, and know exactly where this information is being kept.
The GDPR will officially go into effect on May 25, 2018.
Why is the GDPR being implemented?
Data breaches happen, and we have seen many major ones in the past few years. Yahoo! was hit in 2013, but the impact of the breach was not disclosed until this past year, when it was revealed that all Yahoo! users had been affected. When these breaches occur, hackers can do catastrophic damage to an individual if they obtain email addresses, birth dates, social security numbers, mailing addresses and bank account information.
When can companies process an individual's data?
- The data subject has given consent to the processing of personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular if the data subject is a child.
What happens if a breach occurs?
Once the GDPR goes into effect, all organizations that process data on a large scale must appoint a Data Protection Officer, while smaller organizations must abide by the laws set by the GDPR legislation.
Under Articles 33 and 34 of the GDPR, data controllers and processors are under a legal obligation to notify the authorities within 72 hours of any breach that risks individuals' rights and freedoms.
If a company fails to comply with the new regulations, it faces a hefty fine. Fines will vary depending on the severity of the data breach and how the company handled the aftermath. The maximum fine for failure to comply is 20 million euros or 4% of annual profit, whichever is greater, and the minimum is 10 million euros or 2% of annual profit, whichever is greater.
The GDPR brings a huge benefit to citizens of the EU: notification of breaches as soon as they happen. This will allow individuals to react quickly to any threats they may face from hackers and proactively prevent major damage to their personal information.
To prepare your company for the General Data Protection Regulation before May 25, 2018, visit the EU's GDPR home page for the complete legislation and guidelines.