The GDPR is a comprehensive regulation aimed at protecting the privacy of EU citizens' information. The regulation was passed by the EU on May 25th, 2018 and it mandates standards for the transparency and protection of its citizens' data. This means that every international company holding any EU citizen's information must comply with this regulation or face hefty fines. Noncompliance with the regulation results in a fine of €4 million or 4% of the targeted company's global annual revenue, whichever is greater.
However draconian these fines may be, companies that observe compliance can rest easy about lawsuits and improve upon their existing networks. There are 7 major points where complying with this regulation differs drastically from traditional practice.
- Transparency: The data subject, in this case a citizen of the EU, is afforded the Right of Access. The data subject can therefore request and receive their information in a timely manner. This requires diligent organization on behalf of the data controller. At a moment's notice, data controllers must possess audit-readiness to track data effectively and demonstrate that nothing improper has occurred.
- Right to be Forgotten: This right gives the data subject the power to question the existence of their data and request its destruction. The data subject has never experienced such assertive rights. Data controllers will have to adapt their policies and the organization of their data to these measures.
- Privacy by Design: This mandate requires data controllers to have an internally-reviewed and recognized industry-grade standard for their protection technology, which varies widely by industry. Regulations like these demand that companies centralize cybersecurity. Without a central cybersecurity leader to manage a cybersecurity program, vulnerabilities will multiply rapidly.
- Legality of Consent: This mandate ensures that every data subject has willfully entered into an agreement with the data controller to facilitate the exchange of information. The changes force data collectors to proactively ask for consent in a clear, unambiguous form. In the past, a passive form of consent forced data subjects to search for an opt-out of the agreement. Consent will now have to pass through the lawyer's office or someone familiar with complying with this aspect of the regulation.
- Processing Activities: This rule requires an adequate log of how a data subject's information is processed. This must include how it is grouped, how it is affected, and the purpose of the processing. Failure to comply results in a €2 million fine or 2% of annual turnover. The costs of non-compliance can no longer be ignored as legislation imposes standards on industries well beyond some companies' current capabilities.
- Limited Hold on Data: This mandate outlines the measures that must be taken to eliminate data once it is deemed unusable. Retention policies, which vary between companies and industries, will determine how long data is kept and the justification for keeping it. Essentially, data cannot be held without a reason.
- Privacy Impact Assessments (PIA): PIAs demand a comprehensive report on how risk is managed during each stage of processing data subject information. The report maps out where and how data might become vulnerable and must be submitted to the proper authorities punctually. This centralization of cybersecurity raises the question of whether there should be a dedicated officer in charge of overseeing the cybersecurity front.
Domain5 provides diligent compliance advice for all data controllers subject to the GDPR. The team at Domain5 can consolidate vulnerabilities, guide cybersecurity reorganization, and provide audit-readiness. The GDPR also demands a degree of cybersecurity centralization, and Domain5 can fill that institutional void. CISO (Chief Information Security Officer)-as-a-service supports centralization by implementing an effective cybersecurity program aligned with any new compliance requirements. This service is tailored to organization-specific needs and is only active when necessary. Domain5 provides support that leverages the team's extensive experience with the specific needs of any given organization.