General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679 entered into force on May 25, 2017, being generally binding for all companies operating across the European Union. Any legal entity of any size falls under the new GDPR regulation. As is also apparent from the name of the regulations the main aspect to be considered is the protection of personal data, including: name, address, email address, phone number, date of birth, IP address, political views , religious views, etc.
The fundamental principle of the regulation is transparency. All personal data processor must adopt the appropriate protection of such data. Another important principle is the express agreement by the person whose personal data is being processed, thus avoiding unsolicited commercial communications.
Fines for non-compliance with GDPR may reach up to 20 million euros or up to 4% of the global annual turnover of the previous Financial exercise, (the highest value)
- right to data access; li>
- right to rectify the data; li>
- right to delete the data (the right to be forgotten); li>
- right to restrict data; li>
- right to data portability; li>
- right to opposition li>
- right not to be subject to a decision based solely on automatic processing, including profiling; li>
- right to address the National Authority for Personal Data Processing and Justice; li>
What does the GDPR rule mean for your website?
The vast majority of websites collect personal data directly by registering / authenticating customer accounts, personalized product listings, contact forms, etc. or indirectly through cookies for statistics or analysis. In the latter case, site owners often ignore the fact that these statistics collect personal data. The most common example is Google Analytics, which collects many personal data like: location, address, age, gender, etc. Analysis systems can be set to anonymize personal data.
- Inform users about the contact details of the processor; li>
- Inform users about the type of personal data that is collected; li>
- Inform users about how they collect personal data
- Inform users about the purpose and the grounds for collecting personal data; li>
- informing about the period for which personal data is stored; li>
- Inform users regarding the transfer of personal data to third parties li>
- Inform users about countries where personal data is stored or transferred li>
- Inform users about the security of their data li>
- Inform Visitors / Customers about the rights they have; li>
- Inform users about any security breach that compromises the protection of their personal data; li>
- Receiving consent to process personal data, for commercial communications via e-mail / phone / text message / etc .; li>
What does the GDPR rule mean for your company?
The GDPR Regulation will require all companies to implement technical and organizational measures to ensure that GDPR requirements are met - "confidentiality by design" and "confidentiality by default". Companies must take into account data protection requirements from the incipient phase of any new technology, product or service that involves the processing of personal data (deliberately) and the application of appropriate data processing measures (confidentiality by default). GDPR calls for a number of measures that can help companies achieve these goals noting: the minimization of personal data processing, data encryption or anonymization, transparency in their functions and processing, allowing subjects to monitor how data is managed. These measures must be up to date.
The regulation requires organizations of all sizes to adopt a new set of processes and policies designed to give individuals greater control over their personal data records. Much of this provision will involve writing new processes and manuals, training staff and updating systems to adapt to these new procedures. Other steps involve practical steps, such as the use of encryption if data is exposed to any risk. A lost or stolen laptop or USB stick should not lead to a penalty if it has been encrypted with a validated product. One of the key principles of GDPR, as provided in Article 5, is to ensure the proper security of personal data. and, as mentioned in Article 32 - called Security of Processing - encryption is a suitable technical measure to achieve this. If encryption is used as a technical measure, it must provide the possibility of restoring data immediately after an incident, and the records must be kept to show that the systems are safe and recoverable. Also, the GDPR Regulation requires enterprises to notify the competent authority (and the data subjects, under certain conditions) of all data breaches, without undue delay, within 72 hours, unless it is unlikely that the data breach leads to a risk for individually targeted persons.
- Data security stored within the organization - the ability to encrypt files, folders, and mobile storage media in a standard way to ensure data security at the endpoint or server level. Li>
- Safe transit data - Full encryption option for removable drives and storage media, USB sticks and optical media to ensure data security in motion. Li>
- Securing mobile data in home-based work practices - Portable encryption on any USB storage device. li>
- Secure data transfer between locations - Outlook plug-in, clipboard encryption that is compatible with all mail clients, including webmail, as well as attachment-level encryption for any system. Encryption of optical media systems allows safe transfer of data stored on CDs or DVDs. Li>
- Blocking / limiting access to specific data - implementing and managing encryption for teams and complex workgroups li>
- Allowing access to secure data when needed - remote management for users through a secure internet connection. Li>
- Safe storage of personal data - encryption standards, industry-standard, trustworthy, approved and secured methods li>
- EU Reform on Data Protection Rules
- Regulation (EU) 2016/679 of the European Parliament and of the Council