Does your business have the potential to withstand a fine of 20 million Euros or 4% of your annual global revenue?
Yes, the higher of the two values would be the fine for a GDPR violation!
Let’s discuss in detail what GDPR is and the consequences or penalties for a GDPR violation.
GDPR, the General Data Protection Regulation, is a law that applies to every business that handles the personal data of people residing in the European Union (EU) and the European Economic Area (EEA), and it has changed the way customer data is collected, stored and processed. It aims to give organizations a regulatory framework of policies and procedures to protect the data of EU citizens while keeping an environment in which business can operate, so that both citizens and organizations get the full benefit.
According to TrustArc research, more than 27% of companies are yet to begin work on becoming GDPR compliant.
Why is data privacy so important?
All companies hold sensitive data: financial transactions, personal files and documents, product information and customer data. If this data gets into the wrong hands, it can be leaked or misused and put both you and your customers in trouble. This data is the most vulnerable asset of your organization, so its safety should be the highest priority.
How does a data breach happen?
The Internet has dramatically changed our lifestyle, from how we handle our daily tasks to how we deal with our official and financial information. We share photos, files and documents, pay bills, make financial transactions and purchase goods by providing our personal and financial details online without giving it a second thought. Have we ever stopped to question what happens to the data we have shared?
You are told that your data is being collected to serve you better: to optimize the user interface and offer you a more relevant and better customer experience.
But is that the only reason for data collection? What happens to your data?
Let’s take an instance from our daily lives. You bought a few things online from a most reputed retail vendor. You check out the items, and because you are a regular shopper, your details such as address, phone number and credit card details are already stored in the application. So you click three times, enter the code, and your purchase is made in a jiffy.
How simple and easy life can be, right?
Just like you, eight million European customers were blindsided by the security risks that technology and a world connected to the Internet can bring.
Who knew that an online retail giant could leave unsecured customer records on the company’s web service for anyone to find and misuse?
A total of eight million records were collected via the marketplace. The records included names, phone numbers, email addresses, shipping addresses, order IDs, items purchased and credit card details of the customers, all of which were exposed on the website.
So, a breach on the retail giant’s website? Is it true?
The retail company, however, blamed it on an accidental technical glitch and brushed it under the carpet with a simple “It happens!”
Well, irrespective of whether it was an accident or a data breach of its website, enterprises must be more responsible with their customers’ data.
In May 2018, the EU came to the rescue of the people and launched the General Data Protection Regulation (GDPR).
Why is it important to include GDPR in GRC?
GDPR adds an extra layer of rules and regulations that must be followed by every company that does business with the EU, including one whose only contact with a European customer is providing a service. Ensure that the GDPR rules are followed; if not, it is a disaster waiting to happen for an organization. The consequence is not just the large fine to be paid but also damage to your company’s reputation, so serious that it can drag down even the big players.
Top 10 checklist items for GDPR
1. Raise Awareness
The regulation came into effect on 25 May 2018, and compliance has been mandatory from that date. All employees, whether general administrators, decision-makers, sales and marketing executives, IT or HR managers, must be aware of what GDPR is, what it requires and what its implications are.
2. Analysis of personal data
Make a list of all the data that you store and document the answers to the following questions:
- What is the purpose of storing the data?
- What is the source of the data?
- For what reason are you collecting this data?
- How long will you store it?
- Is your system secure enough to store this data?
- Is the data encrypted?
- Is your data accessible to third parties?
- Will you share this data with third parties? If yes, what is the purpose of sharing it?
3. Update your privacy notice
Businesses are required to provide certain information to individuals about how the information they collect is used. Companies should incorporate mechanisms and design new systems and processes that ensure privacy and protection by default. Privacy notices should be reviewed and updated regularly.
4. Review procedures
Ensure that you have a suitable privacy policy and procedures in place so that you can comply. Review the policy to ensure that users’ rights are accounted for. The review will also help you update contracts, users’ terms and conditions and other protection policies so that they are compliant with GDPR.
5. Ensure appropriate access rights
Make a list of who will be granted rights and what those access rights will be. Then put them together and make a plan for how a change in access rights should be handled, to ensure the safety and privacy of users’ data; if you refuse an access request, you need to be able to demonstrate policies and procedures that meet these criteria.
6. Customer Consent
You will need to make sure your users have given full authorization to use and process their data in the way your privacy policy defines. You need to keep clear records of the users’ data that is acquired, stored and processed. Users must be allowed to withdraw their consent at any moment.
7. Review children’s data
GDPR gives special protection to children’s data. If you process their data, you need to verify the data subject’s age before processing. If the data belongs to a child under the age of 16, their guardian’s authorization to process the data is required.
8. Data Breaches
It is best to have infrastructure in place for handling data breaches that can detect and investigate any breach that occurs. If there is a data breach, the user should be informed within 72 hours of identifying the breach; failure to report a breach is a violation of GDPR rules and could result in a fine.
9. Data Protection Officer
Under the European Union GDPR, an organization that does significant processing of its users’ personal data must appoint a DPO. Once assigned, the DPO is responsible for implementing data protection policies, advising the company on compliance with GDPR requirements, ensuring all members are trained to comply with GDPR policies, and dealing with their inquiries.
10. Regularly check for updates
GDPR is still finalizing some details, and there are monthly updates on its website. We advise you to check it regularly for up-to-date details. Under GDPR, rights are modified depending on the legal and environmental basis.
While the above list serves as a handful of practices to consider for becoming GDPR compliant, it is important to take these requirements and their implications seriously. If you want more visibility and control over the data you store, its access and its security with respect to GDPR and other global privacy laws, you need a data security platform: a system with a continuous governance framework to ensure that the data is duly protected and secure from any internal or external threat.
Associate Director, heads the Data Security & Privacy Practice at Happiest Minds Technologies and comes with over 13 years of experience in the Enterprise Security domain. Her expertise spans Identity & Access Management, Access Management & Governance, and Data Security & Global Privacy laws across multiple industry sectors. She has hands-on experience across various tools in IDAM, Data Discovery & Classification, DLP & CASB, and Data Encryption & Masking.
Shubhi’s current work profile involves assessing and consulting new-age digital customers on their data protection landscape and recommending and planning the deployment of next-gen data security solutions for them.
She has been crucial in designing and implementing comprehensive data protection solutions, as well as leading GDPR & CCPA assessments, for some of these enterprises.