The General Data Protection Regulation: Questions & Answers
The European Union's General Data Protection Regulation, or GDPR, has some Canadian and US companies so concerned about their compliance level that they have suspended the accounts of their EU customers. Yes, the rules and fines are not something to ignore, but they are not something to fear either. Many companies already comply with much of the regulation, while others may simply need to improve their data collection, breach response and security practices.
So what is GDPR requiring companies to do?
As of May 25, 2018, the GDPR places obligations on any company, wherever it is based, that collects or processes the personal data of individuals in the EU.
What’s got companies running scared?
The administrative fines for infringement are massive: up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements, and up to 10 million euros or 2% for the lower tier. Fines are meant to be proportionate, however. A supervisory authority weighs the nature and duration of the infringement, whether it was negligent or intentional, and whether you met your breach reporting obligations before deciding on a fine at all, so the maximum amounts are reserved for serious, sustained negligence with personal data.
How much effort would it take for Canadian companies to comply with the GDPR?
Well, many factors affect this effort, such as the type of industry, the data collected, how permission to collect the data is obtained and how the stored data is protected. For companies that already meet the requirements of Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), or the US Health Insurance Portability and Accountability Act (HIPAA), a good part of the work is done, because many of those requirements are consistent with the GDPR's provisions.
Where would I start if I need to determine if my company is compliant with the GDPR?
The best place to start is to read the GDPR itself. You should also consult with your security and privacy teams to identify where your organization collects and uses personal data and where the risks lie. Finally, consult with a GDPR expert and legal counsel to ensure you have all of your bases covered. Should you need website services to ensure your site is compliant, feel free to contact Straydog for a free assessment.
What are the most important requirements of GDPR?
The most important requirements are:
- Collect and use personal data only where you have a lawful basis for doing so. For most businesses that basis is the individual's consent, which must be sought in a clear and transparent manner.
- Use that data only for the purposes the individual agreed to. You must also give individuals a transparent way to withdraw consent and to have their data erased where there are no legal grounds for keeping it.
How can my company's data policy help to keep data secure?
The most secure data is data that you never collect or store. The GDPR requires that you collect only the personal data you need to perform the service or conduct the research agreed to by your customers, and that you keep it only for as long as you need it. If you're conducting a lot of research on individuals, ask yourself whether you really need to store their names, addresses or phone numbers. The more unnecessary data you collect, the greater your potential liability.
How can a company protect data it needs to store longer?
You should have a robust security program that makes it hard for intruders to reach your network, whether over the internet, over Wi-Fi or through the actions of your own users. Put a network firewall in place, then monitor and control incoming and outgoing traffic to identify and stop unusual or malicious activity. Restrict access to the data to staff who need it for their job, encrypt the data at rest and in transit, and use file integrity monitoring so that unexpected changes to stored data are noticed. Finally, train employees to protect the data in their care and to recognize scams and fraudulent links that might expose it to theft.
While passive controls give you a degree of protection, adding people who actively watch network traffic and alerts can make the difference between fending off a cyber attack and letting an attacker achieve their goals.