What does GDPR stand for?
GDPR stands for General Data Protection Legislation. This is a European Union (EU) law that came into force on May 25, 2018. The GDPR governs how we use, process, and store personal data (information about an identifiable living person). It applies to all organizations within the European Union, as well as those that provide goods or services to the European Union or monitor EU citizens.
Therefore,Businesses and organizations must have a clear understanding of what GDPR means。It is a legislative force established to protect the fundamental rights of data subjects whose personal information and sensitive data are stored in an organization. Data subjects now have the right to request access to their personal information and the right to request that the organization destroy their personal information.
These regulations will affect most sectors in business, from marketing to medical services. Therefore, in order to avoid hefty fines from the Information Commissioner's Office (ICO), it is essential to comply with the GDPR.
GDPR Key Principles
Legal, transparent and fairUse the data only for the specific legitimate purposes for which it was obtained, the most lenient of which is legitimate interestsWhy is GDPR important?Get only the data we strictly need
Make sure that any data we have is accurate
Storage limits
Integrity and confidentiality
Accountability
First of all,The GDPR is important because it provides a set of rules that all EU organizations must follow, thus leveling the playing field for businessesand make data transfer between EU countries faster and more transparent. It also empowers EU citizens by giving them more control over how their personal data is used.
Before introducing the new GDPR legislation, the European Commission found that only 15% of citizens felt they had full control over the information they provided online. With public trust so low, it's clear that consumer habits will eventually suffer. Measures to rebuild this confidence through the introduction and proper implementation of the GDPR are expected to increase**.
It is important to thoroughly implement data protection policies and employee education, as non-compliance can lead to data breaches. In the event of a serious data breach, the Information Commissioner's Office (ICO) can impose a fine of up to 4% of annual turnover or a fine of €20 million, whichever is higher. Data protection training is a must to reduce the risk of data breaches.
Who does the GDPR apply to?
The General Data Protection Regulation (GDPR) regulates how personal data is collected and processed in the European Union (EU). Personal data is defined as any information relating to an identified or identifiable living person.
The GDPR applies to any person or organization within the European Union that processes personal data. According to the GDPR, countries outside the EU that process personal data are referred to as "third countries". They may have their own data protection legislation.
However, GDPR must be adhered to in the following cases
When providing goods and services to the European Union.How to learn fullyLearn about EU privacy compliance laws?LearnCIPP E courseIt focuses on the practical application of privacy laws and regulations, and understands the knowledge and assessment of European data protection and European regulators.When processing data concerning citizens residing in the territory of the European Union.
Key aspects of the GDPR
The GDPR replaces the 1995 Data Protection Directive, which sets out minimum requirements for data protection across Europe. Prior to 2018, this gentle approach to data protection led to a series of data breaches and scandals that resulted in the personal information of data subjects being compromised. The changes in the GDPR will now provide better protection for the fundamental rights of data subjects.
Extended Jurisdiction
The GDPR now applies to any organization that processes the personal data of EU data subjects. This means that the GDPR applies to organizations large and small both inside and outside the EU.
Agreed
Strictly focusing on consent, it must be specific and unambiguous.
Right of Access
Data subjects can make subject access requests to view their personal information, and organizations must comply.
The right to be forgotten
The data subject may request that the data controller destroy his or her personal information.
Data Protection Officer
Data controllers should now have a DPO on their team to ensure that data assurance regulations are adhered to.
Penalties
ICOs can now impose harsher penalties for data breaches, including fines of up to €20 million for organizations or 4% of the organization's global turnover, whichever is greater.
Why do you need GDPR?
Society is now more data-driven than ever, so the sheer volume of sensitive data stored on computers has led to an increase in cyberattacks and data breaches.
Phishing emails
Phishing is the use of scam emails by cybercriminals to infiltrate personal information, and even one of the main ways to change bank details and account details. Due to the prevalence of such cyberattacks, the GDPR is essential to prevent such attacks from happening frequently.
Organizations need to be aware of emails that may contain viruses to protect the company's IT network. If the virus successfully infiltrates the organization's hard drive, then the personal information of customers and employees will be compromised and a data breach will occur.
Organizations should implement email encryption so that cyber hackers can't infiltrate the personal information contained in the emails.
Data controllers can use secure email gateways to prevent emails containing malware, phishing attacks, or spam from reaching the organization.
Therefore, in order to comply with GDPR, organizations need organizations to install a secure email gateway to monitor their emails.
Office 365 and GDPR
Many organizations and businesses use Office 365's software to store important information, such as those that contain employee personal and sensitive data, business contracts, and annual audits. Therefore, Office 365 is responsible for ensuring that this data is protected.
Office 365 uses cloud software, so up to 85% of businesses store data in the cloud. Even though this data is stored in the cloud, Office 365 still needs to maintain GDPR compliance.
That's why Office 365 leverages automatic labeling policies and intelligent content search to help you find personal information easily. As a result, Office 365 has demonstrated its GDPR compliance by ensuring that personal data is transparent and easy to find.
End User Consent
When it comes to processing personal data, the GDPR imposes stricter controls on the consent of end users.
The GDPR's position is that data subjects must be informed about the processes that will be used to store their personal data.
Subsequently, the data controller is obliged to provide the data subject with the processing of personal data. Users can terminate their consent once they believe that their personal information is no longer needed by the data controller, or that the personal information may be compromised.
Two-factor authentication
Article 32 of the GDPR stipulates that organizations shall take technical measures to protect personal information, such as through two-factor message authentication. This two-factor message authentication should be applied to systems that handle personal information, such as mobile devices that should be encrypted.
The GDPR should not intimidate organizations because if regulations and safeguards are clearly implemented, there should be no problems, and there is no reason for ICOs to get involved.
Will GDPR replace DPA?
The Data Protection Act 1998** (DPA) was superseded by the European Union's (EU) General Data Protection Regulation (GDPR) on May 25, 2018.
Prior to 25 May 2018, the applicable UK data protection legislation was Data Protection** (DPA) In 1998. As computers became more common in businesses, DPA was introduced at the end of the 20th century.
However, by 2018, the DPA is undoubtedly obsolete and no longer reflects the digital technology age we live in.
For example, a large proportion of the population in the UK uses social networking**, many of us own more than one digital device (mobile phone, tablet, laptop), and almost all businesses rely on computer networks.
The digital world we live in has changed the way we process information, and the laws have been updated accordingly.
How to comply with GDPR?
In order to comply with the GDPR, you must first understand the rights granted to individuals by legislation. They are as follows:
The right to know how to process your data.Then,Organizations must determine their role in the data flow, such as whether they are a data controller or a data processor? The data controller determines why and for what purposes the personal data is used. A data processor is an individual or company that processes personal data on behalf of a data controller.The right to access that data.
The right to rectification of inaccurate data.
Right to erasure of data.
The right to restrict the processing of personal data.
Right to data portability – This means that as a business, you need to set up a system through which you can quickly and easily compile all the personal data you hold about individuals and make it securely accessible to them.
The right to object to the processing of your data.
Rights in relation to automated decision-making, including processing.
While data controllers retain the ultimate responsibility for protecting their data, data processors must also comply with the GDPR when processing and storing personal data. The data controller shall draft a written contract agreeing to the compliance of its processors with its data policy and ensure that all third parties sign the contract.
In accordance with the GDPR, the processing of personal data is determined
The legal basis is very important. Acceptable reasons are:
Agreed
Contracts
Legal Obligation
Vital interests
Public tasks
Legitimate Interests
When processing special categories of data, sensitive personal information, there are different grounds for lawful use of such data. Processing requires both a lawful basis and a special category of conditions.
The GDPR requires some organizations to appoint a Data Protection Officer (DPO). The DPO is no longer involved in the day-to-day processing activities of the organization, but is responsible for ensuring GDPR compliance.
You must appoint one if: you are a public body; Conduct regular large-scale monitoring of individuals as a core activity; Large-scale processing of special categories of data or information for criminalized offences as a core activity.
If processing activities are likely to pose a high risk to individuals, organizations must conduct a Data Protection Impact Assessment (DPIA).
The purpose of this is to identify personal data and minimize risk. The risk assessment considers the likelihood and severity of the impact of the risk. If, while doing a DPIA, you find a high risk that cannot be reduced, you must notify the ICO.
The GDPR is also more stringent on consent, which means businesses need to familiarize themselves with these new requirements. Consent must be freely given, explicit, concrete, unambiguous, and expressed through positive affirmative action. Any consent you have obtained in the past will also need to meet these requirements, and if it is not, it must be re-obtained.
It's no longer enough to simply state GDPR compliance, it must now be demonstrated. You are required to publish a privacy policy informing your data subjects about how their personal data will be used. You should also have a plan in place for what happens to a data breach.