Saturday, June 13, 2020

Quick facts about GDPR

What is GDPR?

On May 25th, 2018, the EU's General Data Protection Regulation (GDPR) takes full effect. The goals of these new privacy rules are to harmonize data protection law across EU member states and to enhance data protections for citizens. All business owners need to understand its requirements, regardless of whether they are located in the EU or not. Fines will be heavy for companies that don't prepare and are found to be in non-compliance.

VISTA InfoSec has launched GDPR Compliance Services. With 15 years of experience in the industry, they are well equipped to help organizations stay compliant and be GDPR ready.


Quick facts about GDPR

Fines: fines for a data breach will increase from 500,000 (under the Data Protection Act) to 20 million or 4% of global turnover, whichever is greater. There are also additional fines for non-compliance.

New Roles: Companies will need to appoint a Data Protection Officer, who will be responsible for overseeing data protection strategy and ensuring compliance with GDPR. This does not need to be a full-time role, and it can be outsourced.

Data Breaches: If a company suffers a data breach, it must notify the relevant supervisory authority, and the affected individuals, as soon as possible, within 72 hours of discovery.

Security Measures: GDPR sets out clear requirements for securing personal data, including encryption, monitoring, user access control, and auditing.

Assessments: Data Privacy Impact Assessments (DPIA) are mandatory for organizations where processing is likely to result in high risk to the rights and freedoms of individuals. The obligation to conduct one falls on the data controller.

Rights for individuals: New and increased rights, including the right to portability and the right to erasure (also known as the right to be forgotten). Companies can also no longer charge individuals who request a copy of their personal data.

Consent: Consent must be given in the form of a positive opt-in. Assumed consent or negative opt-ins are not enough! Companies must keep records of how and when each individual opted in, and allow them to easily revoke consent at any time.

Processor & Controller: GDPR applies to both. It is the responsibility of the controller to make sure its processor abides by data protection law, and the processor has a responsibility to keep records of its processing activity.
