The General Data Protection Regulation (GDPR) has had an enormous impact on multinational companies that do business in the EU. In the time since the law took effect in May 2018, we have seen the severe penalties of noncompliance as a handful of companies have been hit with fines. Most recently, British Airways was hit with a historic GDPR fine of £187 million ($230 million) as a result of a data breach that compromised 500,000 travelers’ personal data.
Although the GDPR has been in force for more than a year, there are still companies that are noncompliant.
In this article, we’ll break down the GDPR into its basic parts for easy understanding. We’ll also delve into the specific rights it grants EU citizens, its impact on multinational companies, and the penalty provisions it contains. Finally, we’ll wrap up with methods to make sure your own company is compliant.
The GDPR is a European Union law that has had dramatic effects on multinational companies around the globe, including the United States. The law stipulates that companies must be held accountable for the personal data they retain concerning any citizen in the European Union—whether they are an employee, customer, or business partner. According to the Information Commissioner's Office (ICO), which is the “UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals,” there are eight rights the GDPR extends to all EU citizens. They are:
The full source of the rules can be found on the Official Journal of the European Union.
In order to fully understand the vast scope of the GDPR, we should first define “personal data.” Under the GDPR, “personal data” includes any piece of information that could be used to identify anyone, including: IP address, HR records, location, contact details, and even pseudonymised or key-coded information.
The purpose of the GDPR is to protect EU citizens from data breaches, increase consumer trust and safety, and create transparent accountability measures. Data must be provided in a clear, concise, transparent, and easily accessible language, and it must be provided at no cost. Under the GDPR, all EU citizens should (1) have access to their own data, (2) receive notification when their data is being processed, and (3) be permitted to take their data with them once their business with the company has ended.
The GDPR requires a company to quickly and accurately answer these questions about a person’s data:
The GDPR is more restrictive than any previous legislation in the European Union because it places the accountability on the company. It’s also the first data privacy regulation with global relevance, making it one of the most significant information security and privacy laws ever passed. It requires companies to demonstrate how they comply, not just report that they comply.
Under the GDPR, clear consent must be given in order for a company to begin processing someone’s data. Consent can no longer be assumed by silence, pre-selected boxes, or inactivity, and it must be separate from other terms and conditions.
If your company meets the following requirements, you could be required to appoint a Data Protection Officer (DPO):
The DPO is responsible for ensuring the company is compliant with GDPR regulations. They must report to the highest management level in the organization, and should operate independently without threat of penalty for completing their assigned tasks.
As the British Airways breach shows, the penalties for failing to comply with GDPR rules are steep. Sanctions differ depending on which articles of the law apply. Companies failing to comply with the following provisions can be fined up to 10M EUR (or up to 2% of the total worldwide annual revenue of the preceding financial year):
Companies failing to comply with the following provisions can be fined up to 20M EUR (or up to 4% of the total worldwide annual revenue of the preceding financial year):
The GDPR makes it plain that the EU no longer intends to let irresponsible companies slide by without consequence. Thus it’s imperative for any company that deals with the personal data of European Union citizens to put policies and processes in place to comply with the new regulations.
The wide-ranging requirements of the GDPR present challenges for organizations, especially since the requirements to become compliant vary for each individual business. LogicGate is helping companies meet GDPR compliance requirements by centralizing and automating all of the new processes as well as enhancing existing manual processes (such as third-party risk management) that now must incorporate privacy impact assessments.
For more on the GDPR, check out LogicGate's Webinar below on Managing Third-Party Risk in the Age of GDPR.