The General Data Protection Regulation (GDPR) was passed in the European Union (EU) in 2016 and requires all businesses to protect the personal and private data (under an updated, broader definition) of EU citizens for transactions occurring within EU member states. The regulation establishes data privacy rules that provide transparency and expanded privacy rights for EU citizens.
The basic definition of personal data is any information relating to an identified or identifiable natural person (data subject).
Examples of private data covered by GDPR include:
When a data breach has been detected, companies are now required by GDPR to notify all affected persons and the supervising authorities within 72 hours. GDPR regulations apply to all privacy data created for EU residents regardless of whether or not they are citizens of EU countries.
GDPR defines penalties for noncompliance. Failure to comply with GDPR requirements can result in fines ranging from 10 million euros to four percent of the company’s annual global turnover.
Under GDPR, companies can’t legally process any person’s personally identifiable information (PII) without meeting at least one of the following six conditions:
In addition, companies that conduct data processing or monitor data subjects on a large scale must designate a data protection officer (DPO). The DPO is the individual responsible for data governance and for ensuring the company complies with GDPR. This person is responsible for ensuring appropriate data protection principles are applied to the maintenance of personal data.
Businesses that operate outside of the EU and do not process private data on EU data subjects, as outlined in the list above, need not worry about GDPR itself. However, similar legislation is in place throughout most of the world, so businesses should instead focus on examining their local country’s data privacy rights. Once you understand your legal obligations in your own home country, you’ll want to develop a breach notification plan.
It’s very important to have a plan to notify any users and applicable agencies involved in a data breach. The time to work out how to notify, and what the applicable home country laws and requirements are, is not during a breach but before one. In the US there is a patchwork quilt of data privacy laws enacted by individual states; there is no federal law in effect. In preparing your breach notification process, make sure you seek outside counsel and expertise to help you comply with the laws of each state (or country, as the case may be) whose residents you may hold data on.
CyberHoot recommends you know the laws affecting your company and you prepare a Breach Notification process document reflecting those laws. Don’t forget to test the process annually as well.
Beyond establishing a breach notification process, there are many other actions your company can take to reduce the risk of a breach. CyberHoot recommends the following basic breach counter-measures:
Sources:
Additional Reading:
Booking.com Fined Following Vishing Attack
Regulations Don’t Stop At California’s CCPA
Related Terms:
California Consumer Protection Act (CCPA)