August 15, 2016 By Vikalp Paliwal

The European Union’s General Data Protection Regulation (GDPR) has been adopted and goes into effect on May 25, 2018. That may not feel soon to some, but given the complexity and nuances of the regulation, that date really is just around the corner.

Know Your Data

Many organizations in Europe are already requesting more insight into the GDPR to help them avoid the substantial potential penalties (fines of up to 20 million euros or 4 percent of worldwide annual turnover per incident) for violating the GDPR compliance requirements.

Countless organizations outside the EU, however, are completely unaware that the GDPR may also apply to them. Why? Because the GDPR applies to any business that holds data about or markets to persons within the EU. Fortune 500 businesses and others, beware.

Begin your education now! Learn what you need to know, think about what the regulation means, consider its implications and prepare your business for success.

Data Subjects, Controllers and Processors

Per the GDPR, Data Subjects — which include end users, customers and employees, among others — have the right to make a claim if their Personal Data is not protected in compliance with the GDPR. Further, EU regulators have the right to impose substantial fines for violations.

Data Protection is a key concern for businesses, and the GDPR creates more obligation and liability for Data Processors and Controllers. For these reasons, it’s important to consider some general Data Protection best practices to help think through the activities Data Controllers and Data Processors will need to adopt to prepare for the GDPR — including the who, what, when, where and how of Personal Data.

Read the Interactive Solution Brief: Ready, Set, GDPR

Three Goals of the GDPR

Before we talk about requirements, let’s set the context by considering the very important goals of the GDPR and clarify what is meant by Personal Data. The GDPR’s three main goals are:

  1. To ensure protection of the fundamental privacy rights of Data Subjects (e.g., ensuring the security and confidentiality of Personal Data, but also ensuring proper notice, choice, right of access, rectification and erasure, just to name a few);
  2. To update the privacy laws so that they reflect and keep pace with the way the technology landscape has changed over the last 20 years; and
  3. To unify the 28 disparate privacy laws of the EU member states.

Within that framework, Personal Data is information about an individual. It can be any data related to you: personal identification; location data; biometric, physical, physiological, genetic or mental health data; economic, cultural or religious sentiment data; social, political or gender preference data; and more.

Data Protection Requirements

People and businesses are now paying avid attention to the GDPR requirements because of the heavy fines that go along with violating the regulation. Below, I will focus on some key requirements for processing Personal Data:

1. Condition for Consent

This requirement mandates that Controllers have the consent of Data Subjects to process their Personal Data, with some exceptions. Controllers should also be able to provide proof of consent for all their Data Subjects. Data Subjects have the right to withdraw their consent at any time, and consent is limited to specific purposes. It does not apply more broadly, and use needs to cease as soon as the specific purpose is met.

Data Subjects also have the right to request documentation about their Personal Data processing, and the Controller and Processor need to be able to provide this.

2. Right to Access and to Obtain Data for the Data Subject

Data Subjects have the right to request access to information held about them and be provided with detailed documentation, in plain and simple language and in electronic form, from the Controller. This should describe what information is held, how Personal Data is being accessed, the purpose of the access, where it is being accessed, what categories of Personal Data are being accessed and who has access. The Controller needs to provide all these details.

3. Right to Erasure

Data Subjects have the right to request the erasure of their own Personal Data if certain conditions are met. That is, they can request the deletion of Personal Data if they do not wish to allow the Processor or Controller to use it. Controllers should be able to carry out the erasure without delay and provide documented proof that the Personal Data was removed. This gives the Data Subject the power to decide whether their Personal Data is used. This right applies only to the Data Subject’s own information.

4. Right to Rectification, Object and Profiling

Data Subjects have the right to request that the Controller correct their Personal Data if it is inaccurate. Data Subjects also have the right to object to profiling that has the effect of discriminating against individuals on the basis of race, ethnic origin, political opinions, religious beliefs, sexual orientation or gender identity, trade union membership, etc.

The GDPR Brings Big Changes

In addition to the above requirements, the GDPR also includes some big changes of which organizations should be aware. All of these changes will significantly affect organizations that are preparing for May 2018.

Some of the biggest changes and innovations include: the Data Breach Notification requirements; the obligatory appointment of Data Protection Officers; the obligatory Data Protection Impact Assessment; the new obligations that apply to Data Processors; and the obligatory use of Data Protection by Design.

For clarification purposes, Data Protection includes both Privacy and Security. Therefore, Data Protection Impact Assessment means both Privacy Impact Assessment and Security Impact Assessment, and Data Protection by Design means both Privacy by Design and Security by Design.

Get Educated

To be in a position to meet the GDPR requirements, organizations should start getting educated now. Some requirements are relatively simple to meet but others, such as enabling systems to support the right to be forgotten, will be more difficult to achieve since they require business process changes.

Beginning the education process and starting to think through what it will take to meet the GDPR requirements should be the first logical step on the path toward embracing the GDPR.

Organizations should assess their Personal Data landscape, including where it is stored and how it is accessed, and gain a better holistic understanding of the GDPR requirements. Only then can they move forward and begin considering which technologies they will need to install to support the GDPR. Then they can determine what their deployment road map will need to look like to successfully prepare for May 2018.
