For companies without a dedicated security or compliance department, GDPR can be a nightmare. With fines up to 4% of annual revenue, non-compliance can come at a serious cost.
So, what do you really need to know about GDPR compliance?
Here are some of the essential elements that will make compliance—and your life—a little easier:
What is GDPR? General Data Protection Regulation (GDPR) was developed by the European Commission to protect the digital privacy of EU citizens. GDPR gives EU citizens control over their personal data and simplifies the regulatory environment for businesses so EU citizens and businesses in the European Union can fully benefit from the digital economy.
Here are the 7 key principles that underpin GDPR:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality (security)
For more on what these principles mean, click here.
While GDPR has a lot of principles, the way we see it, it breaks down to processes and security. Many of the processes are very prescriptive and lengthy, but the actual security of your organization and protecting customer data is paramount in GDPR compliance.
More below on how we can help ensure both are in place.
Does GDPR impact companies outside the EU? Absolutely—GDPR impacts companies all over the world. In fact, any company who does business with the EU in one way or another needs to comply, regardless of location. Non-compliance with GDPR can result in administrative fines of up to 4% of annual global revenue or €20 million, whichever is greater. In the first year alone, EU regulators opened more than 200,000 investigations into potential GDPR violations!
Are other businesses also concerned? Organizations around the globe are feeling the heat of the GDPR regulations. Research from 900 organizations found that almost half (47%) of businesses fear they won’t meet the requirements for GDPR, with 32% doubting their organization has the right technology to cope. Certainly, recent record fines means companies are taking GDPR very seriously.
So, what do we need to do? While GDPR covers many areas of data protection, cyber-security is one of the principal tenets of GDPR. According to Article 5: “Companies must protect personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”
What does that mean for you? Basically, the EU is saying that organizations must implement technical, administrative and physical controls to protect the personal data from unauthorized access and modification. These countermeasures must, at the very least, include data encryption, vulnerability/patch management, access control, security awareness, network segmentation, mobile device management, Data Loss Prevention (DLP) Solutions, Intrusion Prevention and detection systems (IPSs/IDSs).
How can FortifyDatahelp? The FortifyData Cyber Risk Platform addresses the key compliance obligations related to GDPR, such as vulnerability and management, security awareness and training, vendor risk management and security consultation.
The table below table shows the key rules and how our platform can help you comply.
|GDPR Rule|| Description ||FortifyData Platform|
|Article 5 – Principles relating to processing of personal data.|
|Your company must protect personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.||The FortifyData platform helps your organization assess your level of cyber risk exposure daily. It also provides recommended solutions to protect the data from identified risks.|
|Article 28 – Processor|
|Your company must only use processors providing sufficient guarantees to implement appropriate technical and organizational security and privacy measures.||The FortifyData platform provides third-party security review measurements and continuous assessments of your processors to identify technical and organizational security issues.|
|Article 32 – Security of processing.|
|Your company must implement “appropriate technical and organizational measures” to ensure a level of security appropriate to the risk of data being processed.||The FortifyData platform provides a clear and accurate assessment of your company’s level of security through assessing both technical and organizational controls. The level of risk is represented as a score for easy comprehension.|
|Article 33 – Notification of a personal data breach to the supervisory authority.|
|Within 72 hours after having become aware of a breach, your company must notify the data breach to the supervisory authority. The Supervisory Authority is determined by a designated representative of the collector / processor (the company) in the EU.||The FortifyData platform provides breach notification alerts as soon as there are indications of a data breach on the dark web. These discoveries include credentials published or sold on marketplaces and/or other forums.|
FOR THE OFFICIAL GDPR SITE (SEARCHABLE), CLICK HERE
FOR MORE INFORMATION ABOUT HOW WE CAN HELP YOU COMPLY WITH GDPR, CONTACT US TODAY!