This month the European Union is beefing up its Data Protection laws. Even if your business is not in the EU, you will still have to comply with the new regulations if you collect or process data of EU residents. So in this newsletter we are focusing on what they may mean for you.
The General Data Protection Regulation (GDPR) is a leap forward in protecting EU citizens from companies that are lax about the protection or misuse of personal data. The ground-breaking rules include new policies such as “privacy by design” and the “right to be forgotten”. Mandatory breach notification, which is already in place in countries like the USA, Taiwan and South Korea, will be introduced. In some cases it will be mandatory to appoint a Data Protection Officer; and penalties for non-compliance could be up to 4% of annual worldwide turnover.
There is a two-year transition period before the regulations come into force. To help you plan for this important development, we have provided more information and useful links below.
Also, there are a number of ways that Alertsec can help you meet your data protection obligations including Endpoint Encrypt and our new “Third-Party Protection”. There’s more information below or you can contact us if you have any particular questions.
All organizations that collect or process EU citizens’ data will be affected by the recently passed GDPR, even companies outside the EU. GDPR unifies data protection rules within the EU, making it simpler for international businesses. However, it also gives citizens greater control of their personal data and imposes legal obligations on both data controllers and data processors. Below we’ve provided a brief Q&A. We encourage you to use the links below to find the key points and details of the new regulations. We will keep an eye on developments as the practical issues come to light over the next couple of years.
Does GDPR impact your organization? The EU data protection law will apply to any company processing data of EU residents. There are new legal obligations for both data controllers and data processors.
What is personal data? The definition has been expanded and can be a name, a photo, an email address, bank details, posts on social media, medical information, or even a computer’s IP address.
How can people control their data? Consent for processing personal data must be explicit; pre-ticked boxes will not constitute consent. Consent can be withdrawn, and individuals will have the right for their data to be erased – the right to be forgotten.
Do you need to appoint a DPO? In certain circumstances data controllers and processors must appoint a Data Protection Officer (DPO) responsible for advising on and monitoring GDPR compliance.
What are your obligations? There are separate obligations for data controllers and for data processors, but also common requirements, e.g. the need to conduct a risk assessment to ensure appropriate security measures are in place.
How will compliance be enforced? Mandatory notification of a breach applies to both data controllers and data processors. Fines for non-compliance can be as high as €20M ($22.5M) or 4% of the annual turnover.
The links below may be useful to find more detail:
The GDPR introduces legal obligations for data processors, but at the same time data controllers also have an obligation to assure themselves of processors’ privacy capabilities. Large organizations are now gearing up security measures within their subcontractors and affiliates. How can SMBs be confident that their vendors, accountants and lawyers are able to implement appropriate data protection measures?
Alertsec’s new “Encryption for third-party suppliers” provides a dedicated portal for your third-party suppliers so they can purchase and install encryption on all devices handling data. You will be able to monitor the uptake of encryption by your service providers, or you can push installations if required.
For more information, read more on our website, or you can contact firstname.lastname@example.org to help you get started.
Many cloud-storage solutions already offer good encryption and key handling as part of their service, and that should extend across all cloud and datacenter providers when the new GDPR responsibilities for data processors come into force. However, it is not enough to encrypt data where it resides in the cloud. You also need to think about the security and encryption of any desktops, mobile devices and removable media that may be used for data handling.
It is very likely that programs running on your desktops or mobile devices download copies of cloud-based information to a local drive. If the computer is unencrypted, your company and customer files that are protected in the cloud will be at risk if the endpoint device is stolen, lost or disposed of.
Alertsec’s Endpoint Encrypt provides full disk encryption, and now includes Media Encryption to encrypt all your removable media for free. Please contact our Helpdesk for more information.
OptumRx, the online pharmacy and part of UnitedHealth Group in Minnesota, reported that an unknown number of customer records were compromised when an unencrypted laptop was stolen from a vendor employee’s vehicle in Indianapolis, Indiana. The vendor provides home delivery services to patients and the laptop contained customer names, addresses, health plan name, prescription drug information, prescribing provider information and in some cases date of birth.