What is this ‘GDPR’?
GDPR. Huff! This name has created fear amongst organizations scaling up from small to large. GDPR, or the General Data Protection Regulation (EU) 2016/679, is a regulation in European Union law that governs data protection and protects the privacy of every individual within the European Union (EU) and the European Economic Area (EEA). This regulation replaces the 1995 Data Protection Directive, which set the standards for data processing in the EU. The regulation also governs the export of personal data outside the EU and EEA. Its motive is to give individuals complete control over their own personal data. However, companies holding more consumer data are affected far more than companies with a smaller database. Every organization within the scope of GDPR must report any exposure of personal data to the national data protection regulator, and to the affected individuals, within 72 hours of becoming aware of the breach. These guidelines lay down effective security measures for data protection, and the accused organization might have to pay a fine of up to €10 million or 2% of its worldwide annual turnover.
What has GDPR done so far?
Since GDPR 2016/679 came into force, a number of cases, including incidents such as mis-sent emails and personal data breaches, have come to public attention within the eight months from May 25, 2018 to January 28, 2019. To date, GDPR has fined 91 firms heavily for these breaches, including Google.
The Commission nationale de l’informatique et des libertés (CNIL), the French data regulator, fined Google €50 million for failing to follow the EU’s guidelines on consumer data protection. The CNIL’s committee said that Google had failed to provide its users with the necessary information about its data consent policies and how their data was being used. The company was also held responsible for not providing a legal basis for collecting data for the purpose of ad personalization. The committee summed up its judgement by holding Google guilty of a ‘lack of transparency and valid consent along with lack of adequate information on ads personalization’ under the GDPR guidelines.
According to the GDPR Data Breach Survey conducted by the law firm DLA Piper, around 26 European Economic Area (EEA) countries have reported approximately 59,000 data breaches since the GDPR came into force. The Netherlands tops the list with 15400 data breaches. DLA Piper was itself the victim of a cyber-attack in 2017, when a ransomware infection let the attacker access employees’ emails and documents and block them. Germany was second on the list with 12600 reported cases, while the UK was third with 10600 data breaches. On a per capita basis, the UK was in 10th position, Germany in 11th and France in 21st. The whole situation shows a lack of a strict enforcement approach towards data security. In Germany, regulators imposed a huge fine of €20,000 on a company for failing to protect its employees’ passwords. In Austria, an organization was fined the heavy sum of €4,800 for operating an unauthorized CCTV system that partially surveyed a public sidewalk.
Are there any amendments in GDPR?
There are some amendments that have been made in GDPR:
- Individuals can now request access to their personal information very easily.
- Users can accurately update their personal information.
- Organizations are free to automatically delete the data of people they no longer do business with.
- People can have their personal data deleted on request.
- People can request that organizations stop processing their data.
- People can have their data delivered to themselves or to a third party.
- People can easily object to profiling or automated decision-making that could affect them.
What can be concluded from all this?
GDPR is not a challenge to IT, its security or data protection as such. Rather, it is a challenge for the people at the top, such as Chief Information Security Officers, Chief Information Officers and Data Protection Officers.
In the end, it is the responsibility of an organization to act in the interest of its consumers by protecting their confidential and sensitive information. A number of cyber security companies, such as Kratikal, have been working with the goal of ensuring exactly that. These frauds will not only continue to give you sleepless nights, but will also come back in different forms. Therefore, it is very important to stay cautious and strengthen the immunity of your systems with state-of-the-art cyber security solutions, including phishing simulation tools such as ThreatCop, Vulnerability Assessment and Penetration Testing tools, etc.