General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intended to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The regulation was adopted on 27 April 2016 and becomes enforceable on 25 May 2018, at which point it replaces the Data Protection Directive (Directive 95/46/EC) of 1995.
Data Security Practices
The important data security practices are summarized below:
- Keep personal information encrypted at rest (and in transit) so that stolen copies of the data are unusable without the keys, limiting the damage of a theft
- Give each staff member an individual credential with a strong password, and rotate credentials on evidence of compromise (current guidance such as NIST SP 800-63B no longer favours fixed periodic password changes over strong, unique, individually attributable credentials)
- Control access to personal information so that staff can reach only the information their role actually requires (least privilege)
- Log every access to personal information, allowed or denied; after a breach this log is what establishes which records were touched, by whom, and how
- Log users out after a period of inactivity
- Detect attempted access by unauthorised individuals, or by authorised users outside their role, and report such occurrences to the administrator
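The following is an added example, not code from the original page, showing how the access-control, audit-logging, inactivity-logout and alerting practices above fit together in one small component. The roles, the permitted fields per role, the sample data subject record, the alert threshold and the 15-minute idle timeout are all constructed assumptions for illustration; encryption at rest is outside this block.

```python
import time
from dataclasses import dataclass

# Added example, not code from the page. Roles, fields, records, thresholds
# and the data subject below are constructed for illustration.
ROLE_FIELDS = {
    "support": {"name", "email"},
    "billing": {"name", "email", "iban"},
    "hr": {"name", "email", "iban", "salary"},
}

RECORDS = {  # constructed sample record of one data subject
    "subject-001": {"name": "A. Example", "email": "a@example.org",
                    "iban": "DE00 0000 0000 0000 0000 00", "salary": 50000},
}

ALERT_THRESHOLD = 3      # denied attempts per user before the administrator is alerted (assumed)
MAX_IDLE_SECONDS = 900   # 15 minutes without activity ends the session (assumed)


class ManualClock:
    """Injectable clock so the inactivity timeout can be exercised without sleeping."""
    def __init__(self, start):
        self.t = float(start)

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class Session:
    user: str
    role: str
    last_activity: float


class PersonalDataStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # user -> Session
        self.audit_log = []  # one entry per access attempt, allowed or denied
        self.denials = {}    # user -> number of denied attempts
        self.alerts = []     # messages for the administrator

    def login(self, user, role):
        if role not in ROLE_FIELDS:
            raise ValueError(f"unknown role {role!r}")
        self.sessions[user] = Session(user, role, self.clock())

    def _record(self, user, subject, field_name, outcome):
        self.audit_log.append({"ts": self.clock(), "user": user, "subject": subject,
                               "field": field_name, "outcome": outcome})

    def _deny(self, user, subject, field_name, reason):
        """Log the denied attempt, count it towards the alert threshold, then refuse."""
        self._record(user, subject, field_name, "denied:" + reason)
        if reason != "session-expired":  # an idle timeout is not an attack indicator
            n = self.denials[user] = self.denials.get(user, 0) + 1
            if n == ALERT_THRESHOLD:
                self.alerts.append(f"user {user!r}: {n} denied accesses to personal data")
        raise PermissionError(f"{user}: {reason}")

    def read_field(self, user, subject, field_name):
        session = self.sessions.get(user)
        if session is None:
            self._deny(user, subject, field_name, "no-session")
        now = self.clock()
        if now - session.last_activity > MAX_IDLE_SECONDS:
            del self.sessions[user]                     # inactivity logout
            self._deny(user, subject, field_name, "session-expired")
        session.last_activity = now
        if field_name not in ROLE_FIELDS[session.role]:  # least privilege per role
            self._deny(user, subject, field_name, "role")
        if subject not in RECORDS:
            self._deny(user, subject, field_name, "unknown-subject")
        self._record(user, subject, field_name, "allowed")
        return RECORDS[subject][field_name]


if __name__ == "__main__":
    clock = ManualClock(1_000_000)
    store = PersonalDataStore(clock=clock.now)
    store.login("alice", "support")
    print(store.read_field("alice", "subject-001", "email"))
    for _ in range(3):                # three out-of-role reads trigger an alert
        try:
            store.read_field("alice", "subject-001", "salary")
        except PermissionError as e:
            print("denied:", e)
    clock.advance(MAX_IDLE_SECONDS + 1)
    try:
        store.read_field("alice", "subject-001", "email")
    except PermissionError as e:
        print("denied:", e)
    print(store.alerts)
    for entry in store.audit_log:
        print(entry)
```

The audit log records denied attempts as well as allowed ones, because the denied entries are what reveal probing by an insider; the idle timeout is deliberately not counted towards the alert threshold, so that ordinary users who walk away from their desks do not generate false alarms.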
GDPR Compliance Issues
The EU-wide data protection regulation known as the GDPR goes into effect on 25 May 2018. The GDPR regulates how organizations protect the personal data of EU data subjects (EU citizens and residents), and will affect an organization's legal, compliance, information security, marketing, engineering and human resource practices. Its reach extends beyond the EU's borders: it applies to companies without offices or data centres in the EU. Any organization offering goods or services in the EU, collecting data on EU data subjects or employing EU residents will have to comply.
Penalties for noncompliance can include fines of up to €20 million or four percent of worldwide annual turnover, whichever is higher.
Many organizations are ill prepared: Gartner estimates that more than 50 percent of companies affected by the GDPR will not be in full compliance by 25 May 2018.