GDPR – Privacy First

Let us start by talking about why privacy matters to the business. You want to assure your customers, especially in Europe, that you take their data seriously and have processes in place to protect it. GDPR is enforced by the national data protection authorities (DPAs) of the member states, not by Brussels directly, and recent fines include:

1. Ireland's DPA fined WhatsApp €225 million after finding that the messaging service had failed to properly explain its data processing practices in its privacy notice, a breach of GDPR's transparency obligations.
2. France's DPA (the CNIL) fined Amazon €35 million for placing advertising cookies on visitors' devices without first obtaining their consent.
3. On July 13, 2020, the Italian DPA (the Garante) fined the telecoms company Wind €16,729,600 for unlawful direct marketing activities.
4. The Garante also fined telecoms company Fastweb €4.5 million on April 2, 2021 for unsolicited telephone marketing without consent.
5. Capio St. Goran, a Swedish healthcare provider, received a GDPR fine of roughly €2.9 million ($3.4 million) following an audit of one of its hospitals by the Swedish DPA. The audit found that the company had not carried out appropriate risk assessments and had not implemented effective access controls, so far more employees could read sensitive patient data than needed to. This is a plain least-privilege failure, and it was fined as a security failure, not a marketing one.
6. German electronics retailer notebooksbilliger.de (NBB) received a €10.4 million ($12.5 million) fine on January 8, 2021 for the way it used CCTV cameras to monitor its employees and customers.

These are just some of the fines levied, and they show that privacy is not optional if you do business with European user data.

What do we need to know?

Here are some facts about GDPR. The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, took effect on May 25th, 2018 and replaced the 1995 Data Protection Directive (95/46/EC). It is the current EU law on data protection and privacy: it sets the rules for collecting and processing the personal data of individuals within the European Union, and it also governs the transfer of personal data outside the EU. Because it is a regulation rather than a directive, it applies directly in every member state without separate national implementing laws.

Some specific terms that are critical to applying GDPR to your particular business:

Data Subject – The identified or identifiable natural person to whom personal data relates. A person is identifiable if they can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity (Article 4(1)). Any information relating to such a person is personal data, which is why IP addresses, device IDs and cookie identifiers are usually in scope.

Data Controller – The organization that determines the purposes and means of processing personal data, for example a business that collects data from EU residents through its website (Article 4(7)).

Data Processor – An organization that processes personal data on behalf of, and on the documented instructions of, a data controller, such as a cloud service provider or a payroll vendor (Article 4(8)).

As for sensitive data, is this different from the other categories of sensitive data we already protect (PII, ePHI, credit card numbers, Social Security numbers)?

Yes. GDPR defines "special categories of personal data" (Article 9) separately from ordinary personal data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, plus genetic data, biometric data used to uniquely identify a person, health data, and data concerning a person's sex life or sexual orientation. Processing these is prohibited unless one of the Article 9(2) exceptions applies, for example explicit consent. Data about criminal convictions and offences is handled separately under Article 10. None of this maps one-to-one onto US-style PII, PHI or PCI categories: a card number is personal data but not a special category, while a religious affiliation is a special category even though most US frameworks would not call it sensitive. Your data classification scheme needs a column for this.

Does the regulation apply to my small business?

The regulation applies if you hold European user data in your databases or access such data. More precisely, GDPR applies (Article 3) where the data controller or processor is established in the EU, regardless of where the processing itself takes place, and to organizations established outside the EU that offer goods or services to people in the EU (paid or free) or monitor their behaviour, for example through website analytics or tracking cookies. There is no small-business exemption from these obligations, although Article 30(5) relieves organizations with fewer than 250 employees from keeping full records of processing in some limited cases.

As a business, when can I process the data of an EU resident?

Personal data may only be processed if at least one lawful basis under Article 6 applies. Consent is one of them: the data subject must have given specific, informed and unambiguous consent to processing for one or more purposes, and must be able to withdraw it. The other lawful bases are:

1. The legitimate interests of the data controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject (in particular where the data subject is a child).
2. Performance of a task carried out in the public interest or in the exercise of official authority.
3. Compliance with a legal obligation of the data controller.
4. Performance of a contract with the data subject.
5. Taking steps at the request of the data subject prior to entering into a contract.
6. Protecting the vital interests of the data subject or another person.

To be able to demonstrate compliance with the GDPR, the data controller must implement measures that meet the principles of data protection by design and by default (Article 25): requirements such as data minimization, pseudonymization, and privacy-protective default settings have to be built into business processes, products and services at the design stage rather than added afterwards. Record which lawful basis you rely on for each processing activity; you will need it for your Article 30 records and for answering access requests.

What are my rights as a data subject under GDPR, and what records must the controller keep?

Right of access – The right of access (Article 15) is a data subject right. It gives individuals (not only EU citizens) the right to access their personal data and information about how it is being processed. A data controller must provide, upon request, an overview of the categories of data being processed (Article 15(1)(b)) as well as a copy of the actual data (Article 15(3)). Furthermore, the controller has to inform the data subject about the processing, such as its purposes (Article 15(1)(a)), with whom the data is shared (Article 15(1)(c)), and, where the data was not collected from the data subject, its source (Article 15(1)(g)). The response is due without undue delay and at the latest within one month of the request (Article 12(3)). Verify the requester's identity before releasing anything: sending one person's data to someone impersonating them is itself a personal data breach.

Right to erasure – The "right to be forgotten" was replaced by a more limited right of erasure in the version of the GDPR adopted by the European Parliament in March 2014. Article 17 provides that the data subject has the right to request the erasure of personal data related to them on any one of a number of grounds, including that the data is no longer necessary for its original purpose, that consent has been withdrawn, or that the processing was unlawful. Erasure has to reach every copy you control, including data held by your processors and data you have passed to other recipients, whom you must inform (Articles 17(2) and 19); backups and log archives are the usual place where this goes wrong.

Records of processing activities – This is an obligation of the controller and processor rather than a right of the data subject, but it is what makes answering the requests above possible. Records must be maintained that include the purposes of the processing, the categories of data subjects and personal data, the recipients, any transfers to third countries, the envisaged retention periods and, where possible, a general description of the security measures. The records must be made available to the supervisory authority on request (Article 30).

What are my duties in the event of a data breach under GDPR?

Data breaches – Under GDPR, a personal data breach is any security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data (Article 4(12)). Loss of availability counts, so ransomware that encrypts records is a breach even if nothing is exfiltrated. The data controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; a notification made after 72 hours must be accompanied by the reasons for the delay (Article 33). Individuals have to be informed without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Article 34). A data processor must notify the controller without undue delay after becoming aware of a breach (Article 33(2)). Every breach, whether notified or not, must be documented with its facts, effects and the remedial action taken (Article 33(5)), so your incident response runbook should record the moment you became aware of the incident and capture these details from the start.

Under GDPR as a Data processor or controller, what sanctions will be imposed in the event of non-compliance?

Sanctions – Supervisory authorities have a range of corrective powers (Article 58), and fines are set to be effective, proportionate and dissuasive in each individual case. They include:
1. A warning in writing in cases of first and non-intentional noncompliance, or a reprimand.
2. Regular periodic data protection audits.
3. A fine of up to €10 million or, for an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringing the obligations of controllers and processors, such as data protection by design, security of processing, breach notification, records of processing and data protection officers (Article 83(4)).
4. A fine of up to €20 million or, for an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringing the basic principles for processing including the conditions for consent, the rights of data subjects, or the rules on transfers of personal data to third countries, and for non-compliance with an order from a supervisory authority (Article 83(5) and (6)).

So what have I learned from this article on GDPR?

As a small business that collects or processes European users' data as defined under this law, I should:
1. Engage an information security firm to review my business processes and risk.
2. Conduct a risk assessment with a focus on GDPR, starting with an inventory of what personal data I hold, where it is stored, and who can access it.
3. Develop and document policies that address the GDPR requirements.
4. Develop controls, or remediate the ones I already have, for sensitive data under GDPR, beginning with least-privilege access and audit logging.
5. Conduct a risk assessment of vendors (my processors) focused on GDPR, and put data processing agreements in place with them (Article 28).
6. Remediate "critical" or "high" risk gaps.
7. Develop a continuous compliance program.

Request a quote today!