Published on 28 Nov 2023.
You may have already read about it: the update of the GDPR or General Data Protection Regulation of the European Union is a fact. From May 25, 2018, the controversial directive around personal data protection and security will come into force.
But what is this GDPR legislation, now almost infamous? How does it impact your organization, and how can you comply with its (strict) requirements?
The GDPR (also known as the AVG or General Data Protection Regulation) sets out rules for how you must manage and secure the personal data of European citizens.
Specifically, as an organization or business, you must be able to outline the data you collect, use or manage, and how you ensure it is properly secured against harmful influences from within and without, whether it's data you process in-house, using cloud infrastructure or even infrastructure located outside the EU.
The internet is already rife with stories of monstrous fines of up to 4% of your annual turnover for failure to comply with these guidelines. It is imperative to report "data leaks" and to ensure that your entire infrastructure has a robust security plan in place.
If one of the classic rules is that "the soup is never eaten as hot as it is served", this is unfortunately the case here.
In a modern age where your organization uses cloud services and is likely to come into contact with some form of processing of people's data (customers and/or employees), the GDPR applies to large companies, as well as small businesses and other organizations.
Studies show that few organizations have already started preparing, or have made progress in establishing an action plan.
The official GDPR directive applies to data controllers and processors. The two "parties" can therefore be defined:
Data controller - "the natural or legal person, public authority, department or body which, alone or together with others, determines the purpose and means of the processing of personal data". In other words, if you collect and store data yourself for marketing purposes - we're just giving an example here - you fall into the role of "data controller".
Processor - "the natural or legal person, public authority, department or organization that processes data on behalf of the data controller". Returning to our example, if you collect and store data for marketing purposes and do so through a cloud service provider, the latter must also comply with GDPR legislation, since it acts as the "processor" on behalf of the data controller.
Mind you, the data controller is obliged to comply with the processor's guidelines!
But... the personal data processor must also comply with certain rules and reporting obligations on how it processes data.
We've already compiled the most important points of the GDPR below. These details are of course available on the official GDPR website.
Extended jurisdiction
The rules apply to any company processing the data of EU citizens, regardless of where the company is based. Therefore, if your head office is not on EU territory but you process EU citizens' data, you are still responsible.
Consent to use data
Companies must obtain the consent of the data subject to store and manage this data, and must also explain how they will use it and why.
Mandatory reporting of data leaks
From now on, companies and organizations are required to report a data leak to the competent authority within 72 hours of the leak being identified, unless it is a security breach that does not affect "the rights and freedoms of the individual".
Right of access
Companies must provide anyone who requests it with an electronic copy of the data held, including information on how, where and for what purpose it is held.
Right to erasure
EU citizens can ask the data controller not only to erase their data, but also to stop having it used by third parties, who will in turn be obliged to stop using it.
Transferability
The new directive also allows individuals to transfer their data from one data controller to another. In practical terms, this means that, on request, companies or organizations must provide a means enabling the individual to easily transfer the data in a readable format.
Privacy by design
This is a crucial rule and undoubtedly one of the most important changes in the GDPR. Previously, it was possible to circumvent the need to implement full security by saying "we will provide sufficient security". By introducing the "Privacy by Design" rule, security must now be built into products, services and processes from the day of implementation!
Data Protection Officer (DPO)
Both the data controller and the processor must have a "DPO" or "Data Protection Officer". The DPO can be an external party, a new employee or a member of the organization. Please note that there are exceptions: not everyone needs to appoint a DPO!
As a cloud service provider, over the years Kinamo has acquired in-depth experience in not only IT infrastructure security, but also data processing, management and recording.
Is the GDPR an exclusively "IT" story? Certainly not... We are therefore aware that making your organization GDPR-compliant requires a fresh look at your own role as manager of your processes, and at Kinamo's added value in optimizing your organization's digital processes.