General Data Protection Regulation - Significant data breaches and the lessons learnt
General Data Protection Regulation
The EU has acknowledged the tremendous value that personal data has and how it can be misused. As a result, it has drafted the General Data Protection Regulation (GDPR), which specifies the transparency requirements to be met while collecting personal data and outlines the requirements for safeguarding such data.
Regardless of where you are based, the regulation affects you if you are collecting or processing Personally Identifiable Information (PII) of EU citizens. The regulation lays down guidelines on the collection, storage, processing, and deletion of personally identifiable data. What is interesting is that the onus of abiding by GDPR lies with both parties: the Data Controller (who owns the data and is ultimately responsible to the citizens for the usage and consumption of their personal data) and the Data Processors (who perform data processing on behalf of the Controller).
A security incident qualifies as a personal data breach when it results in "the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." Data breaches can no longer be swept under the carpet. GDPR mandates that data controllers and processors report a data breach to the respective Supervisory Authority within a defined duration or face heavy penalties. The fines for breaching the regulation can go up to 20 million Euros or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.
8 Individual Rights
- Right of Access
- Right to Rectification
- Right to be Forgotten
- Right to Restrict Processing
- Right to be Informed
- Right to Data Portability
- Right to Object
- Rights in relation to Automated Decision Making & Profiling
7 Key GDPR Principles
- Lawfulness, Fairness and Transparency
- Purpose Limitation
- Data Minimisation
- Accuracy
- Storage Limitation
- Integrity & Confidentiality
- Accountability
Came into effect on: 25th May, 2018
Notable breaches since May 2018:
On January 21, 2019, a famous search engine became the first tech giant to get hit with a record fine for breaching GDPR, by the French regulator CNIL.
On November 19, 2018, an American hospitality company announced a massive data breach, compromising the personal data of its 383 million customers.
In October 2018, ICO found a social networking company guilty of improperly sharing the information of an estimated 87 million users with a political consultancy service company.
GDPR is stringent and here to stay.
How can you and your business stay on top of this regulation?
- Raise awareness on GDPR and establish a dedicated implementation team
- Review current data security and privacy processes
- Review contracts with vendors, affiliates and customers
- Conduct Data Privacy Impact Assessment (DPIA)
- Establish a response plan
At Crossbow Labs, we have devised a comprehensive approach to help secure the personal data your business deals with and save you from missing any regulatory requirement. The integrated approach ensures you have adequate measures in place to meet regulatory requirements.
Crossbow Labs' GDPR Adherence Approach
GDPR Awareness Session
Before implementing the regulatory requirements, we make sure that your organisation has enough understanding of the regulation and why and where it is applicable to your products or services.
Data Inventory Audit
We will help you identify the PII retained within your organisation and understand its lifecycle.
After identifying PII, we will review the existing setup to identify gaps in the organisation's GDPR preparedness.
GDPR Implementation Assistance
We will assist you in designing essential policies and procedures related to data protection, consent, subject access requests, privacy notices, and relevant forms. We will facilitate the setting up of a Data Protection Office, a Data Breach Incident Management desk, a Consent Management desk, and related workflows.
Data Protection Impact Assessment
We will assist you with the Data Protection Impact Assessment (required if processing could result in a high risk to the rights and freedoms of natural persons; Article 35, GDPR).