The European Union (EU) has adopted the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), a privacy regulation that sets out security and privacy requirements for protecting the personal data of individuals in the EU.
GDPR was adopted by the European Parliament in April 2016 and applies from May 25, 2018.
GDPR applies to companies both inside and outside the EU whenever they collect or otherwise process the personal data of individuals in the EU. The regulation's own term is “personal data”: any information that can be used, on its own or combined with other information, to locate, contact or identify a single natural person, such as a name, an identification number, an online identifier, location data, or factors specific to that person's genetic, physical, physiological, mental, economic, cultural or social identity. The US term Personally Identifiable Information (PII) is used below with the same meaning.
To comply with GDPR, any company that collects or handles PII pertaining to individuals in the EU must ensure that its data management practices meet every requirement set out in the regulation.
GDPR's requirements include lawful mechanisms for cross-border data transfers, technical and organizational security measures, notice and consent, accountability, and data minimization.
Security audits
Companies must keep records of their security practices and must regularly test, assess and evaluate the effectiveness of the security program they have established. Deficiencies identified by an audit must be corrected promptly.
Data security
Companies must put strict physical, technical and administrative controls in place. In line with GDPR, the security program of any company handling EU personal data must cover incident management, data integrity, confidentiality, encryption, and the availability and resilience of processing systems. The controls must be designed to prevent information leaks, data loss and unauthorized access to data.
Data breach notification
Once a company acting as a controller becomes aware of a personal data breach, it must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected individuals without undue delay. A company acting as a processor must notify the controller (its client) without undue delay after becoming aware of a breach affecting data it processes on the controller's behalf.
Disclaimer: This document must not be used as legal advice about any law or regulation. To understand the GDPR, customers must seek their own legal counsel.