Impact of GDPR on Enterprise Cybersecurity Practices
On 25 May 2018 the General Data Protection Regulation (GDPR), the European Union's new data protection regulation, became enforceable. The intention of GDPR is mainly to give citizens control over their personal data and to simplify the regulatory environment for international business by unifying the rules across the European Union.
You may question why the GDPR was needed when we already had the UK Data Protection Act 1998 (DPA). The GDPR was introduced to keep up with a continuously expanding digital world. It covers a far wider range of privacy obligations than the DPA 1998 and gives citizens additional rights over their data. From an organisation's point of view it is also a single, clearer benchmark for protecting personal data.
The implementation of GDPR has had a significant influence on enterprise cybersecurity practices. A few of the most important effects are listed below.
10 key Influences of GDPR on Organisations’ Cybersecurity Practices:
- Because of the privacy obligations in GDPR, individuals' expectation of data confidentiality rises, and with it the organisation's responsibility to establish and maintain a robust cybersecurity posture.
- GDPR enforces thorough and prompt data breach notifications. In case of a personal data breach, the supervisory authority must be notified without undue delay and, where feasible, not later than 72 hours after the organisation becomes aware of the breach. Where the breach is likely to result in a high risk to the affected individuals, they must also be informed without undue delay. Meeting this deadline requires a tested incident response process that can detect, scope and assess a breach quickly.
- Enterprises must analyse the mechanisms through which they collect personal data. Where consent is the lawful basis for processing, GDPR requires that consent be freely given, specific, informed and unambiguous, expressed by a clear affirmative action rather than inferred from silence or pre-ticked boxes. So enterprises must be crystal clear about why data is being collected and how it will be used.
- If GDPR obligations are violated, for example when significant personal data are exposed, companies can face heavy fines. For the most serious infringements, the maximum administrative fine is 20 million euros or 4% of the organisation's total worldwide annual turnover of the preceding financial year, whichever is higher. Affected individuals may additionally claim compensation for the damage they have suffered.
- If a company's core activities require regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data, the company must designate a Data Protection Officer (DPO). The DPO is responsible for overseeing the organisation's data protection compliance and reports to the highest level of management; in practice many organisations build a dedicated data protection team around the DPO or combine the role with a chief privacy officer.
- Under GDPR, individuals have the right to request that organisations erase their personal data (the "right to be forgotten"), subject to certain exceptions such as legal retention obligations. Honouring such a request requires knowing where the data lives, including in backups, logs and third-party processors. Companies that have not yet implemented such processes need to start working on them at the earliest.
- GDPR gives individuals the right to receive the personal data they have provided in a structured, commonly used and machine-readable format, and to have that data transmitted to a different controller where technically feasible. Companies must hand over the individual's data when such a request is made. Those companies that have not yet done so must start accepting such requests as soon as possible.
- Under GDPR, data controllers select their processors and remain accountable for the processing carried out on their behalf; they may only use processors that provide sufficient guarantees, bound by a written contract. A data processor is one who processes the data on behalf of the data controller. Processing includes obtaining, recording, storing and otherwise handling the data. The data controller determines the purposes and means of the processing.
- When online services (information society services) are offered directly to children, GDPR requires the consent of the holder of parental responsibility for children under 16 (member states may lower this threshold to no less than 13), and the controller must make reasonable efforts to verify that such consent has been given.
- "Privacy by design" and "privacy by default" should be practised for all new processing activities and products. For example, when a new product is launched, the security experts should work with the marketing team from the planning stage so that the marketing plan incorporates the GDPR privacy requirements rather than having them bolted on afterwards.