What is GDPR in simple terms?
The European Union's General Data Protection Regulation (GDPR) came into effect on 25 May 2018, so it is essential for businesses and organisations to understand exactly what it requires of them. It is the legislation that protects the fundamental rights of data subjects whose personal data, including sensitive (special category) data, is held and processed by organisations. Data subjects have the right to access the personal data an organisation holds about them, and the right to ask an organisation to erase it (subject to the conditions in Article 17). The regulation affects most sectors, from marketing to health services. To avoid the substantial fines that the Information Commissioner's Office (ICO), the UK's supervisory authority, and its counterparts in other member states can impose, organisations need to become and remain GDPR compliant.
The key aspects of GDPR:
GDPR replaced the 1995 Data Protection Directive (95/46/EC), which set minimum requirements that each member state implemented in its own national law. That patchwork, enforced with modest penalties, left data subjects exposed through a series of breaches and scandals in the years before 2018. The GDPR applies directly in every member state and gives data subjects stronger, more consistent protection of their rights.
Extended jurisdiction: The GDPR applies to any organisation established in the EU that processes personal data, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, data subjects who are in the EU (Article 3). It therefore reaches organisations of every size, inside and outside the EU.
Consent: Where processing relies on consent, that consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action (Article 4(11)); pre-ticked boxes and silence do not count.
Right of access: A data subject can make a subject access request to see the personal data an organisation holds about them and how it is used, and the organisation must normally respond within one month (Articles 12 and 15).
Data Protection Officer: Controllers and processors must appoint a DPO where Article 37 requires one: public authorities, and organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category or criminal conviction data. Other organisations may appoint one voluntarily; in either case the DPO oversees compliance with the regulation.
Penalties: Supervisory authorities such as the ICO can impose much harsher penalties for infringements, not only for breaches. The upper tier is a fine of up to €20 million or 4% of an organisation's worldwide annual turnover, whichever is higher (Article 83(5)); a lower tier of up to €10 million or 2% applies to other infringements, including failures of security and breach notification (Article 83(4)).
Why was GDPR needed?
Society is more data-driven than ever, and the vast amount of personal and sensitive data held on computer systems has made those systems attractive targets, with a corresponding rise in cyber-attacks and data breaches.
Phishing is one of the main ways criminals obtain personal information: scam emails trick recipients into handing over credentials or payment details, which can then be used to change bank and account details. Because this kind of attack is so common, the GDPR's requirement that organisations protect personal data with appropriate security measures is aimed squarely at reducing how often it succeeds.
Organisations need to be alert to emails carrying malware, to protect their IT network. If malware gains a foothold on an organisation's systems, the personal data of customers and employees held there can be compromised, and a reportable data breach may result.
Organisations should encrypt email so that personal data in transit cannot be read if it is intercepted. A data controller can also deploy a secure email gateway to stop emails containing malware, phishing lures or spam from reaching users. The GDPR does not mandate any particular product, but Article 32 requires security measures appropriate to the risk, and for most organisations filtering inbound email is a proportionate, expected control.
Office 365 and GDPR
Many organisations use Office 365 to store vital information, such as spreadsheets of employee personal and sensitive data, business contracts and annual reviews. Microsoft, as the processor, is responsible for securing the service; the organisation, as the controller, remains responsible for how that data is used and for its own compliance.
Office 365 is a cloud service, and as many as 85% of businesses now store some data in the cloud. Data held in the cloud is still personal data under the GDPR, so both Microsoft and the customer must meet their obligations. To help, Office 365 provides auto-labelling policies and content search, so that personal data can be classified and located quickly. These tools make personal data easier to find and account for, which supports an organisation's GDPR compliance, but the organisation still has to configure and use them properly.
End User Consent
The GDPR imposes tighter control on consent as a basis for processing personal data. A data subject must be told, at the point of collection, who the controller is, what their data will be used for and on what legal basis, and how long it will be kept (Articles 13 and 14). The controller is responsible for making this information available in clear, plain language. A data subject can withdraw consent at any time, and it must be as easy to withdraw as it was to give (Article 7(3)); withdrawal does not affect processing that already took place, but the controller must stop the processing that relied on it.
Article 32 of the GDPR requires organisations to implement technical and organisational measures appropriate to the risk, and names pseudonymisation and encryption, the ability to ensure confidentiality, integrity, availability and resilience, the ability to restore data after an incident, and regular testing of those measures. It does not prescribe specific technologies, but in practice that means controls such as multi-factor authentication on systems that process personal data and full-disk encryption on laptops and mobile devices.
GDPR should not intimidate organisations: if the safeguards are implemented properly and documented, most organisations will have no reason to expect enforcement action from the ICO, and will be in a far better position if a breach does occur.