GDPR (General Data Protection Regulation) is a new data protection regulation from the EU, designed to give EU citizens greater rights over how their data is processed. The regulation is enforceable across all EU member states from 25th May 2018 and applies to any business that holds or processes records/data (physical or electronic) on EU citizens. The regulation is centred on data that could potentially be used to personally identify someone, such as a name, email address or IP address.
Here's Everything You Need to Know About the GDPR:
Access the full EU GDPR published regulation below
Access additional GDPR guidance issued by the EU Working Party
Want to become compliant? Tech Guard can help
Quick Overview from the Irish Data Protection Commissioner
Key Points:
1. Security/Recovery (Article 32)
Businesses need to ensure that sensitive data, and the systems that hold it, are secure, access-restricted, encrypted, backed up, easily restorable and continuously available.
2. Large Penalties (Article 83:4-5)
Companies can be fined up to €20 million or 4% of their global turnover for non-compliance. This excludes any fines for failure to report a breach and also excludes any damages from civil actions.
3. Awareness (Article 39:b)
The regulation advises that staff receive awareness training on how to reduce the risk of a data breach.
4. Data Collection (Articles 6, 7, 8)
Consent is now an extremely important part of the regulation, especially in terms of marketing and gathering user details via website, email or phone. To that end, businesses must now ensure they:
(A.) Have or gain consent to market to existing and new clients/prospects.
(B.) Keep records that prove consent was freely given by the end user.
(C.) Clearly document on their website what data they collect, for what purposes, why, how long it is stored, etc.
(D.) Have a system to ensure consent is maintained and refreshed on a regular basis so that the data is still accurate.
(E.) Provide an easy way for a user to withdraw their consent (opt out) at any time.
5. Access Requests (Article 15)
Companies have 30 days to respond to data access requests from EU citizens.
6. Breach Notification (Article 33)
The Data Protection Commissioner must be notified within 72 hours of detecting a data breach.
7. Data Protection Officer (Article 37)
A Data Protection Officer is required by public bodies, and also by companies that process sensitive data or monitor data subjects on a large scale or as a core activity of their business.
8. Accountability/Documentation (Article 82)
All companies must document and demonstrate compliance with the GDPR.
9. Third Parties (Article 46)
Outsourced/cloud providers (payroll, CRM etc.) that you use to hold or process data must be compliant. Contracts should be in place between parties to ensure each party states their compliance.
10. Right to Erasure (Article 17)
Data subjects can request deletion of all paper and electronic data held on them (including data processed by third parties).
Data Controller Example
Your HR Department will hold records pertaining to your staff.
In this case, you are the data controller of this data.
Data Processor Example
Your Finance Department may outsource company Payroll to a third party provider.
In this case the payroll company would be referred to as the data processor.
Tech Guard IT Essentials Bundle for GDPR
One of the biggest challenges of GDPR compliance is implementing state-of-the-art "appropriate technical and organisational measures" to safeguard data. Data protection authorities will look very closely at how well a business protects its data should a breach ever occur, so it pays to be prepared.
To help businesses meet these measures, Tech Guard has developed a no-nonsense, cost-effective IT Essentials GDPR Bundle. Let us take the hassle out of becoming compliant.
How Can Tech Guard Help?
Article 32 is one of the major technology-related parts of the regulation. It states that organisations (controllers and processors) that hold or process EU citizen data must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. It specifically calls out the following measures businesses must put in place to ensure:
i. The confidentiality, integrity, availability and resilience of the systems used to process the data
ii. The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
iii. A process for regularly testing, assessing and evaluating the effectiveness of the measures to ensure security of the data.
Tech Guard provides several "Fully Managed" complementary technology services that can help businesses become compliant with Article 32 of the GDPR.
Cyber Essentials
We help companies achieve Cyber Essentials certification. Cyber Essentials is a government-backed cyber security framework that is now being adopted across all member states to aid compliance with GDPR. It is a great first step for small to medium-sized organisations to demonstrate (through a formally approved certification body) that they have proactively implemented IT security controls to protect the data they control or process. In the event of a data breach, such a certification would help reduce the size of the fine handed down by the Data Protection Commissioner.
Security Awareness Training and Testing
Phishing and social engineering attacks on staff are now known to be the #1 cause of data breaches. Our fully managed security awareness training and testing services are proven to drastically reduce an organisation's risk of a data breach. The service provides up-to-date web-based security awareness training to all your staff, so they know how to spot the latest scams before it's too late. We then regularly send your staff emails simulating the latest scams, to keep them on their toes.
Need more information? See how our service works and check out our training library:
Network Cyber Security Services
Businesses and IT staff are finding it very hard to dedicate the time and effort needed to stay on top of the latest cyber threats and ensure their network remains protected against them. Here at Tech Guard, we have built a multi-layered, ever-evolving and up-to-date cyber security framework. Our framework employs the latest next-generation security technologies, which aim to protect every area of the business from being impacted by cyber attacks and the resulting data breaches. Our Fully Managed Cyber Security services implement our framework in your business, giving you peace of mind knowing a team of experts is focused on reducing your risk of a data breach and keeping you in business.
Backup, Disaster Recovery & Continuity
Backing up your sensitive data and ensuring you can recover your systems in a timely manner is a key requirement of the GDPR. Tech Guard provides its clients with a Fully Managed Backup, Disaster Recovery and IT Continuity service, allowing your business to maintain operations no matter what. We ensure your data and systems are securely backed up, monitored and maintained, and that backups are tested. You can sleep soundly knowing your data and systems can be quickly restored in the event of an incident or a cyber attack.
Cyber Insurance
The GDPR does not mention a requirement for cyber insurance; however, we strongly recommend that companies think wisely and purchase cyber insurance cover for their business. Cyber insurance can help to greatly offset and/or fully cover the fines that may be handed down to a business in the event of a data breach. It can also assist with financial and reputational loss resulting from potential lawsuits arising from a data breach. You wouldn't risk driving your car without insurance, so why risk your business?
Policies/Procedures
Tech Guard partners with data protection specialists who can assist our clients in the review, amendment and/or creation of GDPR-aligned IT policies and procedures. We then help businesses implement the necessary security, backup, recovery and continuity good-practice controls outlined in those amended policies and procedures. Finally, we document the network and security controls in place. Failure to have accurate and up-to-date IT documentation of the IT security, backup, recovery and continuity controls in place can lead to non-compliance with the GDPR.