Understanding Compliance with the General Data Protection Regulation
In April 2016, the European Parliament and the Council of the European Union voted to replace Data Protection Directive 95/46/EC and enact a wide-reaching data security regulation called the General Data Protection Regulation (GDPR). The law took effect on May 25, 2018, and is the primary law governing how companies protect the personal data of EU citizens. Companies that had to comply with the old data protection directive must comply with the new law as of that date or face steep fines and other penalties.
About the GDPR
The GDPR was created in response to the many data security problems that companies in the EU economic area have experienced in recent years. By holding every EU member state to the same data protection standard, the hope is that this new mandate will become the reference standard for businesses that handle the data of EU citizens.
Some of the law's key provisions include requirements to:
- Obtain the consent of data subjects for the processing of their data.
- Provide prompt notification of data breaches when a breach has occurred.
- Anonymize collected data to protect consumer privacy.
- Appoint a "data protection officer" at certain companies.
- Securely handle the transfer of data across borders.
Which Businesses Need to Be Compliant?
This is where the law gets a little tricky. Every business that markets or sells goods and services within the confines of the European Union member states has to meet the GDPR regulation. As a result, the global implications of this law are substantial. For businesses that will need to be in compliance to continue doing business with EU citizens, the GDPR will likely have a significant impact on the way that your business uses its core information systems.
The GDPR will be enforced by what are called "Supervisory Authorities" (SAs). SAs will interpret "substantially affects" on a case-by-case basis, weighing the context of the data processing, the type of data, the purpose of the processing, and whether the processing causes damage, loss, or distress to individuals; limits the rights of certain groups or individuals; affects an individual's economic status or financial circumstances; risks reputational damage; and many other factors.
To ensure these qualifications are met, SAs will be looking for organizations to do many of the following:
- Encrypt personal data
- Prevent unauthorized access to personal data (or equipment used in the processing of this data).
- Prevent unauthorized use of personal data (or of the equipment used in the processing of this data).
- Take part in independent assessment of equipment to evaluate the nature and potential severity of privacy risks.
- Have the ability to recall and report personal data in a timely manner in the event of an incident.
- Ensure continuous confidentiality and integrity of all equipment used in the processing of personal data.
- Perform regular tests to assess the effectiveness of measures to ensure data security.
The GDPR is filled to the brim with language referencing security of computing infrastructure as a precursor to the actual security of the data held within these constructs. Before you can build a GDPR-compliant infrastructure, you must understand how your IT needs to be altered to do so.
What Are the Consequences if You Fail to Comply?
Since the law that the GDPR replaced was over twenty years old, the vast changes in computing, marketing, and sales coupled with the prevalence of threats to data security produced some stark changes in the way the GDPR punishes companies that are found to be in violation of this mandate. SAs have far more authority under the GDPR than under the old directive. They hold investigative and corrective authority, and will have a system to issue organizations warnings for non-compliance. They will also perform audits, dictate changes, impose deadlines for those corrections, order data to be forfeited or erased, and even be given the power to block companies from transferring data to any other jurisdictions until all compliance mandates are met.
The biggest role SAs will have is assessing fines for noncompliance, and the fines are substantially larger than under the previous law. Fines will be determined based on the circumstances of each case, and if there is substantial evidence that an organization's breach was not due to its own negligence, the SA may not impose a fine at all. The fines that are imposed may be up to two-to-four percent of total global turnover or up to 20 million euros, whichever is greater.
How Quantium PSA Can Help
With the deadline for integrating the changes your organization needs in order to meet the standards of the GDPR, any business that sells products and services in European Union member nations has to begin shifting its priorities to ensure it is compliant with the new mandates. The best course of action is to read through the law here, and then call Quantium PSA at (829) 988-7400 to see how our technology professionals can help you structure your network and data security policies to adhere to even the most stringent security mandates.