* By @KelliRibeiro
The European regulation of personal data protection called (GPDR - General Data Protection Regulation), was approved in April 2016 and is being applied since May 25, 2018.
The general data protection regulation is intended to to protect the privacy of data of European Union citizens and to overhaul the controls on data privacy of European citizens.
1. Which organizations will be affected?
- All organizations that manipulate or process information from EU citizens. The new law will be global in scope and will apply to any company offering products and services to EU residents;
- The rules apply to both data controllers and processors / handlers.
2. What will be the penalties?
- Organizations that violate the regulation GDPR can be fined up to 4% of their annual overall income or € 20 million (whichever is greater). This is the maximum fine that may be imposed for the most serious infringements detected by the competent Supervisory Authority (each Member State will appoint an authority to supervise the application of the Regulation. GDPR).
- The organization can be fined 2% for: not having its records inventoried (GPDR Article 28) or not notify the Supervisory authority or the citizen of a data breach. Or for not conducting an impact assessment of the incident.
3. What activities are required by the GDPR regulation?
- Assessment Data: For organizations with more than 250 employees, a data protection officer is required. They must perform an internal analysis of customer and employee information handling;
- Evaluate tools and devices that store datato ensure that it complies with internal policy for storing information and using encryption for recording on devices such as: hard drives, SSDs and mobile devices (flash drives, smartphones, etc.);
- Establish and publish security policies, classification, processing and transfer of data;
- To establish rules for reporting incidents which caused data leakage to competent authorities within 72 hours.
4. What are the user's rights?
- Authorization granted by the owner of the information;
- Notification of violation;
- Right to be deleted or forgotten (having your data actually deleted);
- Right to portability;
- Right of transparency.
5. What is the Brazilian scenario for this theme?
Currently, two bills are being processed in the country, PL 5276 A / 2016 and PLS 330/2013, for the adoption of a General Personal Data Protection Act, whether this is carried out by public or private organizations.
6. Project PL 5276 A / 2016 addresses the following topics:
- Protection of sensitive data;
- Degrees of consent;
- The consent of the holder for sharing to third parties;
- Protection for international data transfer;
- Technical and handling security measures during the processing (processing / storage) of personal data and profile;
- Anonymous data: data relating to a holder who is not identified by the controller for the purpose of the treatment, eg use of database for searches;
- Data protection of public and private access;
- Law enforcement system;
Data privacy is a topic of extreme relevance to organizations and is becoming increasingly complex as new technologies and business models that use data processing as a strategy emerge every day.
In Brazil the Bill 5.276 / 16 used the European standard as a basis and is expected to be approved later this year.
Organizations should be aware of these regulations, and they may timely direct the development of legacy projects that lacked regulatory drivers to perform, for example, information asset inventory, information classification, security incident management. Information, among others.
* Kelli Ribeiro is an Information Security Consultant for [SAFEWAY]
[SAFEWAY] is prepared to conduct an assessment of the GDPR framework focused on an action plan, implementation of requirements and / or enhancements focusing on the European data privacy law.
More information: [email protected]
THE [SAFEWAY] is a widely recognized company as a provider of premium information security and cybersecurity solutions. From its extensive portfolio, we highlight several solutions, including those based on platforms:
● Archer da RSA Security, considered by the institutes Gartner and Forrester and by the market itself, the most complete process integration solution for Governance, Risk Management, Compliance and Business Continuity Management;