* Gustavo Loçano Silva
With the ever-increasing collection and processing of information, it is common for exposure risks to increase as well. Information leakage can cause huge damage, such as damage to one's own image and financial loss. Considering all these risks, countless countries are paying increasing attention to data security.
The General Data Protection Regulation (GDPR; in Portuguese, Regulamento Geral de Proteção de Dados) is a regulation developed in the European Union, considered the updated version of the old privacy law, the Data Protection Directive of 1995. A new version became necessary because, when the old law was drafted, online businesses did not have the scale they have today.
The law aims to change the way companies store European citizens' data by proposing to increase user privacy. The individual has the right to know what information is being shared and for what purposes it will be used.
This regulation applies to any company that stores or processes personal information about any resident of a European Union country, even if the company is located in another country. That is, if a company is headquartered in Brazil but holds the data of a European citizen, it must comply with this regulation.
Under the GDPR, personal data is any set of distinct pieces of information that leads to the identification of a particular individual. Some examples are name, email address, home address and IP address. There is also sensitive data, which concerns specific conditions of a person, such as data revealing racial origin, political or religious opinions, and genetic data.
Fines and penalties
If the main points of the regulation are violated, companies can be fined between 2% and 4% of their annual revenue, or 20 million euros (R$88.400.000).
Some points that need to be analyzed are:
• The right of access, under which the individual has the right to know whether their data is being processed by the company and for what purpose, as well as the right to receive, in electronic form, the data the company holds about them.
• Data portability, which ensures that a person can claim his or her personal data and is entitled to move that data to another system without losing information.
• Data breach: if data is exposed, becomes vulnerable or is stolen, the company is required to notify the affected users within 72 hours of discovery. This applies to data processors as well as data controllers, with a high risk of fines if the deadline is not met.
Since the General Data Protection Regulation seeks to ensure that companies safeguard the privacy of users' personal data, transparency is required between the two sides.
The consultancy [SAFEWAY] can help your organization by validating its level of adherence and maturity with respect to the GDPR (General Data Protection Regulation) and the LGPD (General Data Protection Law), considering the business environment in which it operates, in order to identify the main action plans for regulatory compliance, aiming at process improvements and gains for your organization.
* Gustavo Loçano Silva is GRC and Information Security Consultant at [SAFEWAY]