In this blog I will be talking about GDPR, and why you need to know all about the new regulation.
For the past month I have received emails from various companies asking for my consent to continue using my data, and I am sure you have seen similar requests; this is all due to the implementation of GDPR on the 25th of May.
GDPR refers to the General Data Protection Regulation, a new EU privacy regulation set to replace the Data Protection Directive. The Queen's Speech confirmed that GDPR will form part of UK law even though we are withdrawing from the European Union; the reason for this is that the regulation states that anyone holding EU citizens' data must comply. Once the UK has left the EU the legislature will be able to modify the framework of GDPR as it sees fit; however, this could be a subject covered in one of my future blogs.
GDPR aims to control how personal data is processed, used, stored and exchanged. Personal data refers to any information that is personally identifiable. This could be basic identity information such as your name, email, address or ID numbers; personal web data such as your location, IP address, cookie data or RFID tags; medical data such as your health, genetic or biometric data; ethnic data; or even political opinions.
The reason for the surge of emails relating to privacy changes is the huge fines for companies that do not comply with the regulation. Penalties for not complying can be up to 20 million euros or 4% of annual worldwide turnover; this could be millions for big companies, and enough to destroy a small business. Organisations now need your consent to keep using your data, as consent is no longer assumed. Pre-ticked boxes that required you to uncheck a box are no longer allowed: consent needs to be unambiguous and involve a clear action, and it must be easy to opt out in the future.
For those who use cloud storage for personal data: if your cloud storage is privately hosted you have full control over the data, and you must ensure that the appropriate measures for protecting it are in place. If you store personal data publicly, or in a hybrid of public and private storage, then the cloud storage provider is responsible for putting security measures in place, and you must check that the provider's security implementation complies with GDPR.
The main area of interest for me as a Junior Cyber Security Analyst is of course security. The security actions that organisations must implement under GDPR are: encryption of all personal data; regular testing, assessment and evaluation of the effectiveness of personal data security policies; and provisions to secure the confidentiality, integrity, availability and resilience of processing systems and services. Ensuring that staff members are reliable will also be a high priority, as personal data on mobile phones and memory sticks poses a potential security risk. A failure to ensure that such devices are encrypted can immediately expose an organisation to a fine, so there will be added pressure to keep personal data safe when moving it off site.
When the new regulation comes into force, data subjects will be granted some new rights. From the 25th of May, if an organisation is the victim of a data breach that is likely to result in unauthorised use and distribution of data, the data controllers will notify you within 72 hours of becoming aware of the breach. You will also have the right to access your data at any time, so you can find out how, where and for what purpose your personal data is being processed. You now have the right to be forgotten: you can ask for your data to be deleted from the logs, and halt or cease further distribution of your data by a third party. A data controller should only hold and process data that is necessary for the completion of its duties.
From looking into GDPR I have arrived at the conclusion that the new legislation will benefit everyone in terms of how their personal data is used and distributed, and I will be interested to see any modifications the UK makes to the law once we leave the EU.