GDPR FAQs – All About General Data Protection Regulation Compliance

Debasish Pramanik Cloud Security Expert - CloudCodes Software
  • September 13th, 2017

Have you ever thought about how vulnerable your data is when you fill in personal details online for banks, insurers or even social media? No doubt the cloud service providers work hard to keep your personal information safe, but are the organizations collecting it doing enough? Not all of the information these organizations collect is relevant to them; much of this sensitive bulk data is simply stored for future reference in order to enhance the consumer experience. With this in mind, the European Parliament has formulated a regulation called the GDPR (General Data Protection Regulation), which will be enforced from May 25, 2018. As that date is fast approaching, it would be wise to do our homework well in advance of this regulatory requirement and be well prepared for the change. Some common GDPR FAQs are discussed in the following sections.

What Is General Data Protection Regulation?

GDPR is a data protection law, which carries provisions that require all organizations to protect the personal data of all the European Union (EU) citizens, also referred to as data subjects. GDPR regulates the privacy of EU citizens within the EU member states as well as outside the EU. The standard set by General Data Protection Regulation is high and the businesses outside the EU need to rethink their strategy in providing adequate data security.

What Are the Provisions in GDPR?

This new regulation gives the utmost importance to consumers’ right of access and to data privacy. It is the task of organizations and cloud providers to ensure that consumer data is secure. The impacts of the GDPR (General Data Protection Regulation) are:

  • GDPR applies to all businesses in the EU, including those whose data processing happens outside the EU
  • If your business deals with EU citizens, whether inside EU territory or not, it is subject to GDPR
  • Organizations may process only data for which the consumers have given consent, and consumers have every right to stop the processing of their personal information at will
  • Companies also need to provide consumers with an e-paper outlining the details of where their data will be used

Who Is Affected By General Data Protection Regulation?

Any company that stores and processes the personal data of EU citizens within the EU states must comply with the GDPR. A company with no presence in the EU that nevertheless processes the data of EU residents also comes under its ambit.

Who Is Held Responsible for Non-Compliance during Security Breach?

According to the GDPR (General Data Protection Regulation), the staff directly responsible for data handling and storage must ensure regulatory compliance. If the data controller (the one who collects the data; for example, the company), the data processor (the one who processes data on behalf of the data controller; for example, the cloud service provider) or the Data Protection Officer (DPO) is found breaching the law, they will be liable to severe penalties. This penalty can be as high as a whopping 4% of the business turnover.

Supervisory Authority

Put simply, the lead supervisory authority is the main data-protection regulator a company deals with; it is the one-stop shop the company contacts for any compliance activity, such as registering a DPO (Data Protection Officer), notifying it of risky processing activities or notifying it of a breach of data security. The supervisory authority handles data security and protection complaints about organizations, conducts investigations and undertakes enforcement activities relating to cross-border processing.

What Are the Impacts of GDPR on Businesses?

Businesses will have to rethink their strategy for collecting and storing data. The data needs to be sorted periodically and redundant data deleted. Appropriate, strict DLP (data loss prevention) security measures are to be implemented, and any data breach should be notified immediately to the concerned authorities.

Appointing a DPO

Beyond the legal obligation, appointing a DPO would do a lot of good for your organization. In this information era, where data serves as the building block of any firm, a DPO ensures data protection at every stage, whether collection or processing. A DPO would increase your chances of staying a step ahead in the competitive, dynamic, evolving, global data-protection landscape. At the same time, it would enhance your customer service and improve your responsiveness to growing public awareness of, and regard for, the protection of personal data.

GDPR Encouraging “Pseudonymization” of Personal-Data

GDPR introduces a fresh concept into European data-protection law: “pseudonymization”, which is the separation of data from its direct identifiers so that it cannot be linked to an identity without additional information that is held separately. Pseudonymization can thus reduce data-processing risk considerably while maintaining the utility of the data. To encourage this, the GDPR (General Data Protection Regulation) creates incentives for controllers to pseudonymize the data they collect. Even though pseudonymous data is not totally exempt from the Regulation, it does relax some requirements on controllers that use this technique.
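As an added illustration (not code from the original article or from CloudCodes), the following Python sketch shows the separation described above: direct identifiers are replaced by a keyed token, and the re-identification table is returned as a separate object that must be stored apart from the working dataset. The records, field names and key are constructed for the example; a keyed HMAC is used instead of a plain hash so that tokens cannot be reproduced or guessed by anyone who lacks the key.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; not real people.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "country": "DE", "plan": "gold"},
    {"name": "Bob Example", "email": "bob@example.com", "country": "FR", "plan": "basic"},
]
DIRECT_IDENTIFIERS = ("name", "email")  # fields that point straight at a person


def new_key() -> bytes:
    """Pseudonymization key; it is the 'additional information' and lives outside the working dataset."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token for one identifier (same input + same key -> same token)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymize(records, key):
    """Split records into (working_records, lookup_table).

    working_records keep only non-identifying fields plus a subject_id token;
    lookup_table maps subject_id back to the stripped identifiers and must be
    stored separately from the working records.
    """
    working, lookup = [], {}
    for rec in records:
        sid = pseudonym(rec["email"], key)  # stable per subject, so later requests can be honoured
        working.append({k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS} | {"subject_id": sid})
        lookup[sid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return working, lookup


def reidentify(working_record, lookup):
    """Re-link a working record to its subject; returns None without the separate table."""
    return lookup.get(working_record["subject_id"])


def erase_subject(email: str, key: bytes, working, lookup) -> str:
    """Honour a withdrawal of consent: drop the subject's link and working records in place."""
    sid = pseudonym(email, key)
    lookup.pop(sid, None)
    working[:] = [r for r in working if r["subject_id"] != sid]
    return sid
```

Whoever holds only the working records sees plan and country but no name or e-mail; only a party holding both the key and the lookup table can re-link a record, and erasing the lookup entry severs that link.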

For businesses operating in the cloud, having a Cloud Access Security Broker (CASB) will become vitally important for enforcing compliance policies that ensure no data is lost and that any data which is lost cannot be linked back to the data subject. We have discussed all possible GDPR FAQs in this article.