Time for action! What does your organization need to do to meet GDPR?
In a world that digitizes at a rapid pace, the storage of personal data becomes more and more important. Your medical history is stored in a database, you do your banking online, and you probably accept cookies without giving it a second thought. Even more so, you probably do not know what a company does with that data. Until about a year ago, every European country had its own legislation stating how companies should handle your data so that it was neither misused nor leaked. Many of these laws had become outdated, however, and multinationals could set up their offices wherever the legislation suited them best…
This changed in May 2016. The European Union accepted the General Data Protection Regulation, GDPR in short. From May 15 2018, this law will be enforced. Companies that do not meet the legislation risk a high fine.
What does the GDPR entail?
- Scope: The legislation does not exclusively apply to European organizations that process personal data, it also applies to organizations that are not located in the EU, but do process personal data of European citizens.
- Consent: Users of websites and applications must give an organization permission to process their personal data. The terms & conditions on this subject need to be understandable and unambiguous. Furthermore, people need to be able to withdraw their consent easily. When certain data was already in the organization's possession before 2016, consent needs to be asked retroactively.
- Breach notification: When a data leak occurs, victims need to be notified of the risks within 72 hours. This needs to be done by the organization that processed the leaked data.
- Right to access: People have the right to ask if organizations make use of their personal data and for what purposes it is used. Furthermore, one has the right to request a free electronic copy of the used data.
- Right to be forgotten: People have the right to request organizations to remove their personal data.
- Data portability: Organizations need to make sure that personal data is transmissible, so that consumers can easily switch service providers.
- Privacy by design: Privacy protection must be integrated in the design of new systems, whereby suitable technical measures can be implemented directly.
- Data Protection Officers: Organizations with over 250 employees, or organizations that process sensitive data, need to appoint a Data Protection Officer.
- Effectiveness of controls: Organizations must at all times be able to prove that their security controls were operational and correctly configured. This needs to be tracked in log files.
Possible consequences after violation of the GDPR
The GDPR is seen as the strictest legislation concerning personal data protection in the world. Violation of the GDPR can have serious consequences for your organization. The Authority of Personal Data can, for instance, hand out fines of up to 20 million euros or 4% of annual revenue. This regulation also applies at C-level: directors can be held jointly and severally liable for a data leak. Besides official fines, GDPR violations can also cause heavy reputational damage. Think of what happens when you are obliged to tell your customers that their personal data was out in the open. Or what it does to your brand when your website is suddenly defaced with unwanted content.
How can we help you protect your website?
It is of great importance to take action right away; do not wait until it is almost May 2018. Check whether you need to appoint a Data Protection Officer and whether you know exactly which data is stored where, and what it is used for.
Furthermore, it is important to take the right technical measures to meet the GDPR requirements, such as setting up an appropriate Web Application Firewall (WAF). A WAF is a cloud-based, intelligent layer of protection for your website or API against several sorts of threats, such as cross-site scripting, SQL injection and brute-force password attacks. A WAF is placed in front of your regular firewall, allowing you to be even better protected against known and unknown threats. With our knowledge and expertise, we are able to advise you on the correct implementation of a WAF.
TRIMM is the only full-service internet agency that has a partnership with Akamai. The benefit of a WAF from Akamai is that it can protect several hosting locations. Akamai works closely with AWS, Azure and on-premise hosting, while the WAF itself is hosted in one location in the cloud. This saves you a lot of maintenance work. Because the WAF is hosted in one place, the logging (which takes place at transaction level) from all hosting locations is collected in one place, giving you a much clearer overview.
Time to act!
Are you curious about how we can make your organization GDPR-ready by May 2018? Or do you have questions about this new European law? Please feel free to contact us!