GDPR stands for General Data Protection Regulation. The EU parliament enforced it on the 25th of May 2018. According to this legislation,
“In the event of a personal data breach, data controllers notify the appropriate supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
Being enforced by the EU parliament does not mean that only EU-based organisations need to comply with GDPR; it applies to every organisation that has any sort of business interaction with EU data subjects and holds any personal data of people residing in the EU. Organisations that do not comply could be looking at fines of up to €20M or 4% of their annual global turnover from the preceding year.
Substantial Increase in Reported Violations
It shouldn’t come as a shock to anyone that the enforcement of GDPR has sent the count of violation reports through the roof. Statistics show that in Austria, over 100 complaints have been filed in the past month, accompanied by 59 breach reports, a figure that previously corresponded to an eight-month period.
France’s data protection authority, CNIL, has registered a 50% rise in the number of complaints since the legislation came into effect. A similar surge can be seen in reported breaches, owing to the 72-hour breach notification rule. Considering recent reports, it is important to note that this does not mean that hackers have suddenly gained more power. On the contrary, it reflects that businesses are religiously following the legislation and owning up to the protection of personal data instead of trying to bury the truth.
How Does a Business Ensure Violation Reports Within 72 Hours?
- First, you need to make sure that your security incident response plan is up-to-date.
- Second, you should take a thorough inventory of all the personal data of EU citizens in your possession. Here, personal data comprises the obvious information (name, address, email address, etc.) along with whatever information is particular to the individual’s identity.
- Third, you should maintain a spreadsheet of the data including essential background information: data type, department, administrator, system, data location, provider of the data, and reason for collection.
- Fourth, you need to assess the risks associated with each individual’s data set by creating a risk register that includes the vulnerabilities/threats associated with the data in addition to their likelihood/potential impact. You may find it worthwhile to consult third-party experts here.
Companies Will Be Flooded With “Right to Be Forgotten” Requests
In particular, the rule that
“Consumers can demand that businesses delete their data,”
which has been added to the GDPR legislation, will lead to an overwhelming majority of the population asking for deletion of their personal information by invoking the “right to be forgotten”. Non-compliance can lead to a ban on processing or controlling data.
It should be noted that these punishments should not be a company’s sole motive for playing by the rules; it should realise the long-term benefits of having strong consumer trust.