The General Data Protection Regulation (GDPR) has applied since 25 May 2018. It binds organisations established in the European Union and, under certain conditions, organisations outside the EU: those that offer goods or services to individuals in the EU, or that monitor the behaviour of individuals in the EU. As a regulation it is directly applicable in every member state; member states have adopted national data protection laws only to supplement it where the GDPR itself leaves room for national provisions. The GDPR applies to every organisation that collects, stores or otherwise processes the personal data of individuals in the EU, regardless of their citizenship.
The GDPR gives organisations a framework for defining and designing their approach to data privacy across the whole workforce, for extracting value from data lawfully, and for ensuring the organisation is fit for a digital and cloud economy. Where personal data is processed on behalf of a data controller, the controller must bind the processor by a written contract (a data processing agreement under Article 28) that sets out the subject matter and duration of the processing, the technical and organisational measures to be applied, and the responsibilities of each party in complying with the GDPR; a service-level agreement alone does not satisfy this requirement. The GDPR is ultimately a compliance requirement.
The GDPR, proposed by the European Commission, was adopted to strengthen data protection for all individuals in the European Union. It significantly enhances the protection of personal data and increases the accountability of organisations that collect or process it. The regulation sets out detailed requirements for data privacy and security and backs them with severe penalties for violations. A GDPR compliance programme is about changing behaviours.
The primary objective of the GDPR is to give individuals back control of their personal data. If you control or process the personal data of individuals in the EU, whether you are based inside or outside the EU, the GDPR applies to you. If your organisation suffers a breach of personal data, it must notify the competent supervisory authority (the local Data Protection Authority) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and it must also notify the affected individuals where the breach is likely to result in a high risk to them. A breach can additionally lead to administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, as well as to loss of reputation.
As the data controller, the organisation decides the purposes and means of the processing and is accountable for the security of the personal data it holds. Partners and service providers that have access to or process personal data on the controller's behalf act as data processors: they carry their own obligations under the GDPR, and the controller must select them with care, bind them by contract and give them specific instructions on how the personal data they process is to be secured. The GDPR safeguards the personal data of individuals in the EU no matter where in the world it is stored or by whom.
SecurWires advises on industry best practice for implementing the security controls that meet the objectives of the GDPR. This covers defence-in-depth measures spanning network architecture, application security, IT infrastructure security, the policies and procedures that maintain the security of personal data, implementation of the privacy principles, incident management, and training and awareness.