General Data Protection Regulation (GDPR)
What is General Data Protection Regulation (GDPR)? How do you become compliant with GDPR?
The General Data Protection Regulation (GDPR) is the foundation of Europe’s digital privacy law. When the revised rules were agreed upon in December 2015, the sentiment behind them was summed up as: “Europe’s digital future can only be founded on trust.”
GDPR applies to all businesses that collect and process personal data from EU citizens. Non-EU businesses that fall within its scope would be required to appoint a GDPR representative and would be liable for all fines and penalties.
Critical requirements of GDPR:
- Lawful, fair, and transparent processing.
- Purpose, data, and storage limitation: collect only the personal data that is required for the stated purpose, and delete it once processing is complete.
- Rights of data subjects: a customer has the right to know what data an organisation holds about them and how it will be used.
- Consent: if personal data is processed for purposes other than those stated, organisations must obtain the customer’s consent, and the customer can withdraw that consent at any time.
- Personal data breaches: the consumer must be notified within 72 hours of the breach being discovered, depending on its severity and regulatory requirements.
- Privacy by Design: organisations should build organisational and technical measures to protect personal data into new systems and processes from the outset.
- Data Protection Impact Assessment: a DPIA should be performed when starting a new project, change, or product.
- Data transfers: even when a third party handles the data, organisations must verify that personal data is protected and that GDPR obligations are met.
- Data Protection Officer: a business that processes a considerable amount of personal data should appoint a Data Protection Officer.
- Awareness and training: organisations must raise employee understanding of the important GDPR requirements through education and training.
To achieve GDPR compliance in the cloud, organisations need to take these additional steps:
- Know where the Cloud Service Provider (CSP) stores and processes their data.
- Know which cloud service providers and apps meet their security requirements, and use appropriate security measures to protect personal data from loss, alteration, and unlawful processing.
- Have a data processing agreement in place with the cloud service provider and with any cloud apps they intend to use.
- Gather only the data they require and keep the processing of personal data to a bare minimum.
- Verify that the data processing agreement is followed and that personal data is not used by CSPs or cloud apps for other purposes.
- Be able to delete their data from all CSP data sources at any time.