The General Data Protection Regulation (GDPR) is a landmark new privacy law that entered into force on May 25th 2018. It replaces the Data Protection Directive 95/46/EC and is designed to give greater protection and rights to EU citizens and to redefine the way organizations are approaching data privacy.
It regulates the processing of personal identity information which includes the collection, storage, use, and transfer of personal data about EU citizens.
Under the GDPR, the EU defines "personal data" broadly, without providing a finite list of personal data types; the law therefore covers any information relating to an identified or identifiable EU citizen:
- Personal data, such as email addresses and employee ID numbers
- Information that could be traced back to a specific person, given the right circumstances
The Regulation states that any organization that processes personally identifiable information of EU citizens needs to comply with the GDPR, regardless of where it is located or where it has offices.
It classifies these entities as either data controllers or data processors:
- A data controller exercises control over the processing of personal data and decides which data to collect
- A data processor acts at the direction of a data controller to collect, store, retrieve, or delete personal data
Potential fines for GDPR non-compliance are severe and amount to up to €20.000.000 or 4% of global annual turnover, whichever is greater.
Another negative impact of failing to comply with the GDPR is reputational: you risk the trust of your employees, business partners, customers, and other entities whose personal data you are handling.
All organizations, whether they are data controllers or processors, must keep detailed written records of all processing activities they perform and take all necessary technical and organisational steps to ensure compliance:
1. Have clear consent from data subjects in order to process personal data
2. Enable them to have access to their data whenever they request it
3. Perform data collection and processing only for a clear purpose known to the data subject
4. Store personal data only for a limited and necessary period of time
5. Allow data subjects the right to be forgotten and make sure third parties are also notified of the requested data deletion.
6. Notify the data protection authority of any breach within the deadline set by the law
7. Appoint a data protection officer
The first step towards compliance is assessing and precisely defining your data processing flow and evaluating the data security measures you have already implemented.
You need to identify all data handled in your business processes, see which roles have access to it and what applications are used to perform tasks within the company.
Locate the data and be aware of where it is stored, how it is transferred, how it is accessed and who is using it.
Prepare a procedure for action in case there is a data breach, so you can act quickly and according to the law when necessary.
Make sure to educate your staff on the GDPR and avoid any data storage or transfer via personal devices.
The California Consumer Privacy Act is a piece of consumer privacy legislation which passed into California law on June 28th of 2018. It will come into force in January 2020 and is designed to give California consumers control over the collection and reselling of their personal data. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.
Consumers are natural persons and must be California residents in order to be protected. Residents are defined as (1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State and is outside the State for a temporary or transitory purpose.
Primary consumer rights include:
1. The right to know whether their personal information is sold or disclosed and to whom.
2. The right to know what personal information is being collected about them.
3. The right to say no to the sale of personal information.
4. The right to access their personal information.
5. The right to request a business to delete any personal information about a consumer collected from that consumer.
6. The right to equal service and price, even if they exercise their privacy rights.
The CCPA applies to all companies that serve California residents and have at least $25 million in annual revenue, as well as companies of any size that have personal data on at least 50,000 people or that collect more than half of their revenues from the sale of personal data. This law applies to all companies handling California consumers' data: they do not need to be based in California or have a physical presence there. They don't even have to be based in the United States.
Companies have 30 days to comply with the law once regulators notify them of a violation. If the issue isn't resolved, there's a fine of up to $7,500 per record. Separately, penalties of $100 to $750 per consumer per incident, or actual damages, whichever is greater, may apply.
As a service provider, your company must ensure that:
- you can meet the consumer's request to know what personal data you collect about them and for what purpose
- you can provide this information for a period covering the last 12 months
- you give consumers the right to opt out without withholding future service or discriminating against them in any way
- you implement processes to obtain parental or guardian consent for minors under 13 years, and the consent of minors between 13 and 16 years, to the sharing of their data
- you enable the deletion of the consumer's personal data upon request
Mesier can help
MESIER PROACTIVELY RESPONDS TO THE MAIN GDPR PILLARS
Mesier tracks where personally identifiable information is going through its universal directory, provisioning, and application-assigned workflows. Moreover, Mesier gives you the control and assurance that your pre-defined company policies are being enforced, eliminating security loopholes within your organizational ecosystem.
DATA SUBJECT’S REQUESTS
Mesier requires active consent from the data subject each time a new application is shared with them through the Mesier central dashboard. The dashboard provides a detailed explanation of which app is trying to gain access to what type of personal data and to what end it will use it. Mesier pulls this information together, makes it easily accessible to each user at any time, and enables export in a standardized format.
Mesier provides detailed reporting, a password scoring system and an audit log that together uncover abnormal activities in a timely manner and raise security alerts. By centralizing all data in one place, data governance and potential audits are made easy.