The General Data Protection Regulation (GDPR) is a landmark new privacy law that entered into force on May 25th 2018. It replaces the Data Protection Directive 95/46/EC and is designed to give greater protection and rights to EU citizens and to redefine the way organizations approach data privacy.
It regulates the processing of personal identity information, which includes the collection, storage, use, and transfer of personal data about EU citizens.
Under the GDPR, the EU defines "personal data" broadly, without providing a finite list of personal data types; the law therefore covers any information relating to an identified or identifiable EU citizen:
- Personal data, such as email addresses and employee ID numbers
- Information that could be traced back to a specific person, given the right circumstances
The Regulation states that any organization that processes personally identifiable information of EU citizens needs to comply with the GDPR, regardless of where it is located or where it has an office.
It classifies these entities as either data controllers or data processors:
- Data controller: exercises control over the processing of personal data and decides which data to collect
- Data processor: acts at the direction of the data controller to collect, store, retrieve, or delete personal data
Fines for GDPR non-compliance are severe and amount up to €20.000.000 or 4% of global annual turnover, whichever is greater.
Another negative impact you may face if you fail to comply with the GDPR is a reputational one: you risk the trust of your employees, business partners, customers, and other entities whose personal data you are handling.
All organizations, whether they are data controllers or processors, must keep detailed written records of all processing activities they perform and take all necessary technical and organisational steps that ensure compliance, including the following:
1. Have clear consent from data subjects in order to process personal data
2. Enable them to have access to their data whenever they request it
3. Perform data collection and processing only for a clear purpose known to the data subject
4. Store personal data only for a limited and necessary period of time
5. Honour data subjects' right to be forgotten and make sure third parties are also notified of the requested data deletion
6. Notify the data protection authority of any breach within the deadline set by the law
7. Appoint a data protection officer
The first step towards compliance is assessing and precisely defining your data processing flows and evaluating the data security measures you have already implemented.
You need to identify all data handled in your business processes, see which roles have access to it, and what applications are used to perform tasks within the company.
Locate the data and be aware of where it is stored, how it is transferred, how it is accessed, and who is using it.
Prepare a data breach response procedure so you can act quickly and in accordance with the law when necessary.
Make sure to educate your staff on the GDPR and avoid any data storage or transfer via personal devices.
Mesier can help
MESIER PROACTIVELY RESPONDS TO THE MAIN GDPR PILLARS
Mesier tracks where personally identifiable information is going through its universal directory, provisioning, and application-assigned workflows. Moreover, Mesier gives you the control and assurance that your pre-defined company policies are being enforced, eliminating security loopholes within your organizational ecosystem.
DATA SUBJECT’S REQUESTS
Mesier requires active consent from the data subject each time a new application is shared with them through the Mesier central dashboard. The dashboard provides a detailed explanation of which app is requesting access to which type of personal data and for what purpose it will use it. Mesier pulls this information together, makes it easily accessible to each user at any time, and enables exporting it in a standardized format.
Mesier provides detailed reporting, a password scoring system, and an audit log that together uncover abnormal activities in a timely manner and raise security alerts. By centralizing all data in one place, data governance and potential audits are made easy.