Thursday, 7 June 2018

Wait and see attitude for GDPR in Asia Pacific

The European General Data Protection Regulation (GDPR) that recently came into force puts in place a single set of data protection rules across the EU, including the protection of personal data exported outside of Europe.

Tomáš Mičo, ESET Data Protection Officer, said that businesses have already invested significant time and energy into mapping all the processes and reviewing all the agreements as recommended by data protection professionals.

“Moreover, as GDPR has a so-called ‘downstream’ effect, businesses need to apply the same principles to all their arrangements including those with third-party processors and sub-contractors,” explains Mičo.

“Businesses have to make sure they have consent, contract or other legal basis for processing all of the personal data protected by the regulation, for all their end users. For a middle-sized business, it can as well mean spending countless hours retroactively contacting all of them if their legal basis is not GDPR valid – including end users that businesses gained through third parties or subcontractors,” adds Mičo.

In addition, individuals also have the right to request a detailed listing of all their personal data that is being processed, and to make that request of any vendor that works with the personal data of EU-located customers, even if the company is not physically located in the EU. This is especially hard for e-commerce businesses and businesses that work with cloud services, ESET said.

Moreover, businesses must have the information about the individual available at any time and keep it protected – encrypted – to be GDPR-compliant. “This way the personal data, even when the company suffers a breach or is hacked, stay protected,” says Mičo.

Penalties for non-compliance can be hard to swallow – we are looking at 2% to 4% of the company’s global annual turnover. A recent survey by IDC, however, reveals that for non-compliance, “regulators are more likely to focus on progress toward the goal than penalising those not quite finished with GDPR conformity”.

Nick FitzGerald, Senior Research Fellow, ESET, said that GDPR has made the discussion of data protection and privacy more prominent in the Asia Pacific region.

"It is too early to measure the impact yet, but some organisations will have spent more, or moved previously planned expenditure forward, to ensure regulatory compliance. These will mainly be organisations with strong European links as there will be more direct pressure from their customers and business partners to comply.

"We have seen increased interest in data protection solutions such as encryption and two-factor authentication (2FA). Other organisations without strong ties to Europe may focus on complying with local regulations such as the Personal Data Protection Act in Singapore and the Notifiable Data Breaches scheme in Australia. It is not clear how the European regulator will enforce action against non-European companies, so as with much of the rest of the world, we will certainly be keeping a close watch for the first regulatory reaches beyond European borders."