GDPR is an EU regulation that intends to provide protection to personal data of the EU citizens and increase the constraints on organizations who handle these personal data. GDPR law applies to all companies that collect and process data belonging to EU citizens. Its major concern is data protection for individuals within the European Union and manages the export of personal data outside the EU. The primary objective of GDPR is to give citizens back control of their personal data. It will come into action on 25th May 2018.
Data breaches are inevitable. Information gets lost, stolen or otherwise released into the hands of people who were never intended to see it due to their malicious intents. In such cases, GDPR comes into action. Under the terms of GDPR, the organization must not only ensure that the personal data is gathered legally and under strict conditions, but also make sure that those who collect and manage it will be responsible to protect it from any misuse and exploitation and respect the rights of data owners or else face penalties for not doing so. Data breaches should be reported to the authority within 72 hours of discovery.
There are two major parts of the Regulation that are to be highlighted:
- Firstly, the GDPR will be applicable to all companies that control or process data of EU citizens even if they are based outside of the EU.
- Secondly, the penalties for not following the terms and conditions of the Regulation are going to be severe. Based on the type and severity of the violation, organizations will be liable to pay fines of up to €20 million or 4% of their global annual revenue which is something they cannot afford.
GDPR protects a wide range of privacy data which include basic identity information such as name, address and identity number, web data such as location, IP address, cookie data and RFID tags, health and genetic data, racial or ethnic data and so on. This Regulation guarantees data privacy. Safety measures are built into the products and services from the early stage of development, providing data protection to new products and technologies.
Steps to GDPR Compliance
To comply with GDPR, organizations need to follow the steps mentioned below:
- Understand the law– have an idea of the obligations under GDPR as it corresponds to collecting, processing and storing data.
- Create a road map– perform data discovery and document every research, findings, decisions and actions.
- Know which data is regulated– categorize the data based on whether it falls under any GDPR special category, who has access to different types of data, who can share the data, and what applications can process the data.
- Begin with critical data and procedures– assess the risk to all private data and ensure that proper security measures have been assigned.
- Assess and document other risks– look for any other risks that may have been left out during previous assessment.
- Revise and repeat– repeat the core steps (4 to 6) and make the necessary alterations wherever required.
Benefits of GDPR
There are several benefits GDPR provides to businesses which includes a way to build customer trust, improvements in brand image and reputation, data governance, information security, and competitive advantages. One of the major changes GDPR will bring is providing consumers the right to know when their data has been hacked. This legislation says customers must be made responsible without unduly delay. GDPR expands the rights of individuals to control how their personal information is collected and processed and assigns a new set of constraints on organizations to be more accountable to data protection.
GDPR and Hexnode MDM
Enterprise Mobility Management solutions are an integral part of a comprehensive GDPR compliance program. When it comes to securing personal data against breaches and unwarranted access, it’s not just the servers, each endpoint needs to be safeguarded. Hexnode MDM helps you protect all your devices and stay compliant by leveraging a host of enterprise-grade data security features.
- Password protection:Passwords are the first line of defense against unauthorized access to your information assets. With Hexnode MDM, you can enforce password rules on the devices with the required complexity and history requirements for optimal security.
- Data encryption:Force ON data encryption across devices and prevent potential leakage of confidential information.
- Network security:Refrain from sharing network passwords with the users directly. Remotely configure network settings for your device fleet with Hexnode MDM and safely remove them when no longer necessary.
- Email security:Configure Email over-the-air and lock corporate accounts from modifications at the device end. Restrict email sharing across unauthorized apps.
- Application security:Whitelist/Blacklist applications to pre-emptively block risky apps from posing a threat to user privacy and security.
- Containerization:Deploy a secure container and keep all work data away from users’ personal apps and content. Selectively wipe corporate data keeping all personal data intact.
- Lost mode:Pop a missing or stolen device into quarantine mode to invoke instantaneous security lockdown. Initiate remote wipe to erase the device and prevent confidential data from getting into the wrong hands.
- Geofencing:Enable location-based policies to contain devices within a defined geographical region. Configure proactive lockdown when devices exit these safe-zones.
- Compliance engine:Hexnode MDM continually monitors the devices and alerts you whenever there’s a policy violation. You can get all compliances precisely logged and issues remediated quickly.
Key Points of GDPR
There are certain key points that specify the impact GDPR will have on business and they are as follows:
- Increased Territorial Scope– GDPR applies to all companies that process the personal data of individuals residing in the EU, regardless of the company’s location. There is no limitation regarding the landscape and so it expands to a wider geographic scope.
- Penalties– According to the terms of GDPR, a fine of €20 million or 4% of the annual global turnover is to be levied in case the company goes against its policies.
- Consent– Consent must be clear and distinguishable. It should be intelligible and in an easily accessible form, written in plain language. The purpose of data processing must be attached to it.
- Breach Notification– This notification is mandatory in all member states where a data breach may pose a risk to the rights and freedoms of the individuals. This notification should be issued within 72 hours of its occurrence. The customers must also be notified by the data controllers about the data breach without any delay.
- Right to Access– The data controllers are bound to provide the individuals information about whether their data is being processed, if so where it is being processed and for what purpose. The data controllers shall provide a copy of the personal data in electronic format thereby ensuring transparency and increased authority of individuals.
- Right to be Forgotten– The individuals are given the right to ask the data controllers to erase their personal data and stop any further distribution or processing of data. This is commonly known as data erasure.
- Data Portability– The individuals have the power to take back their personal data and transfer it to other data controllers.
- Privacy by Design– This feature depicts the idea that data protection should be a concern from the very beginning of the design stage. It also refers that only the data absolutely necessary for accomplishing a purpose be used. It aims to meet the requirements of the Regulation and protect the rights of the individuals.
- Data Protection Officers– Under GDPR, the data controllers do not need to submit notifications to each local DPA of their data processing activities. Instead, they just need to keep record of their activities. The role of DPO is mandatory in case where the processing operations require regular and systematic monitoring of data subjects on a large scale. Precisely, the DPO:
- Must be appointed based on the professional qualities, expert knowledge on data protection law and practices.
- May be a staff member or an external service provider.
- Contact details must be provided to the relevant DPA.
- Must be provided with the appropriate resources to carry out their tasks and maintain their expert knowledge.
- Must report directly to the highest authority.
- Must not carry out any other task that could cause any kind of conflict.
GDPR is sure to bring drastic changes in the marketing industry. The value of the customers is to reach great heights, only then can marketers receive their desired benefits. For that they need to work even harder in order to attract the target customers. The success of GDPR will lead to greater transparency between the customer and the company that holds their data. If the business is clear and transparent about how it will use the customer’s data, consumers will give their brand the benefit of doubt and will trust them. On the other hand, the bar for marketers would also be raised with the release of GDPR. All the tactics that are not compliant to GDPR would be demolished and new approaches towards marketing would be adopted. Marketers need to be more creative and will have to put in double effort if they want to succeed. This again is not to be viewed as a bad outcome. Anything that gives more importance to customers and allows marketers to get better is to be welcomed.
Originally published at www.hexnode.com on April 24, 2018.