GDPR FAQ: Your Comprehensive Guide | Tessian (2024)

1. Who’s enforcing GDPR?

In May 2018, the GDPR came into force across the whole of the European Union. The GDPR applies equally to all EU member states, but that doesn’t mean each country will enforce its requirements equally. Each member state handles enforcement and will have a regulatory body called a supervisory authority that will be in charge of auditing and enforcement.

28 different countries will handle enforcement. That means Germany, for example, is expected to be tougher on enforcement of GDPR than elsewhere on the continent, given that data protection there is conducted at the state level. Conversely, the U.K. has traditionally been the member state to push back against any overt data-privacy regime that could impede global trade.

2. What are the penalties for non-compliance with GDPR?

Penalties can be a fine of up to €20 million or 4 percent of a company’s annual revenue, whichever is higher. The latter is the steeper penalty, and the assumption is that it will be levied in severe cases where a company has totally disregarded data privacy. The supervisory authority decides the fine’s amount based on the circumstances and the level of the violation.

3. What is a GDPR Data Processing Operation?

  • A data subject is the person about whom data is being collected.
  • The data controller is the person or organization that decides why personal data is held or used, and how it is held or used.
  • Any person or organization that holds or uses data on behalf of the data controller is a data processor.

The good news is that organizations have become significantly better at containing breaches, with the average time dropping from 70 days in 2016 to 55 days. However, on average companies take nearly 200 days to detect a breach.

4. How does the GDPR handle this?

The GDPR’s notification clock runs from the time a breach is detected to the time impacted parties are notified about it. However, part of the security-for-privacy concept is being able to detect breaches in the first place, and having best-practice tools and processes in place to do so.

5. What documentation do we need to prove that we’re GDPR compliant?

GDPR, compared to the Data Protection Act that it replaces, states there is a need to demonstrate compliance. According to Article 5(2) of the regulation, “The controller [i.e. your company] shall be responsible for, and be able to demonstrate compliance”.

It is a good idea to document everything about your GDPR process, so that it is clear you have taken the right investigative steps and have taken reasonable steps to fix any issues. You then have a document you can point to if you’re ever asked any questions.

6. What are the data requirements for GDPR?

  • Data can only be processed for the reasons it was collected
  • Data must be accurate and kept up-to-date or else should be otherwise erased
  • Data must be stored such that a subject is identifiable no longer than necessary
  • Data must be processed securely

7. Is GDPR training mandatory for staff and management?

Anyone whose job involves processing personal data needs to undertake data protection and data handling training. This includes full-time staff, third-party contractors, temporary employees, and volunteers.

8. Does GDPR compliance differ based on the number of employees a company has?

GDPR doesn’t differentiate between the size of organizations.

9. What type of language should be included in a consent policy?

Check out the Tessian privacy policy, which shows you how detailed consent needs to be.

10. Is appointing a DPO mandatory?

GDPR requires appointing a DPO when an organization performs data processing on a large scale, processes certain types of data or processes data on an ongoing basis as opposed to a one-time process.

11. What happens if some data is processed outside the EU?

The GDPR allows data transfers to countries deemed by the European Commission to provide an adequate level of personal data protection. In the absence of such an adequacy decision, transfers to non-EU states are also allowed under certain circumstances, such as standard contractual clauses or binding corporate rules.

12. Does GDPR affect US-based companies?

Any U.S. company that has a web presence and markets its products over the web will have to take notice. Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.

13. If we are based in the US, have EU citizen data and experience a breach, who do we notify?

There are rules around what authority should be notified based on criteria like the situation, the organization and where the processing occurs.

How can Tessian make you GDPR Compliant?

Under GDPR, an organization is most likely to suffer a fine or penalty due to data loss through a misdirected email. Misdirected emails were the number one form of data loss reported to the Information Commissioner’s Office (ICO) in 2017. Notable examples of penalties issued by the ICO for misaddressed emails include the 56 Dean Street clinic, which was fined £180,000 for inadvertently disclosing the identities of HIV-positive patients, and Dyfed-Powys Police, which was fined £150,000 for inadvertently disclosing the identities of registered sex offenders to a member of the public.

GDPR forces organizations to report all personal data breaches to the appropriate governing body and maintain a register of these internally. Under GDPR, organizations have an obligation to report misdirected emails to the ICO and face fines of up to 4% of global turnover depending on the severity of the breach. Given that misdirected emails are the number one type of data security incident currently reported to the ICO, this should be of significant concern for all organizations in the transitioning years toward GDPR.

Tessian uses machine learning to automatically detect when emails are being sent to the wrong person. This allows organizations to prevent information being sent to the wrong recipient and, crucially, to retain an audit log of the warning messages shown to users when sending emails, together with the response each user made to the warning.

The audit feature and preventative nature of Tessian align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32).

Furthermore, as increasing numbers of firms adopt Tessian’s technology and take on a role advising other companies in their transition to GDPR, simply relying on staff being as careful as possible, together with internal training, becomes an untenable posture for protecting personal data.

I'm an expert well-versed in the intricacies of the General Data Protection Regulation (GDPR) and its implications for businesses and organizations. My expertise is grounded in a thorough understanding of the legal framework, enforcement mechanisms, and practical implications of GDPR compliance.

Let's delve into the concepts presented in the article:

1. Enforcement of GDPR

The GDPR is enforced across the European Union, with each member state responsible for enforcement. There are 28 different countries, each with its own supervisory authority overseeing auditing and enforcement. The level of enforcement can vary among member states, with Germany expected to be more stringent compared to others.

2. Penalties for Non-Compliance

Penalties for non-compliance with GDPR can be substantial, with fines reaching up to €20 million or 4% of a company's annual revenue, whichever is higher. The severity of the penalty is determined by the supervisory authority based on the circumstances and the level of violation.

3. GDPR Data Processing Operation

Key players in GDPR data processing include the data subject (person about whom data is collected), data controller (decides why and how data is held), and data processor (entity holding or using data on behalf of the data controller). The GDPR emphasizes the need for organizations to promptly detect and notify breaches.

4. Breach Detection and Notification

GDPR addresses the time between detecting a breach and notifying affected parties. It highlights the importance of having effective tools and processes in place for breach detection. The average time to detect breaches has improved, but organizations still take around 200 days on average to detect a breach.

5. Documentation for GDPR Compliance

Documentation is crucial for demonstrating GDPR compliance. The regulation requires organizations to be responsible for and able to demonstrate compliance. Keeping records of the GDPR process helps prove that appropriate steps have been taken to address any issues.

6. Data Requirements for GDPR

GDPR outlines specific requirements for data processing, including processing data only for the intended purposes, ensuring accuracy, and securely processing and storing data.

7-13. Various Aspects of GDPR Compliance

The article covers a range of topics, including mandatory GDPR training for staff, the lack of differentiation based on the size of organizations, consent policy language, the appointment of a Data Protection Officer (DPO), handling data processing outside the EU, and the impact of GDPR on U.S.-based companies.

Tessian's Role in GDPR Compliance

The article introduces Tessian's role in GDPR compliance, specifically in preventing data loss through misdirected emails. Tessian employs machine learning to automatically detect and prevent emails from being sent to the wrong recipients, aligning with GDPR requirements for implementing technical and organizational measures to ensure data security.

In summary, the article provides a comprehensive overview of key GDPR concepts and emphasizes the importance of compliance in today's data-driven landscape, with Tessian serving as a technological solution to address specific challenges related to misdirected emails and data security incidents.

Article information

Author: Jamar Nader