EU General Data Protection Regulation (EU GDPR)

Enforcement date: 25 May 2018 - at which time those organizations in non-compliance will face heavy fines.

Keep Compliant with Kingston

Available options cover every need, from personal and corporate to government.

  • 100% Compliant Encrypted USB data storage
  • Simple, easy to use, no software or drivers needed
  • Designed for quick and efficient deployment

Manage Threats and Reduce Risks

EU GDPR: the five main areas to address to make sure you’re compliant:
  1. Appoint Data Protection Officers (DPOs)
  2. Establish Cyber Security Program
  3. Security of data processing standards
  4. Documented Accountability
  5. Understand Consent
Are there any penalties for non-compliance?

  • Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
  • Companies can be fined 2% for not having their records in order (article 28), for not notifying the supervising authority and data subjects about a breach, or for not conducting an impact assessment.
  • It is important to note that these rules apply to both controllers and processors - meaning 'clouds' will not be exempt from GDPR enforcement.
Data encryption
  • Implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including…encryption of personal data" (Article 32, Security of processing)
  • The proposal calls for organizations to encrypt sensitive data both in-transit and at-rest.
  • Requires organizations that process or hold personally identifiable information of EU residents to implement adequate security measures to protect against personal data loss.
  • Organizations will be required to include these enhanced data processing standards in their contracts with third party service providers.
How does this affect my business?
  • Any company that works with information relating to EU citizens will have to comply
  • It is important to note that these rules apply to both controllers and processors - meaning 'clouds' will not be exempt from GDPR enforcement
  • Applies to all organizations - EU and non-EU - that process data of EU citizens
  • Requires organizations that process or hold personally identifiable information to implement adequate security measures to protect against personal data loss.
What should my business do to be compliant?

  • Self-evaluate
    A Data Protection Officer is needed for companies that employ 250 or more people. Organizations need to conduct an internal review of how they handle the personally identifiable information of their employees and customers
  • Map internal and external products / devices that store data
    Log the company equipment in use, require it to be covered under your data security policy and ensure data encryption is utilized. Items include, but are not limited to: servers, hard drives, SSDs, USB Flash drives, computers and mobile devices
  • Inventory Analysis
    Evaluate the amount of personal data in totality
  • Purge
    Eliminate archives of unnecessary personally identifiable information (PII)
  • Controllers of Information
    Review privacy risk and impact assessments
  • Contracts
    Future-proof your business by enacting policies now that become mandatory after the effective start date in May 2018
  • Data Breaches
    Regulation requires notice within 72 hours

Solution - Implement appropriate safeguards, technical standards and policies, such as encryption of personal data / personally identifiable information (PII), to mitigate the risk of non-compliance.

Consumer Benefits
  • More protection under GDPR and the ability to remain anonymous
  • Gives power to consumers by strengthening their right to refuse to share data
  • New enhanced rights for the consumer - the ‘right to be forgotten’ and a ‘right of data portability’ - which let them require companies to end use of their data
  • Companies that do not comply with these consumer rights are subject to more lawsuits by consumers and legal entities
Increased Territorial Scope (extra-territorial applicability)

Arguably the biggest change to the regulatory landscape of data privacy.

  • Extended jurisdiction of the GDPR applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.
Consent

The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.

  • Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Breach Notification

Notifications of data breaches must be accomplished within 72 hours of learning of the breach, where feasible, although notification need not be made to the DPA if it is unlikely to result in risk to the rights or freedoms of individuals.

Right to be Forgotten

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent.

It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.

What is Personally Identifiable Information (PII)?

Personally Identifiable Information (PII) refers to data held about EU citizens that, if disclosed, could result in damages to those whose information has been compromised. PII might include medical records, biometric data, passport numbers, and Personally Identifiable Financial Information (PIFI) such as social security and credit card details. Information that might not be considered PII, such as first name and surname, can become PII if linked to other data.

  • An organization's data assets should be identified as part of a risk assessment, including how data is stored and accessed, what level of risk it's exposed to and whether it contains PII. Data assets might be stored in application databases, server file systems and on end user devices.
Highlighted Segments
  • A single set of EU-wide rules — a single EU-wide law for data protection is estimated to make savings of €2.3 billion per year
  • A data protection officer, responsible for data protection, will be designated by public authorities and by businesses which process data on a large scale
  • One-stop-shop – businesses only have to deal with one single supervisory authority (in the EU country in which they are mainly based)
  • EU rules for non-EU companies – companies based outside the EU must apply the same rules when offering services or goods, or monitoring behaviour of individuals within the EU
  • Innovation-friendly rules – a guarantee that data protection safeguards are built into products and services from the earliest stage of development (data protection by design and by default)
  • Privacy-friendly techniques such as pseudonymisation (when identifying fields within a data record are replaced by one or more artificial identifiers) and encryption (when data is coded in such a way that only authorised parties can read it)
  • Impact assessments – businesses will have to carry out impact assessments when data processing may result in a high risk for the rights and freedoms of individuals
  • Record-keeping – SMEs are not required to keep records of processing activities, unless the processing is regular or likely to result in a risk to the rights and freedoms of the person whose data is being processed


Key Dates under General Data Protection Regulation (GDPR)
  • January 31, 2018 - PCI-DSS v3.2
    Requirement on Multi-Factor Authentication (8.3.1) - Affects global organizations
  • June 30, 2018 - PCI-DSS v3.2
    Requirements on upgrading SSL Encryption (2.2.3, 2.3, 4.1) - Affects global organizations
  • April 2018 - PSD2 – Payment Services Directive 2 - Affects European businesses
  • May 2018 - GDPR – General Data Protection Regulation - Affects global organizations