EU General Data Protection Regulation (EU GDPR)

One small element of the GDPR, but an important one: Keep Compliant with Kingston Encrypted USB

Manage Threats and Reduce Risks

Available options cover every need, from personal and corporate to government.

  • 100% compliant encrypted USB data storage
  • Simple, easy to use, no software or drivers needed
  • Designed for quick and efficient deployment

EU GDPR: Top 5 main areas to be aware of

  1. Encryption - Security of data processing standards (Article 32, Security of processing)
  2. Appoint Data Protection Officers (DPOs)
  3. Establish a Cyber Security Programme
  4. Documented Accountability
  5. Understand Consent

Are there any penalties for non-compliance?

  • Under GDPR, organisations in breach of the regulation can be fined up to 4% of annual global turnover or €20 million (roughly US$21.952 million), whichever is greater.
  • Companies can be fined 2% for not having their records in order (Article 28), for not notifying the supervising authority and the data subject about a breach, or for not conducting an impact assessment.
  • It is important to note that these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.

What Do I Need To Know?

How does this affect my business?

  • Any company that works with information relating to EU citizens will have to comply
  • Applies to all organisations, EU and non-EU, that process data of EU citizens
  • Requires organisations that process or hold personally identifiable information to implement adequate security measures to protect against the loss of personal data.

What should my business do to be compliant?

  • Self-evaluate - A Data Protection Officer is needed for companies that employ 250 or more people. Organisations must conduct an internal review of how the personally identifiable information of their employees and customers is handled
  • Document internal and external products/devices that store data - A record must be kept of the company equipment used and covered under your data security policy, to ensure that data encryption is used. This includes items such as servers, hard drives, SSDs, USB Flash drives, computers and mobile devices
  • Inventory Analysis - Evaluate the amount of personal data in totality
  • Purge - Eliminate archives of unnecessary personally identifiable information (PII)
  • Controllers of Information - Review the privacy risk and perform impact assessments
  • Contracts - Future-proof your business by enacting policies now that will become mandatory after the effective start date in May 2018
  • Data Breaches - Regulation requires notice within 72 hours

Solution - Implement appropriate safeguards, technical standards and policies, such as encryption of personal data / personally identifiable information (PII), to mitigate the risk of non-compliance.

Data encryption

  • A Kingston and IronKey Encrypted USB drive is one of the solutions to standardise on for data encryption compliance
  • Implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including…encryption of personal data” (Article 32, Security of processing)
  • The proposal calls for organisations to encrypt sensitive data both when in transit and at rest.
  • It requires organisations that process or hold personally identifiable information of EU residents to implement adequate security measures to protect against the loss of personal data.
  • Organisations will be required to include these enhanced data processing standards in their contracts with third-party service providers.

Increased Territorial Scope (extra-territorial applicability)

Arguably the biggest change to the regulatory landscape of data privacy.

  • Extended jurisdiction of the GDPR applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.

Breach Notification

Notifications of data breaches must be provided within 72 hours of learning about the breach, where feasible, although notification need not be made to the DPA if it is unlikely to result in risk to the rights or freedoms of individuals.

New Consumer Rights

Consumer Benefits

  • More protection by GDPR and ability to remain anonymous
  • Gives power to consumers by empowering their rights if they do not wish to share data
  • New enhanced rights for the consumer: the ‘right to be forgotten’ and a ‘right of data portability’, allowing individuals to demand that companies end the use of their data
  • Companies that do not comply with these consumer rights will be subject to an increased number of lawsuits by consumers and legal entities

Consent

The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.

  • Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Right to be Forgotten

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent.

It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.

What is Personally Identifiable Information (PII)?

Personally Identifiable Information (PII) refers to data held about EU citizens that, if disclosed, could result in damages to those whose information has been compromised. PII might include medical records, biometric data, passport numbers, and Personally Identifiable Financial Information (PIFI) such as social security and credit card details. Information that might not be considered PII, such as a first name and surname, can become PII if linked to other data.

  • An organisation's data assets should be identified as part of a risk assessment, including how data is stored and accessed, what level of risk it is exposed to and whether it contains PII. Data assets might be stored in application databases, server file systems and on end user devices.

Highlighted Segments

  • A single set of EU-wide rules — a single EU-wide law for data protection is estimated to make savings of €2.3 billion per year
  • A data protection officer, responsible for data protection, will be designated by public authorities and by businesses which process data on a large scale
  • One-stop-shop – businesses have to deal with only one single supervisory authority (in the EU country in which they are mainly based)
  • EU rules for non-EU companies – companies based outside the EU must apply the same rules when offering services or goods, or monitoring the behaviour of individuals within the EU
  • Innovation-friendly rules – a guarantee that data protection safeguards are built into products and services from the earliest stage of development (data protection by design and by default)
  • Privacy-friendly techniques such as pseudonymisation (when identifying fields within a data record are replaced by one or more artificial identifiers) and encryption (when data is coded in such a way that only authorised parties can read it)
  • Impact assessments – businesses will have to carry out impact assessments when data processing may result in a high risk for the rights and freedoms of individuals
  • Record-keeping – SMEs are not required to keep records of processing activities unless the processing takes place on a regular basis or is likely to result in a risk to the rights and freedoms of the person whose data is being processed


Key Dates under General Data Protection Regulation (GDPR)

  • 31 January 2018 PCI-DSS v3.2 – Requirement on Multi-Factor Authentication (8.3.1) - Affects global organisations
  • 30 June 2018 PCI-DSS v3.2 – Requirements on upgrading SSL Encryption (2.2.3, 2.3, 4.1) - Affects global organisations
  • April 2018 PSD2 – Payment Services Directive 2 - Affects European businesses
  • May 2018 GDPR – General Data Protection Regulation - Affects global organisations