Data privacy is the component of data security that is focused on the compliant handling of sensitive or personal data. It is inevitably interlinked with data security, as governments across the globe have set standards for how sensitive or personal data should be protected.
But while many countries have already put regulations in place, organisations that operate internationally may be confused by the differences between each local piece of legislation. In fact, there isn’t yet a global standard for how personal information should be collected, handled and stored. For this reason, it is essential for organisations to understand the fundamentals of each region’s rules, as the fines imposed for non-compliance are substantial.
Since the introduction of GDPR in May 2018, nearly all EU member states have introduced their own supplements to the regulations. This set of laws remains the benchmark for many of the countries that are currently following suit in designing policies to protect individuals’ personal information.
The breakthrough restrictions introduced with GDPR include:
- Enabling Data Protection Authorities (DPAs) to make binding decisions and issue administrative sanctions including fines
- The right to object to processing based on controller or public interests
- Data breach notification to DPA and sometimes to data subjects
- Stronger consent requirements
- Including biometric and/or genetic data in the definition of sensitive data
- Introducing Data Protection Officers (DPOs) as a mandatory role in an organisation for certain types of personal data processing
These laws require a complex chain of responsibility overseen by a company’s DPO (or shared DPO between many companies), who essentially manages the processing and controlling of data as a program. Two years since the introduction, companies are still struggling to become compliant.
As with all privacy programs, consider your company’s path to GDPR compliance a journey rather than a static objective. Full GDPR compliance can be achieved, but it also needs to be maintained and monitored continuously, as requirements will shift over time. This is where the DPO role helps to make sure all requirements within GDPR continue to be met.
The most important thing to remember about this regulation, however, is not what it covers but that it applies extraterritorially. This means that if you handle data of European residents, or store data in Europe, then you fall under the GDPR, and it will be enforced.