- 1 Billion data records stolen in 2014
- +78% increase in one year (2013)
- 2,803,036 data records/day
- 116,793 every hour
- 1,947 every minute
- 32 every second
Shocking worldwide stats!
The EU General Data Protection Regulation (GDPR) – is on personal data protection: processing and free movement of data.
It considers important aspects like globalization and technological developments like social media networks and cloud computing. Which the existing EU Data Protection Directive 95/46/EC does not.
What does this mean for you / your business – probably nothing at present…read on!
Do you process or store personal data?
Think payroll, personnel file, emergency contact details, pensions, product research groups, account data, retail transactions, credit / loyalty cards…the list is endless with the addition of all the app data we now collect in organisations to help us better understand our customer.
Have you ever had any personal data breaches, would you know if you had ever had any breaches? –for every 100 EU internet users 56 records are compromised.
These breaches are divided into two areas:
- 41% theft by hackers.
- 57% organisation errors, insider abuse, internal management
Retail and Finance being the most affected industries in financial accounts and account access over 50% of breaches.
Impacts of a data breach
- Financial Losses
- Board, CEO and shares affected
The Regulation sets out the following penalties:
- Fines of up to %5 of global turnover
- Cost per breached record in excess of 200Euros
- Personal liability
- Loss of reputation & customer / supplier / employee trust
Personal data & information must be:
- accurate and
- kept up-to-date &
- kept in a form
- which permits identification no longer than necessary.
… privacy by design & by default…
Jan 2016 Final publishing for the Regulation.
Compliance required within the following two years by Jan 2018
Approach: Privacy by design.
- Implement technical & organisational measures and procedures:
- … to ensure that the privacy & data protection requirements are adhered to.
- Implement mechanisms ensuring:
- … only data is processed which is “really necessary for the specific purpose” of processing
- …data is “not collected or retained” beyond the “minimum necessary”
- …the “amount of data” and “time of storage” is limited to the minimum
- …that data is “not made accessible” to an indefinite number of individuals.
Anonymisation of Data
If data is to be anonymised it must be to the point of not only removing identification marks but also removing the ability to be singled out. There for if you have a list of personal data, name details are removed but personal characteristics remain. For example hair colour and if only one person has ginger hair. It means that the person can still be singled out of the anonymised, therefore the data has not be effectively anonymised. Leading to a breach and the implications of a breach.
Consent to data must be Opt in, rather than an implied opting in with opting out being the option.
Use of children’s personal data has different terms of consent.
Do you need a Data Protection Officer (DPO)?
You need one if:
- Processing is carried out by a Public Authority or Body
- Company is established in the EU and/or uses equipment to process personal data in the EU.
- +250 employees*
- Processing of >5000 EU data subjects in a 12 month period*
- Core activities consist of operations that require regular systemic monitoring of Data Subjects
- Core activities involve processing Sensitive Personal data, location data, data about children, or employees in large scale filing systems
- Must be involved in a “timely manner” in all issues which – this has changed recently from 24hrs to a reasonable period of time (time period not specified)
- DPO must perform tasks independently and not receive any instructions on how to perform their function
- Shall report directly to the Executive Management
- Executive Management shall appoint a member who shall be responsible for compliance (or DPO is member of Ex. Mgt. team (Germany)).
- DPO is Personally liable (data processor liability applicable if DPO is proven to be compliant)
Approach: Data Quality as a driver for lowering risk & cost.
Will data privacy and protection become your companies’ differentiator?
Credit to Inpuls at the MDM DG Conference for information and statistics.
Image credit: coinoutletatm.com