GDPR - The Bunker Secure Hosting

General Data Protection Regulation (GDPR) Infographic

The General Data Protection Regulation (GDPR) is the biggest shake-up to privacy regulation in 20 years.

What is GDPR?

GDPR is a set of rules and regulations designed to strengthen and unify data protection for individuals within the EU, enabling people to better control their personal data.

GDPR will give EU citizens:

• Easier access to their personal data
• The right to data portability
• The right to “be forgotten”
• The right to know about data breaches

New principles under the GDPR:

• Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner
• Purpose limitation: personal data must only be collected for specified, explicit and legitimate purposes
• Data minimisation: personal data must be adequate, relevant and limited to only what is necessary
• Accuracy: personal data must be accurate and, where necessary, kept up to date
• Storage limitation: personal data must be kept in a format that permits identification of data subjects for no longer than necessary
• Integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security of the data
• Accountability: the data controller shall be responsible for, and able to demonstrate, compliance with these principles


Rapid Growth of Global Data

• Experts estimate a 4,300% increase in annual data generation by 2020
• Over one-third of data will live in or pass through the cloud
• 80% of all data is stored by enterprises

Increase in Frequency, Size and Scale of Data Breaches

Cyber criminals compromised more than a billion data records in 2014 in more than 1,500 security breaches, equating to 32 records lost or stolen every second.

This is a 49% increase in data breaches and a 78% increase in the number of records lost or stolen compared to 2013.

In 2005, 157 data breaches were reported in the U.S. In 2014, 783 data breaches were reported, an increase of almost 500%. Despite this, only 28% of security breaches were disclosed last year.

How Will GDPR Affect EU Organisations?

Any EU organisation that collects and stores personally identifiable information (PII) will be subject to the rules and regulations set out in the GDPR. The GDPR applies to any entity managing EU citizens’ data, irrespective of its location. European countries have two years to comply, by 25th May 2018.

Data breaches must be reported within 72 hours of the breach occurring. Data breaches that must be reported include:

• Confidentiality breaches: unauthorised access to, or disclosure of, personal data
• Integrity breaches: the unauthorised alteration of personal data
• Availability breaches: the accidental or unlawful destruction or loss of personal data

All organisations need to implement a wide range of measures including privacy impact assessments (PIAs), audits, policy reviews and activity records.

What Will Happen to Organisations that Fail to Comply?

Administrative Fines

• Data breaches: up to €10m or 2% of global turnover, whichever is greater
• Non-compliance: up to €20m or 4% of global turnover, whichever is greater

Is Your Company Ready for GDPR?

90% of Europeans want the same data protection rights across the EU.

According to a survey of IT departments by Ipswitch in 2014:

• 56% of respondents could not accurately identify what “GDPR” means
• Only 12% of respondents felt ready for the change
• 52% admitted they were not ready for GDPR
• 35% confessed to not knowing whether their IT policies and processes were up to the job
• Just 13% planned to invest more time understanding and preparing for GDPR

Key Obligations

• Privacy by design: organisations must implement measures to show that they have considered and integrated data compliance measures
• Privacy Impact Assessments (PIAs): the GDPR formalises a requirement for PIAs to be carried out
• Appointment of a Data Protection Officer (DPO): Article 37 requires controllers and processors of personal information to designate a data protection officer

The Bunker Can Help with GDPR

The introduction of GDPR means that if you are using someone to do something for you, and that involves systems upon which PII is processed, stored and transmitted, you now have a legal obligation to ensure you know who they are and what they are doing. For The Bunker, however, the requirements of the GDPR do not represent anything new or challenging, because for us they are business as usual. We build to the PCI DSS standard whether clients request it or not, and we have been doing so for a long time. We have all the appropriate controls in place and the documentation and certifications to demonstrate compliance to any information security mandate.

Data Sources

• The Bunker: http://www.thebunker.net/resource/what-the-general-data-protection-regulation-gdpr-means-for-customers-and-suppliers-in-the-it-outsourcing-supply-chain/
• Computer Weekly: http://www.computerweekly.com/news/2240240346/Data-breaches-up-49-in-2014-exposing-more-than-a-billion-records
• Privacy Rights Clearing House: http://www.privacyrights.org/data-breach
• CSC: http://www.csc.com/insights/flxwd/78931-big_data_universe_beginning_to_explode
• Digital Guardian: https://digitalguardian.com/blog/history-data-breaches

The Bunker Secure Hosting, Ash Radar Station, Marshborough Road, Sandwich, Kent CT13 0PL www.thebunker.net

01304 814800
