The Internet has changed drastically in the past few years. Consumers have become very aware of privacy issues, and many want to be in control of the data that they create and share online. European regulators noticed that customers were being negatively affected by the lack of proper regulation. It is for this reason that they created the General Data Protection Regulation (GDPR).

The data privacy rules which firms are required to follow under GDPR are stringent, and the penalties for violations are steep.

GDPR requirements

  1. Obtaining consent
  2. Timely breach notification
  3. Right to data access
  4. Right to be forgotten
  5. Data portability
  6. Privacy by design
  7. Potential data protection officers

Challenge For Privacy

Being aware of the data handled is just the first step for organizations, which are then required to pay close attention to the legal basis for the processing of all personal data. Where relying on consent, small and medium-sized companies first need to know as quickly as possible when this consent is obtained, even for existing customers. Moreover, organizations are required to guarantee their data subjects the basic rights listed in the GDPR, which implies that organizations have to be sure that systems and processes are in place for these rights to be met. Data protection has to be built into the systems and processes used inside a company before processing begins.

Challenge For Security

Data must be kept safe, but there are various kinds of data, each with a different level of associated risk. Once they have identified the kind of data handled, organizations are also required by the GDPR to evaluate which types of data processing could result in a high risk for individuals. The ideal targets for hackers are SMEs that are part of a bigger supply chain, since most of the time they represent a way to reach the “big players” at the top, to whom the SMEs act as suppliers.

Challenge For Governance

Dealing with data implies a new way to review internal and external management systems. Implementing a system for the management of personal data, including what the company is expected to do in case of a data breach, means that there should be a policy shared by all staff informing them about procedures, the data retention periods set by the company, and the purposes of the data processing in place. At the same time, governance is also a matter of nurturing the company’s relationships with third parties – suppliers in the first place. This could happen with IT services, where the customer (the company) is a controller and the IT service provider acts as a processor. The same kind of relationship could be the basis of the contract with a supplier in charge of the employee payroll. In both of these situations, the company is expected to require a contract under which technical and organizational measures or standards are implemented to manage data and keep it safe.

We can therefore say that the GDPR is more than a set of rules that every organization, even the smallest one, has to comply with. It is a regulation that – along with setting requirements – also helps and recommends, all with the aim of protecting personal data.
