The General Data Protection Regulation (GDPR) is a set of rules that requires firms to protect the data and privacy of their clients in the course of the transactions they carry out with those clients. Non-compliance on the part of a company results in penalties and other legal proceedings.
The legislation was introduced in response to growing concern among consumers about the insecurity of their data and the use of their private data, without their consent, by private firms for the firms' own purposes. The loss of banking and other financial data is a concern shared by most people, and it erodes trust between firms and the general public.
GDPR covers several categories of personal data, including:
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
The regulation came into effect on 25 May 2018. It defines several roles responsible for ensuring compliance: the data controller, the data processor and the data protection officer (DPO). The data controller determines how personal data is processed and the purposes for which it is processed. The controller is also responsible for ensuring that outside contractors comply.
In practice this means that all existing contracts with processors (e.g., cloud providers, SaaS vendors or payroll service providers) and with customers need to state the responsibilities of each party clearly. The revised contracts also need to set out, in broad terms, consistent processes for how data is managed and protected and how breaches are reported. Before those contracts can be revised, business leaders, IT and security teams need to be clear about how the data is stored and processed, and need to have collectively agreed on a compliant process for reporting.
The contract needs a clearly defined path for retrieving the information required to reach the person in your organization responsible for reporting the breach. A regulator is not going to say that there should not have been a breach; they are going to say that there should have been policies, procedures and a response structure in place to resolve such incidents quickly.