WHAT IS THE GDPR?

The GDPR is sweeping new European Union (EU) legislation that modernizes and reforms the laws governing the handling of personal data. It replaces the Data Protection Directive (95/46/EC), which, as a directive, had to be transposed into each member state's national law and was therefore implemented inconsistently across Europe; the GDPR is a regulation and applies directly in every member state.
The GDPR requires organizations to protect the personal data and privacy of individuals in the EU for processing that takes place in the EU, and it regulates the transfer of personal data outside the EU.
The GDPR also introduces penalties for organizations that break the rules, as well as remedies for the individuals whose data is affected, including by a data breach.


What kind of data does the GDPR protect?

The regulation applies to a broad array of personal data, including a person's name and government ID numbers. It also protects information that can show a person's activity both online and in the real world. That includes location information, as well as IP addresses, cookies and other data that lets companies track users as they browse the internet.

Highlights

  • The GDPR applies in all 28 EU member states and, as a regulation, has the full force of law without any national implementing legislation.
  • It applies to the personal data of individuals in the EU (citizenship is not the test), and it binds organizations established in the EU as well as organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, regardless of where the data is collected, stored, or processed.
  • If your company collects and stores the personal data of people in the EU, the GDPR is relevant to your organization even if you have no formal presence in the EU.
  • There is a transition period of two years for organizations to implement compliant processes. The regulation was adopted in April 2016 and applies from 25 May 2018.
  • The GDPR does not apply to the processing of personal data for national security purposes or in the course of a "purely personal or household activity."

Security Actions required

Article 32 of the GDPR names specific security measures that may be required, "as appropriate" to the risk of the processing:

  • The pseudonymization and encryption of personal data.
  • A process for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures that ensure the security of the processing.
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  • The ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident.
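The first measure above, pseudonymization, is the one most often done badly: replacing an e-mail address with its plain SHA-256 hash is not pseudonymization in the Article 4(5) sense, because anyone can hash a list of candidate addresses and link the records back. The following added example (written for this page, not Prithost's code) contrasts that naive approach with a keyed HMAC whose key is held separately from the dataset, so re-identification requires the key. The customer records, the guess list and the key generation are all constructed for the example; in practice the key would live in a KMS or HSM, not next to the data.

```python
"""Pseudonymization of personal data with a keyed hash (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records; the e-mail addresses are fictitious.
RECORDS = [
    {"email": "alice@example.com", "country": "DE", "purchases": 3},
    {"email": "bob@example.org", "country": "FR", "purchases": 1},
    {"email": "alice@example.com", "country": "DE", "purchases": 2},
]

# Constructed "guess list" an attacker might hold (leaked address lists,
# company directories). Real lists are far larger, which is the point.
GUESS_LIST = ["alice@example.com", "bob@example.org", "carol@example.net"]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone can test guesses against it."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept outside the analytics dataset.

    Without the key the pseudonym cannot be linked back to the identifier;
    the key is the 'additional information' that Art. 4(5) says must be kept
    separately. Lower-casing keeps the mapping stable for one person.
    """
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Return copies of the records with the e-mail replaced by a keyed pseudonym."""
    out = []
    for r in records:
        copy = dict(r)
        copy["subject_id"] = keyed_pseudonym(copy.pop("email"), key)
        out.append(copy)
    return out


def reidentify_by_guessing(pseudonym: str, guesses, key: Optional[bytes] = None):
    """Dictionary attack: hash each guess the same way and compare.

    Succeeds against naive_pseudonym with no secret at all; against
    keyed_pseudonym it succeeds only for whoever holds the key.
    """
    for g in guesses:
        candidate = naive_pseudonym(g) if key is None else keyed_pseudonym(g, key)
        if hmac.compare_digest(candidate, pseudonym):
            return g
    return None


def aggregate_purchases(pseudo_records):
    """Analytics still works on pseudonymous data: purchase totals per subject."""
    totals = {}
    for r in pseudo_records:
        totals[r["subject_id"]] = totals.get(r["subject_id"], 0) + r["purchases"]
    return totals


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated here for the demo; keep it in a KMS/HSM
    pseudo = pseudonymize(RECORDS, key)
    print(aggregate_purchases(pseudo))
    # The unkeyed hash falls to a guess list:
    print(reidentify_by_guessing(naive_pseudonym("alice@example.com"), GUESS_LIST))
    # The keyed pseudonym does not, unless the attacker also holds the key:
    print(reidentify_by_guessing(pseudo[0]["subject_id"], GUESS_LIST))
    print(reidentify_by_guessing(pseudo[0]["subject_id"], GUESS_LIST, key))
```

Two design points worth noting: the pseudonym is deterministic so that the same person's records can still be joined and aggregated, which is what makes pseudonymized data useful; and rotating or destroying the key is what turns the dataset from pseudonymous into effectively anonymous for everyone who never held it.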

Personal data

The GDPR protects the personal data of individuals in the EU. Data deemed personal includes:

  • Basic identity information such as name, email address, postal address, and ID numbers
  • Web and device data such as location, IP address, cookie identifiers, and RFID tags
  • Health, genetic, and biometric data
  • Racial or ethnic origin
  • Political opinions
  • Sexual orientation

The last four are "special categories" of personal data under Article 9, which may be processed only under narrower conditions.

NOTABLE CHANGES

Stricter consent rules

  • Where processing relies on consent, the GDPR requires that it be freely given, specific, informed, and unambiguous, and obtained before the data is processed. Consent cannot be inferred from silence, pre-ticked boxes, or inactivity.

Enhanced rights for data subjects

  • Individuals have more rights under the GDPR, including the rights to have their personal data erased, to have inaccurate data corrected, to object to direct marketing, and to receive their personal data in a portable format and have it transmitted to another service provider.

Data breach notification

  • Organizations must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be notified without undue delay.

Increased accountability measures

  • There are a number of new governance requirements for organizations subject to the regulation, including conducting data protection impact assessments (DPIAs) for high-risk processing and appointing a data protection officer where required.

Substantial fines

  • Maximum penalties are €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.

DATA MINIMIZATION VS DATA MAXIMIZATION

Today most businesses and their marketing teams practise data maximization: collecting as much data about consumers as possible, often before they know exactly what, how, or when that data will be used, and then extracting as much value from it as they can, including reusing it for other purposes or selling it to a third party. One of the central tenets of the GDPR is the opposite principle of data minimization: personal data must be adequate, relevant, and limited to what is necessary for the stated purpose, kept for no longer than that purpose requires, and deleted once the purpose has been served.


Ready to Comply with GDPR?

Today, I’m very pleased to announce that our services comply with the General Data Protection Regulation (GDPR). This means that, in addition to benefiting from all of the measures that Prithost already takes to maintain service security, customers can deploy our services as a key part of their GDPR compliance plans.

This announcement confirms we have completed the entirety of our GDPR service readiness audit, validating that all generally available services and features adhere to the high privacy bar and data protection standards required of data processors by the GDPR.

Along with this announcement, I’d like to highlight the following examples of ways Prithost can help you accelerate your own GDPR compliance efforts.


Compliance-enabling Services

Many requirements under the GDPR focus on ensuring effective control and protection of personal data. Our services give you the capability to implement your own security measures in the ways you need in order to enable your compliance with the GDPR, including specific measures such as:

  • Encryption and pseudonymization of personal data
  • Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • Ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident
  • Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing

Security of Personal Data

During our GDPR service readiness audit, our security and compliance experts confirmed that Prithost has in place effective technical and organizational measures for data processors to secure personal data in accordance with the GDPR.

Security remains our highest priority, and we continue to innovate and invest in a high bar for security and compliance across all global operations.


GDPR – ARE YOU READY?

The European Union has a new privacy law, the GDPR, which applies from 25 May 2018 and, unlike previous EU data protection law, is explicitly extra-territorial: it applies to organizations outside the EU that process the personal data of people in the EU. We’ve put together a breakdown of what it means for you as a website owner.

The GDPR was introduced to protect the personal data of individuals in the EU. Update your data protection policy and become GDPR compliant.

For the GDPR's definitions (Article 4), see: https://gdpr-info.eu/art-4-gdpr/