GDPR is not bad. Be careful, but do not panic

Many commentators offer almost apocalyptic visions of the GDPR, the General Data Protection Regulation, which comes into force on 25 May. The penalties provided for in the GDPR make a big impression, but remember that there may be mitigating circumstances on the business's side that reduce a fine or lead to it being waived altogether.

Caution - yes, panic - no

As is well known, the GDPR makes it possible to impose significant fines on organizations that do not adequately protect personal data. The amounts referred to in the GDPR (up to 4% of a company's global annual turnover or 20 million euros, whichever is higher) stimulate the imagination and come up in almost every discussion of the regulation. But should we assume that such penalties will actually be imposed?

In our opinion, there is no reason to panic. It is necessary to approach the storage of personal data reasonably, taking care of its security and not disregarding the requirements resulting from the GDPR. In many organizations, this is a good time to verify whether the personal data they hold is necessary to conduct business. In the event of a security breach, the company will have to prove that it made good decisions regarding the processing of personal data.

- comments Jolanta Malak, regional director of Fortinet in Poland.

Breaches are inevitable

According to a study conducted by Fortinet, as many as 95% of enterprises in Poland fell victim to security breaches in 2015-2017.

Modern attacks are so advanced that the risk of their occurrence can be reduced, but it is difficult to eliminate them completely. The provisions of the GDPR suggest that sanctions for personal data breaches will be applied differently depending on whether the breach resulted from a cyber attack or from inappropriate data storage by the enterprise. It is therefore worth preparing appropriate, well-implemented data security mechanisms that allow conscious use of customer and employee databases and reduce the risk of losing control over them.

It is worth recalling here the figures from the Trustwave 2017 Global Security Report: a cybercriminal has on average 65 days before the attack is detected. The longer such a "window" remains open, the more time the criminal can devote to searching for, finding and stealing data.

If a company detects a personal data breach covered by the GDPR, it has 72 hours from becoming aware of it to report the breach to the competent supervisory authority, unless, as art. 33 of the GDPR puts it, "the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". This means that within three days the company should determine which personal data the breach concerns, what categories of data and roughly how many people were affected, and what the likely consequences of the breach are for the individuals concerned.

In order to meet these requirements, a company that has detected a data breach must quickly identify the systems the criminal has gotten into. Usually, it is necessary to examine the network traffic and check individual devices and applications.

- explains Robert Dąbrowski, head of the Fortinet engineering team.

However, an enterprise that decides not to report a breach to the supervisory authority must be certain that the GDPR allows it to do so. Note that art. 33(5) requires the controller to document every personal data breach, its effects and the remedial action taken, regardless of whether it was reported, so the reasoning behind a decision not to notify should be written down as well.


Modern security is the key

The GDPR encourages enterprises to implement modern security technologies. This is art. 25 of the Regulation: "Taking into account the state of the art, [...] the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles [...] in an effective manner ...".

Although the GDPR nowhere defines the term "state of the art", it clearly indicates that pseudonymisation is an example of such a measure. Pseudonymisation consists in replacing personal identifiers, such as first and last names, with consistent strings that serve as pseudonyms and can be reversed only with additional information. That additional information, the key, is a separate file that maps each personal identifier to the pseudonym assigned to it, and the GDPR (art. 4(5)) requires it to be kept separately and protected by technical and organisational measures. Two caveats matter in practice: pseudonymised data is still personal data under the GDPR (recital 26), and if the key file is stored or leaked together with the dataset, the pseudonymisation provides no protection at all.
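The following Python is an added example of the scheme described above; it is not code from the article or from Fortinet or AVLab. Its assumptions, which are not in the original text: a pseudonym is derived as HMAC-SHA256 of the identifier under a secret key (so the same identifier always yields the same pseudonym, while the identifier cannot be recovered from the pseudonym alone), reversal goes through a key table that is serialised for storage in its own protected file, and the customer records are constructed sample data.

```python
"""Pseudonymisation with a separately kept key table (added example).

Not from the article. Assumptions (not in the original text):
  * pseudonym = "P-" + first 128 bits of HMAC-SHA256(secret_key, identifier)
    in hex; deterministic, so repeated records get the same pseudonym;
  * reversal is only possible via the key table (pseudonym -> identifier),
    which is written to a separate file and must be access-controlled apart
    from the pseudonymised dataset and from the secret key;
  * CUSTOMERS below is constructed sample data, not real persons.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Iterable, List, Optional

# Fields treated as direct identifiers; every other field is left untouched.
IDENTIFIER_FIELDS = ("first_name", "last_name", "email")

# Constructed sample data (the third record is a repeat customer).
CUSTOMERS: List[Dict[str, str]] = [
    {"first_name": "Jan", "last_name": "Kowalski",
     "email": "jan.kowalski@example.com", "plan": "gold"},
    {"first_name": "Anna", "last_name": "Nowak",
     "email": "anna.nowak@example.com", "plan": "basic"},
    {"first_name": "Jan", "last_name": "Kowalski",
     "email": "jan.kowalski@example.com", "plan": "gold"},
]


class Pseudonymiser:
    """Replaces direct identifiers with consistent, reversible pseudonyms."""

    def __init__(self, secret_key: bytes,
                 key_table: Optional[Dict[str, str]] = None) -> None:
        if len(secret_key) < 32:
            raise ValueError("secret key must be at least 32 bytes")
        self._key = secret_key
        # pseudonym -> original identifier: this is the "separate file".
        self._key_table: Dict[str, str] = dict(key_table or {})

    @classmethod
    def from_key_table_json(cls, secret_key: bytes, text: str) -> "Pseudonymiser":
        """Rebuild a pseudonymiser from a stored key table."""
        return cls(secret_key, json.loads(text))

    def pseudonym(self, identifier: str) -> str:
        mac = hmac.new(self._key, identifier.encode("utf-8"),
                       hashlib.sha256).hexdigest()
        token = "P-" + mac[:32]  # 128 bits: collisions are negligible
        self._key_table[token] = identifier
        return token

    def reidentify(self, token: str) -> str:
        """Reverse a pseudonym; only a holder of the key table can do this."""
        return self._key_table[token]

    def pseudonymise(self, record: Dict[str, str]) -> Dict[str, str]:
        out = dict(record)
        for field in IDENTIFIER_FIELDS:
            if field in out:
                out[field] = self.pseudonym(out[field])
        return out

    def key_table_json(self) -> str:
        """Serialise the key table for storage in a separate, protected file."""
        return json.dumps(self._key_table, sort_keys=True)


def leaks_identifiers(records: Iterable[Dict[str, str]],
                      identifiers: Iterable[str]) -> bool:
    """True if any original identifier value survives verbatim in records."""
    ids = set(identifiers)
    return any(value in ids for rec in records for value in rec.values())


def pseudonymise_dataset(secret_key: bytes):
    """Pseudonymise CUSTOMERS; returns (records, key table JSON)."""
    p = Pseudonymiser(secret_key)
    records = [p.pseudonymise(c) for c in CUSTOMERS]
    return records, p.key_table_json()


if __name__ == "__main__":
    key = secrets.token_bytes(32)      # keep this out of the dataset too
    records, key_table = pseudonymise_dataset(key)
    print(json.dumps(records, indent=2))
    print("key table (store separately):", key_table)
```

The dataset that leaves the pseudonymiser carries only `P-...` tokens plus the non-identifying fields, so a copy of it alone does not re-identify anyone; the same person still maps to the same token, which keeps joins and deduplication working. Whoever holds both the key table and the dataset can re-identify everyone, which is why the GDPR's definition insists the additional information be kept separately.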

What counts as "state of the art", however, keeps changing as the market for IT solutions evolves, so the measures considered adequate today will need to be revisited.

GDPR: No time for panic

Until the GDPR enters into force, no one knows exactly how individual countries will enforce its provisions. Interesting in this context is a statement by Elizabeth Denham, the UK Information Commissioner, who wrote on her blog:

It is scaremongering to suggest that from the outset we will make examples of companies for minor infringements or that maximum penalties will become the norm.

Nevertheless, preparing for the GDPR means paying attention to every aspect of the company's approach to security. Any organization in the world that processes the personal data of EU residents must now reliably assess its IT security infrastructure and draw the appropriate conclusions from that assessment. This should be done meticulously and carefully, but there is certainly no need to panic.


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.