8 Things to Know About the GDPR
German summary below.
And companies only have around 500 days left to prepare all of the necessary data security and data privacy measures. Enough time? Only if you start right away with a dedicated project, said SEC Consult General Manager Markus Robin and data privacy expert Dr. Rainer Knyrim at the SEC Consult Business Breakfast on November 16, 2016 in Vienna. Both experts explained what to know about the new regulation and which steps to take to be “data-ready” when the law comes into force in May 2018.
Around 50 guests from business, finance and the public sector joined the SEC Business Breakfast to inform themselves about the upcoming EU General Data Protection Regulation. The tenor of the audience: it comes sooner, hits harder and is more serious than expected. Companies must implement organizational and technical protection measures in the areas of privacy and data security, and these measures must be proven and documented. While the topic is complicated and far more complex than two hours could ever cover (we nonetheless tried in a previous blog post), Markus Robin and Dr. Rainer Knyrim broke down the most important things to know:
1. No one is excepted
No matter which sector, size or state: if data of EU citizens are processed, companies fall under the legal requirements of the GDPR. This includes employee data. It is important to categorize all data to gain an overview and enable a meaningful risk analysis.
2. Two-year implementation period
The EU General Data Protection Regulation is part of the EU data privacy reform and came into force on May 24, 2016. Exactly two years later, on May 25, 2018, all affected companies and their applications must be able to prove and document organizational and technical protection measures regarding personal data.
3. Special categories of data – we all have them
By definition, sensitive data arise when facts about religion, health, sexuality or other very personal information are stored. So even if you are not a health institution, you probably still collect data on your employees’ sick leave, which already makes it sensitive data in your company.
4. From 10k to 10 million euro
If 10k didn’t hurt, 10 million euro probably will. The penalty for not fulfilling the necessary measures will be determined by the preparations actually made, but can reach up to 20 million euro or four percent of the prior year’s sales. With that, the new level of penalties is no joke and corresponds to several annual IT budgets.
5. Policies and compliance for service providers
Companies need to make sure that their whole service chain follows the rules of the data protection regulation. Current and future supplier contracts must be based on the company’s own data processing contracts; otherwise this could lead to complicity in case of abuse, or to lost proposals.
6. Workshops, workshops, workshops
The best security measures won’t be enough if employees are not sensitized to data privacy and security. Regular workshops can help prevent data leaks or abuse caused by unawareness or human error, because “fake president” frauds and other easily executed phishing mails alone offer enough room for crucial mistakes.
7. Everything must be documented
“Yeah, we’ve done everything we could” won’t be enough when it comes to proving all the preparations a company has made with regard to the GDPR. Everything should be documented: spreadsheets, data directories or, for example, even lists of the time and date of penetration tests, employee trainings or information mailings.
8. Sample inspections are already being held
Bad news for companies that still believe there is enough time left: the responsible authorities have already started sample inspections. Of course, penalties are currently very low, but early preparation could give inspected companies a good standing with state officials.
Given the short implementation period of now a mere 500 days, Markus Robin and Dr. Rainer Knyrim recommend:
Start a Risk Analysis and Prepare an Implementation Plan – NOW!
Find an Implementation-Partner
Join the next SEC Business Breakfast to stay up to date on cyber security issues and register now.
About the SEC Business Breakfast
SEC Business Breakfast is a networking series by SEC Consult on current cyber security topics, addressed to chief information officers. A casual environment with a delicious breakfast provides space for networking and discussion, as well as insights and recommendations from security experts.
SEC Business Breakfast: "Nothing works without data processing!"
And companies only have around 500 days left to implement the necessary data protection and data security measures. Enough time? Only if you start right away and set up a dedicated project for it, say SEC Consult General Manager Markus Robin and data protection expert Dr. Rainer Knyrim. At the SEC Consult Business Breakfast on November 16 in Vienna, the two experts explained in a few steps what there is to know about the new regulation and what it takes to be “data-fit” when the law comes into force in April 2018.
Further information on the EU GDPR can be found here.