3 Conflicting Things About GDPR Compliance
The General Data Protection Regulation (GDPR) is set to replace the existing data protection law of 1995 on 25th May 2018. The law requires all companies that process, store or collect the personal data of European citizens to meet the GDPR requirements before that date. The following companies will be required to demonstrate their compliance:
All companies located in European countries
Companies based outside the EU that process the data of EU citizens
Organizations with more than 250 employees
Organizations with fewer than 250 employees that process the sensitive personal data of EU residents
Those not complying with the regulation will face heavy fines and penalties. The problem for many companies is that they do not understand some of the GDPR requirements. It is recommended to consult one of the GDPR consulting firms to avoid fines.
Ambiguity about “reasonable protection”
The GDPR compliance requirements state that companies should provide “reasonable security” for citizens’ personal data, but they never explain what reasonable security means. Different people interpret it differently, and they are unsure whether their data security measures will count as "reasonable" or not. Because of this ambiguity, it is difficult for them to decide which security measures are required.
Who will be responsible for data security?
The GDPR law has assigned the role of ensuring GDPR compliance to data processors, data controllers and data protection officers. Every company has to employ one of these professionals to comply with the requirements. These professionals will be responsible for explaining how and why the data is being processed. The data controller will be responsible for non-compliance and data breaches. Only law enforcement agencies are not required to appoint a Data Protection Officer.
Type of personal data to be protected
Personal information (Name, Address and ID Numbers)
Web data (IP address, RFID tags and cookie data)
Health information
Biometric information
Racial data
Political data
Sexual orientation
Right to be forgotten
This is another difficult GDPR requirement. It requires all companies to remove a client’s personal data when it is no longer needed, or to permanently remove it at the client’s request. Organizations are exposed to fines and penalties because they do not know which customers’ data should be purged forever. The law contains ambiguities that might turn against organizations. It is expected that GDPR fines will be imposed on some companies in the initial stage to send a strong message. However, as a first line of defense, implementing a security operations center (SOC) is a good step towards ensuring data security. For companies based in the UK, a SOC is the best available solution for handling security breaches.