The General Data Protection Regulation: 10 questions and answers

Ottawa Citizen, Cyber Security section. By Peter Kenter, Postmedia Content Works

The European Union's General Data Protection Regulation, or GDPR, has some North American companies so worried about compliance that they've temporarily suspended the accounts of 500 million Europeans. Companies should be cautious but not afraid of GDPR, says Alex Shan, chief executive officer of Canadian IT service provider Jolera Inc. Many companies may already be complying with elements of GDPR, while others simply need to improve their data collection, breach response and security practices.

What is GDPR asking companies to do?

AS

As of May 25, 2018, it places obligations on companies that collect and process personal data from EU residents.

What's got companies so worried?

AS

The administrative fines for infringement are pretty scary — up to 10 million euros or two per cent of worldwide income. However, you'd have to be grossly negligent with personal data and have failed to follow reporting requirements before even triggering a discussion about fines.

How much effort would it take for Canadian companies to comply with GDPR?

AS

Many factors would impact the effort, such as type of industry, data collected, how permission to collect data is obtained and how stored data is protected. For companies that meet the requirements of Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) or the U.S. Health Insurance Portability and Accountability Act, some elements of these regulations are already consistent with GDPR provisions.

If I want to check my company's compliance with GDPR, what's the best place to start?

AS

Read the GDPR. It's written in plain language. Second, consult with your security and privacy teams to ascertain areas of data collection and usage risks in your organization. Finally, consult with a GDPR expert and legal counsel to ensure you have your bases covered.

What are the two most important requirements of GDPR?

AS

The first is to collect and use only data for which the individual gives consent, and to seek that consent in a transparent fashion. The second is to use data only for the purposes agreed to by the individual. You must also offer customers a transparent method to withdraw consent and erase their data, where there are no legal grounds to keep it.

How can a company's data policy help to keep data secure?

AS

The most secure data is data you never collect and store. The GDPR requires that you collect only personal data you need to perform the service or conduct research agreed to by customers — and to store that data for only as long as you need it. If you're conducting aggregate research on users, do you need to store names, addresses or phone numbers? The more unnecessary data you collect, the greater your potential liability.

How can a company protect data it needs to store longer?

AS

Employ a robust data security posture, making it hard for intruders to access your network via the internet and Wi-Fi and through user actions. Install a network firewall, then monitor and control incoming and outgoing network traffic to identify and stop unusual or malicious activity. Also protect laptops, computers and smartphones.

Blanket data with layers of protection, including restricting access to staff that need to use the data. Use data encryption and file integrity monitoring.

Finally, train employees to protect data in their care and to recognize scams and fraudulent links that might expose data to theft.

While you can achieve a degree of protection using passive controls, adding a human element to supervise network traffic can make the difference between fending off a cyber attack and allowing bad actors to achieve their goals.

If customers consent to sharing their data with third parties, what is my liability for the security of that data?

AS

You should share data only with downstream parties who share your respect for the security of that data. Otherwise, you could be held responsible for anything that happens to that information.

What if a customer's data has been breached?

AS

GDPR has reporting requirements and timelines that a company must adhere to in case of a personal data breach. There are guidelines and thresholds for reporting to the data controller, the supervisory authority and the individual. Technology is an integral part of collecting the necessary information to inform the communications required when a personal data breach occurs.

What does the future look like for regulations such as GDPR and PIPEDA?

AS

It's likely that best practices from each regulation will evolve into more global regulations. In the meantime, don't let GDPR scare you. It offers companies a chance to see what they're already doing right and address areas where they can do better.


The information provided in this article is for informational purposes only, and the opinions are those of the individual interviewed. It should not be used to determine how GDPR might apply to you and your organization or be considered as legal advice. Organizations and individuals seeking advice on how GDPR may apply to their organization should consult or seek advice from a qualified legal representative.
