What is GDPR?
Because cyber criminals are mostly interested in Personally Identifiable Information (PII), GDPR can be summarised as follows: "Any company or enterprise, small or large, that handles personally identifiable data must put in place safeguards to guarantee the confidentiality, integrity and security of all systems and services that handle this data." The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The regulation applies to all companies (including foreign companies) that serve European customers. Although the regulation applies to all companies, it is obviously easier to enforce against companies that have offices or legal representation in Europe.
The GDPR took effect on 25 May 2018.
"Processor" or "Data Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processing under GDPR
One of the most significant changes brought in by GDPR is that it places direct safekeeping obligations on data processors. While data processors have a variety of business models, from on-premises processors to cloud service providers, the GDPR provisions apply the same obligations to all of them with respect to the processing of client personal data.
Main Obligations of GDPR
The GDPR's main obligation is based on self-responsibility, or self-governance with some oversight. If you fall within the scope of the GDPR as a data processor, there are a number of key compliance points, the majority of which are set out in Articles 28-37 of the GDPR.
Data Controller under GDPR
Data controllers may only appoint data processors that provide sufficient guarantees to implement appropriate technical and organisational measures ensuring that processing meets the requirements of the GDPR.
Demonstrating Compliance with the Regulation
One of the threads running through the GDPR is the requirement to demonstrate compliance. Processors are under an obligation to maintain a record of all categories of processing activities. This record must include details of the controllers and any other processors, of any relevant Data Protection Officers (DPOs), the categories of processing carried out, details of any transfers to third countries, and a general description of the technical and organisational security measures in place.
These records must be provided to the supervisory authority upon request.