GDPR – General Data Protection Regulation

What is the GDPR and why is it important?

The GDPR (General Data Protection Regulation) is a European Union regulation that came into force in 2018. It is intended to ensure the protection of personal data in the EU and regulates how companies and organizations are allowed to process this data. It is so important because it strengthens the protection of people’s privacy in the digital world and at the same time ensures transparency. Cybersecurity plays a key role here, as companies are obliged to take technical and organizational measures to protect personal data. Data breaches can have catastrophic consequences, both for the individuals concerned and for the companies responsible for protecting them.

What data is protected by the GDPR?

The GDPR protects personal data that makes a person directly or indirectly identifiable. This includes obvious data such as name, email address and telephone number, but also less obvious information such as IP addresses, cookies, location data, and in some cases even pseudonymized data. Particularly sensitive categories, such as health data, genetic and biometric data, require even stricter protection measures. Companies must ensure that this data is protected by data encryption, access restrictions and other security measures.

What rights do individuals have under the GDPR?

Individuals have a number of rights under the GDPR that allow them to retain control over their data. These include:

  • Right of access: Individuals can ask companies to disclose what data is stored about them and how it is used.
  • Right to rectification: Individuals have the right to have incorrect or incomplete data corrected.
  • Right to erasure (“right to be forgotten”): Individuals can request that their data be deleted if it is no longer required or has been processed unlawfully.
  • Right to data portability: Individuals can request their data in a structured, commonly used and machine-readable format and have it transferred to another company.
  • Right to object: Individuals may object to the processing of their data, in particular with regard to direct marketing or profiling.

Companies must not only implement these rights in their processes, but also provide technological measures to enable these rights efficiently and securely.

Who must comply with the GDPR?

The GDPR applies to all companies worldwide that process the personal data of EU citizens, regardless of where the company is based. This means that US or Asian companies that process EU data must also comply with the GDPR. Companies must be able to demonstrate that they have taken appropriate safeguards to secure personal data, such as encryption, firewalls and proactive security monitoring. If they fail to do so, they risk penalties.

What are the penalties for non-compliance with the GDPR?

Violations of the GDPR can result in drastic penalties. The maximum fine is either up to €20 million or 4% of the company’s global annual turnover – whichever is higher. Examples of breaches can include data leaks, inadequate protection of personal data or failure to implement user rights. From a cybersecurity perspective, this means that weak security practices, a lack of encryption or unsecured cloud services could hit companies hard.

Do I need the user’s consent to collect data?

In many cases, user consent is required before personal data can be collected or processed. This consent must be voluntary, specific, informed and unambiguous. It is not permissible to use pre-ticked consent boxes or to hide consent in opaque terms of use. Cybersecurity teams must ensure that the mechanisms for obtaining consent are tamper-proof, i.e. protected against potential attempts at abuse.

What is a data protection impact assessment (DPIA)?

A data protection impact assessment (DPIA) is a risk analysis tool and is necessary if data processing is likely to pose a high risk to the rights and freedoms of data subjects. An example would be the processing of sensitive health data or the creation of extensive profiles. The DPIA helps to identify potential data protection risks at an early stage and to take appropriate measures to minimize these risks. As a cybersecurity expert, I would recommend paying attention to security threats such as data leaks, insider threats or hacker attacks during the DPIA and planning appropriate defensive measures.

How can companies ensure GDPR compliance?

In order to be GDPR-compliant, companies should implement a range of technical and organizational measures:

  • Encrypt sensitive data both during transmission and storage.
  • Introduce access controls so that only authorized employees can access personal data.
  • Carry out regular security checks and penetration tests to identify vulnerabilities in the IT infrastructure.
  • Train employees on data protection and security protocols.
  • Log and monitor data access in order to detect irregularities quickly.
  • Apply data minimization, i.e. collect only the data that is absolutely necessary.

These measures not only help with GDPR compliance, but also increase the overall security of the company infrastructure against cyber threats.

What is a data protection officer (DPO)?

A Data Protection Officer (DPO) is a person or body responsible for ensuring that a company complies with the GDPR. A DPO is necessary for companies that either process sensitive data on a large scale or whose core business is the monitoring of individuals. The DPO oversees data protection strategies, trains staff and acts as a point of contact for data protection authorities. In larger companies or organizations, the DPO may work closely with the IT security team to ensure that cybersecurity measures are aligned with the GDPR.

How long can companies store personal data?

Companies may only store personal data for as long as it is required for the stated purpose. After that, the data must either be deleted or anonymized. From a cybersecurity perspective, this means that companies should implement automated deletion processes to ensure that data is not stored for longer than necessary. Backup systems must also be checked regularly to ensure that no personal data is stored unnecessarily in archives or backups.