GDPR Risk Assessment

A General Data Protection Regulation (GDPR) Risk Assessment is a necessary component for any company that operates on the global stage and takes data security seriously.


Determining Global Risk

The General Data Protection Regulation (GDPR) is an information privacy regulation enacted in 2018 for members of the European Union (EU). It is a core component of human rights law with regard to the use of personal data in the digital age. The rights it grants individuals are considerable.

Rights Of Individuals

The GDPR includes the following rights for individuals.

  • The Right to be Informed
  • The Right of Access
  • The Right to Rectification
  • The Right to Erasure
  • The Right to Restrict Processing
  • The Right to Data Portability
  • The Right to Object
  • The Right not to be Subject to Automated Decision-Making Including Profiling

Data Breaches

The GDPR introduces a requirement for all organizations to report certain types of data breaches to the Information Commissioner’s Office (ICO) within the EU and, in some cases, directly to the individuals affected.

The GDPR requires companies to implement an Incident Response Program: procedures that allow them to effectively prevent, detect, respond to, report and investigate a breach involving critical data and personally identifiable information (PII).

Larger organizations are required to develop policies and procedures for managing a data breach event. Failure to report a breach in a timely manner when reporting is required can result in a fine, in addition to any fine for the breach itself.

Extraterritorial Jurisdiction

American companies may conclude that, because they reside outside the EU, they are not under the jurisdiction of the requirements of GDPR. This is only partially true.

The GDPR was written by the EU to apply to data controllers and processors outside of the European Economic Area (EEA) as well. From the EU's perspective, if American companies offer goods or services to data subjects within the EEA, or monitor the behavior of data subjects within the EEA, the regulation applies regardless of where the processing takes place.

This gives the GDPR an “Extraterritorial Jurisdiction”.

Punitive Fines

American companies that disregard the GDPR may find themselves subject to substantial penalties. An infringement of the GDPR can draw a fine of up to €10 million or, in the case of an enterprise, up to 2% of the annual worldwide turnover of the preceding financial year, whichever is greater.

If your company operates globally with customers in the EU, it’s important to add a GDPR component to your yearly Enterprise Risk Assessment. A General Data Protection Regulation (GDPR) Risk Assessment from Cybermode will assess a company’s exposure to the law and better prepare it to decisively address an adverse breach event.

Contact Information

Begin the journey to enhanced cybersecurity!

+312-443-2372

info@cybermode.com

