GDPR stands for General Data Protection Regulation and is a law that was implemented by the European Parliament, the Council of the European Union, and the European Commission. The GDPR is focused on the European Union and all EU citizens. However, it is applicable to all businesses worldwide. It was implemented in May 2018 and requires every business to protect the personal data it collects about any person.
In recent years we have had a couple of major data breaches that allowed personal information to be distributed without consent.
A few that made headlines are:
South African Postbank – a master key was obtained by an employee. This affected 8 to 10 million Postbank accounts, which are generally used for social grants. It is still unclear whether any funds were stolen.
Chartered Professional Accountants of Canada – an unauthorized third party gained access to personal information of over 300k members and stakeholders. This included names, addresses, email addresses, and employer information.
Truecaller – in May 2020, the personal data of 47.5 million users was found on the dark web for US$1,000. This included phone numbers, service providers, names, genders, and other information. Truecaller, however, denies this breach and says the data is part of the previous breach that took place in May 2019.
LiveJournal – the blogging platform has apparently been suffering from data breaches for a while, and it has been reported that some users have received extortion letters tied to their accounts. Multiple hackers have confirmed that the rumors are true and that they have been selling the user data on the dark web. The data breach included usernames, emails, and plaintext passwords of over 26 million users.
Nintendo – The video game giant experienced a breach of 160k users’ login details. Some of these users also had fraudulent purchases take place on their accounts.
You only have to type "Data Breach" into Google to see who has been affected. I know that this bothers me personally, as I would not want my personal information distributed and possibly used against me or in fraudulent transactions. Identity theft is a real thing, and we should all be very careful in this digital age.
What does GDPR mean for your business?
You might have a contact form on your website or a mailing list that people can opt into. The information that you collect here needs to be protected and must not be shared with or sold to any third party. You are responsible for the data and can be held liable should it be leaked.
Even though GDPR is an EU policy, you should still implement it in your business, as you never know who is on your mailing list and where they are located. Your client could be based in one country, but their business may be registered in the EU, or they may relocate. If you manage a newsletter for your client, you will need to be GDPR compliant, as you have access to information that could belong to an EU client or business on YOUR CLIENT'S list.
It is better to protect yourself from the start than to try to fix something when it is too late.
What to do if you experience a data breach?
- Notify your Data Protection Authority (DPA) that there has been a personal data breach
- Notify the individual that their personal data has been compromised
- Or make a public statement if the breach was too large for you to contact each individual person.
LGPD – Lei Geral de Proteção de Dados
The new law is expected to come into effect in 2020 and is very similar to GDPR, except that it will require every legal entity that collects data to have a Data Processing Officer. The LGPD recognizes more lawful grounds for data collection than GDPR, so there is no need to panic regarding what types of data can be collected, and the rights of data subjects are also the same.