GDPR Consulting

The European Union’s (EU) General Data Protection Regulation (GDPR) is a privacy regulation that went into effect on 25 May 2018. It protects the personal data of individuals located in the EU (data subjects), not only EU citizens, and grants them the following rights.


  • The right to be informed - Data subjects have the right to be informed about the collection and use of their personal data, which imposes a set of transparency obligations on the controller (notably the privacy notice requirements of Articles 13 and 14).

  • The right of access - Data subjects have the right to obtain confirmation from a data controller that their personal data (PI) is being processed and to receive a copy of it.

  • The right to rectification - Data subjects have the right to have a data controller correct inaccurate personal data about them, or complete it if it is incomplete.

  • The right to erasure (the “right to be forgotten”) - Data subjects have the right to have a data controller erase the personal data it stores or processes about them, for example when the data is no longer needed for the purpose it was collected for or consent has been withdrawn.

  • The right to restrict processing - Data subjects have the right, in certain circumstances, to have the processing of their personal data restricted, which limits the ways an organization may use that data (for example to storage only while a rectification request is being verified).

  • The right to data portability - Data subjects have the right to receive the personal data they provided to a data controller in a structured, commonly used and machine-readable format, and to reuse it or transmit it to another controller.

  • The right to object - Data subjects have the right to object to certain types of processing (including direct marketing) and to stop an organization from continuing to process their personal data.

  • Rights in relation to automated decision making and profiling - Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on them.

Who needs to comply with the GDPR? Any organization that stores or processes the personal data of individuals located in the EU must comply with the GDPR, even if it has no business presence in the EU. In practice an organization is in scope if it has:

  • An establishment in an EU member state, or

  • No establishment in the EU, but it processes the personal data of individuals in the EU (for example by offering them goods or services or by monitoring their behaviour).

Company size does not exempt an organization from the GDPR. The 250-employee threshold only affects the record-keeping obligation in Article 30:

  • Organizations with more than 250 employees must maintain records of their processing activities.

  • Organizations with fewer than 250 employees must also maintain them if their processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of personal data or data relating to criminal convictions.

What are the risks and penalties for noncompliance with the GDPR?

  • Lower tier - administrative fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for infringements of the controller’s and processor’s own obligations, such as data protection by design, breach notification, records of processing, and appointing a data protection officer where required.

  • Upper tier - administrative fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for infringements of the basic processing principles, the data subject rights listed above, the rules on international transfers, or an order of a supervisory authority.

Fines are not the only exposure: supervisory authorities can also order processing to be limited or stopped, and data subjects who suffer damage from an infringement can claim compensation from the controller or processor.

How can Array Cyber Consulting help organizations comply with the GDPR cost-effectively while minimizing the impact of compliance on the organization’s objectives?

  • Create or review the organization’s policies and procedures for GDPR compliance

  • Create or review an organizational PI data map to understand where PI is collected, stored, and moved throughout the organization

  • Ascertain the organization’s current state of GDPR compliance through surveys, interviews, and vulnerability scans

  • Enumerate, risk-rate, and prioritize all GDPR compliance issues so that available compliance resources are applied where they matter most

  • Provide prioritized, cost-effective remediation recommendations that do not adversely affect the organization’s business objectives