This post is from the Arxan blog and has not been updated since the original publish date.
by Asma Zubair, Senior Director of Product Management
If you are busy preparing for GDPR (General Data Protection Regulation), you are not alone. The GDPR will affect a very large number of organizations -- practically every organization that does business in the EU or is located in the EU. Google Trends shows that interest in GDPR all over the world has increased rapidly in 2017.
The surge in GDPR-related queries is driven by organizations trying to figure out what GDPR is, how it will impact them and what they can do to comply with it. This post provides an overview of GDPR and helps you prepare for the fast-approaching GDPR enforcement deadline. The GDPR was announced in 2016 and will take effect on 25 May 2018. It is an all-encompassing regulation designed to protect EU residents’ privacy and personal data. GDPR violations will incur fines of up to 20 million euros or 4% of the company’s global annual turnover, whichever is higher. So, GDPR is not something to be taken lightly.
The first step for any organization looking to comply with GDPR is to review whether it is processing personal data, i.e. any information that directly or indirectly identifies an individual. If so, it needs to ensure the following:
- They have tools and processes for dealing with data subjects’ rights - such as the right to be informed (for transparency in how organizations use personal data), right of access (to their information), right to rectification and right to be forgotten, etc.
- Employees and customers have been informed of all data processing activities and data transfers performed on their personal data
- A detailed record is maintained of all processing activities, including the purpose of processing, a description of data, and security measures taken to protect it
- Any third parties processing European personal data on the organization’s behalf comply with the GDPR requirements
- Personal data is transferred outside the European Economic Area only if recipients have an adequate level of protection in place
GDPR requires organizations to have “privacy by design and default.” This means organizations need to take data privacy into account through all stages of projects and have extensive systems and processes in place for data protection. Because data is almost always accessed, written, and modified through applications, protecting your applications is critical for data protection. Unprotected applications can be reverse engineered and repackaged to bypass access checks, or have malware inserted. Applications that are not protected properly can have their cryptographic keys stolen, potentially enabling unauthorized access to personal data. Under the GDPR, such breaches will result in hefty fines.
Additionally, organizations need to consider management of enterprise apps. For more information about how mobile application management supports privacy and mitigates risk by managing corporate data while leaving personal data untouched, watch this webinar with 451 Research on “How the GDPR Impacts Your Enterprise Mobility Management Practices.”