GDPR is the gold standard for data protection. Many other legislative frameworks have used it as a model, like California Consumer Privacy Act (CCPA,)<\/a> Brazil\u2019s Lei Geral de Prote\u00e7\u00e3o de Dados (LGPD)<\/a> and the proposed strengthening of Australia\u2019s Privacy Act 1988<\/a>. Complying with GDPR won\u2019t always mean you\u2019re complying with other jurisdictions\u2019 regulations, so if you\u2019re sending personal data across borders, get local advice.<\/p>\n GDPR is built around defining what it means to be a data controller or data processor<\/a>, and what each must do. A controller decides what personal data to collect, gathers it and decides how to use it. A processor receives personal data from another party and processes it as directed, but doesn\u2019t decide how it\u2019s used. The law says controllers must use only processors with technical and organizational structures that ensure data privacy.<\/p>\n Data breaches mean business disruption and reputational damage<\/a>. Then there\u2019s the money. Under GDPR, controller and processor may face huge fines: 20 million euro or up to four percent of the previous year\u2019s turnover \u2013 whichever is greater. In 2019, British Airways faced a record-breaking 183 million British pounds for a breach<\/a>.<\/p>\n Although GDPR came into force in 2018, many companies still aren\u2019t paying attention, says Jamel Ahmed of UK data privacy consultants Kazient Privacy Experts<\/a>. \u201cIt\u2019s true for large enterprises to small- to medium-sized businesses. I often find bigger companies have excellent internal data security<\/a> processes. The compliance people will ask the right questions and demand evidence. But along the supply chain, there\u2019s a massive gap relating to personal data. It\u2019s to do with a lack of understanding, and limited awareness and expertise.\u201d Your data handling shouldn\u2019t just satisfy legal and regulatory requirements. It should also follow best practice and ethics. If you\u2019re remiss, the consequences can be severe.<\/p>\n Peter Wright, Managing Director, Digital Law <\/p><\/cite><\/blockquote>\n Do your due diligence when you start a relationship with a supplier that involves passing data. Ahmed says, \u201cAs a minimum, check new suppliers are registered with UK\u2019s Information Commissioner\u2019s Office (ICO,)<\/a> or your country\u2019s equivalent. Check they have good policy and practice. Check they understand their data privacy obligations and responsibilities.<\/p>\n \u201cDo they have a dedicated data protection officer (DPO,) and what are their qualifications and experience? I\u2019d also want to see evidence they\u2019ve spent time developing good practices rather than just complying with a checklist they\u2019ve downloaded from somewhere.\u201d<\/p>\n The GDPR says there must be a written contract between data controller and processor, and what the contract terms must be<\/a>, including type of data, how long it may be kept for and the nature and purpose of data processing. Data privacy experts think agreements between controller and processor should go further, drilling down to detail, showing the controller is giving enough oversight.<\/p>\nPrivacy holes affect businesses of all sizes<\/h2>\n
\n![\"data](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/06\/16033641\/160_2-1024x768.jpg\")
\nPeter Wright agrees. He\u2019s Managing Director of UK\u2019s Digital Law<\/a>, specializing in online, data and cyber issues. \u201cIt\u2019s been overlooked in the past. And while there\u2019s more awareness now, that doesn\u2019t mean it\u2019s enough.\u201d<\/p>\nHow to tighten the links<\/h2>\n
1.\u00a0\u00a0\u00a0 Ask data-processing suppliers the right questions<\/h3>\n
2.\u00a0\u00a0\u00a0 Have a contract that goes above and beyond<\/h3>\n
3.\u00a0\u00a0\u00a0 Have a plan in place for what the controller does when there\u2019s a breach<\/h3>\n