GDPR and RFID: Compliance, Obligations and Risks

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) 2016/679 replaces the 1995 EU Data Protection Directive and brings into effect a standardized data protection law across all 28 EU countries.

The new regulation focuses on the privacy rights of individuals, and on the rights around the control, use and protection of Personally Identifiable Information (PII). GDPR is designed to harmonize data privacy laws across Europe. It has been instituted to protect and empower all EU citizens' data privacy and to reshape the way organizations approach data privacy.

The GDPR has gone into effect across all EU member states, but despite the seemingly local nature of the regulation, its scope extends beyond Europe to companies operating outside the EU that process information relating to EU citizens.

What has changed in respect to private data handling?

The GDPR introduces new obligations for companies in matters such as data subject consent, data anonymization, data breach notification, trans-border data transfers, data destruction and private data handling, to name a few.

Some of the new obligations for companies in relation to private data handling include:

  • Consent for use – consent must be as easy to withdraw as it is to give.
  • Right to access – right to know if personal data is used and to get a copy from the data controller.
  • Data portability – subjects can obtain/reuse their data by transferring it across IT environments.
  • Right to be forgotten – when no longer relevant, data subjects can have data controllers erase their data and stop its dissemination.
  • Security of processing – processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized processing and against accidental loss, destruction or damage using appropriate technical or organizational measures (integrity and confidentiality).
  • Privacy by design – include data protection from onset of designing systems, products and services.
  • Breach notification – breaches must be reported to the data controller and to the national data protection regulator within 72 hours.
  • Data Protection Officers – professional officers appointed in large organizations (250+ employees) that systematically monitor or process personal data.

Obligations of companies in relation to data destruction (hard drives, RFID badges, etc.)

Companies are expected by this regulation to shift significantly towards preventive monitoring measures on how data is stored and destroyed.

Organisations are expected to review the GDPR shredding requirements to reduce the risk of data breaches, and to maintain strict guidelines for a secure destruction process.

The process should follow this path:

  • Creation of a standard clear desk and safe data destruction policy.
  • Provision of locked consoles for the deposit of documents or media meant for destruction.
  • On-site destruction protocol with issuance of a certificate of destruction.
  • In the case of off-site destruction, a proper audit of the site must have been conducted to assure the safety of all data.

Secure destruction of documents and hard drives is familiar to most companies, but RFID secure destruction is largely unknown and presents specific challenges to standard destruction procedures.

  • Erasing an RFID card is often not sufficient
    Most RFID cards have sectors that are read-only, one-time-writable or otherwise irreversible, meaning the data cannot be removed electronically.

  • Shredding or cutting is not sufficient
    Shredding or cutting an RFID card will break the antenna, but the chip that stores the data is unaffected. Attaching a new antenna will allow the card's data to be read again.

To date, the only system that can securely disable RFID cards is the NFC Kill.

Risks of non-compliance

The GDPR places a financial liability on organizations found culpable in a data breach. The regulation sets the fine for erring organizations at €20 million or 4% of the firm's global turnover, whichever is greater.

Get GDPR Compliant.

Disable and dispose of confidential RFID information securely.

The NFC Kill protects your data, your customers and your clients.