Do you recall one of the largest breaches of personal data in 2017?
March 2017, Dun and Bradstreet: 33.6 million files.[1] This data contained names, email addresses and telephone numbers. Although this is information that Dun and Bradstreet notes would “typically be found on a business card,” this data is included under the European Union General Data Protection Regulation (GDPR) definition of personal data.
According to the GDPR principles set out in Article 5, personal data must be:[2]
(a) Processed lawfully, fairly and in a transparent manner
(b) Collected for specified, explicit and legitimate purposes
(c) Limited to what is necessary in relation to the purpose for which it is processed
(d) Accurate, relevant and kept up to date
(e) Kept and stored for no longer than necessary for the purpose for which it was processed, and in accordance with appropriate technical and organizational measures
(f) Processed in a manner that ensures appropriate security that protects against unauthorized or unlawful processing, loss, destruction or damage
Companies need to consider two key factors: accountability and compliance. Under GDPR, companies will be more accountable for their handling of personal information. Key changes many companies will need to make are:
- Change how they collect, use and transfer personal data
- Make changes to or implement new IT systems dedicated to maintaining appropriate technical and organizational measures with a level of security appropriate to the risk
- Update privacy notices, policies, and contracts and terms with suppliers, customers, resellers and others
- Consider data privacy in product design by default, which may include pseudonymization and encryption of personal data
- Be able to notify the relevant supervisory authorities of a breach within 72 hours of discovery[3]
For a more detailed view of what organizations need to know to prepare for GDPR in the short time that is left, read our white paper.
[1] Dun & Bradstreet database breached, 33.6M files vulnerable. https://www.scmagazine.com/dun-bradstreet-database-breached-336m-files-vulnerable/article/644419/
[2] See Article 33: https://gdpr-info.eu/art-33-gdpr/
[3] Official GDPR Text (PDF): http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf