Alpine Security’s GDPR Awareness Training Sample

– Well, GDPR stands for the General Data Protection Regulation. It represents one of the most stringent data privacy laws in the world. It went into effect May 25, 2018, but many organizations around the world still struggle to be truly GDPR compliant. GDPR standardizes the data protection regulations across all 28 of the European Union countries and deals with rules of how we create, store and transmit data amongst businesses. It also covers concepts like personal information or personal data, what we here in the United States refer to as personally identifiable information. GDPR replaced the 1995 European Union Data Protection Directive.

Let’s talk about why we need GDPR. Well, if you think about the way we live our lives, essentially, almost everything that we do revolves around data: the data that we put into our address fields when we go shopping on Amazon, or the data that we have to fill out when we go to the doctor’s office or the dentist. Filling out insurance, card applications, loans, rental agreements, banking contracts, pretty much anything and everything that we do. Sending pictures to our relatives and loved ones that live far away. All of that essentially is data, and that’s where the GDPR comes in. GDPR provides a series of benefits back to the hands of the people, the data subjects that actually own that data. It extends protection of that personal data and gives the rights into how data is going to be handled or controlled back to the data subject. It builds customer confidence between customers who want to do business with organizations and transparency from those organizations on how they’re gonna handle data.

One of the most difficult concepts in cybersecurity is really incorporating security into a business’s culture. Well, GDPR helps with that by embedding the concept of privacy and data handling into all aspects of the business. The way they hire employees, the way they train them, all of their business processes are built around privacy and data handling. And it definitely allows companies and businesses to improve their data management process and enhance their data security posture. Make sure that they have an up-to-date, real-time inventory of personal data, and reduces maintenance costs to most organizations by reducing unnecessary data. It allows them to implement stringent security measures to help protect that data. I always like to tell my students in all my classes: it can’t be stolen if it wasn’t there to begin with.

Who has to comply with GDPR? Well, GDPR applies to organizations located within the European Union. It also applies to organizations outside of the European Union if they offer their goods or services to, or monitor the behavior of, European Union data subjects. And this is where GDPR can get really tricky. You don’t have to be physically inside the European Union to be subject to these requirements. It applies to all companies that process, hold or transfer personal data of data subjects residing in the European Union, regardless of where those companies may be located. This is why a lot of companies are unsure whether or not they actually have to comply with GDPR requirements. They may be in the United States, but if they have the data of European Union citizens, they must comply.

What happens if they don’t comply? Well, let’s talk about the penalties. Failure to comply with GDPR can result in some pretty hefty fines. €10 million or up to 2% of the annual worldwide revenue of the business can be the fine or penalty if they fail to comply. In some cases it can be even more significant: €20 million or up to 4% of their annual worldwide revenue, whichever one is greater. That can be a pretty hefty fine.

Let’s talk about penalties for data breaches prior to GDPR, and some penalties that we’ve seen after GDPR. Let’s start with Facebook. Cambridge Analytica allowed data to be harvested without permission from millions of Facebook accounts: 87 million users, 70.6 million users were from the United States alone. Most of this data was created to kind of be used for advertisements for political events. However, none of the subjects whose data was compromised gave permission. That’s a lot of people. And the penalty for this was only $608,000.

Now let’s take a look at Google. So this is after GDPR went into effect. $57 million or €50 million as a fine by France’s privacy regulator for a breach of GDPR that was triggered from only two complaints. Google did not provide transparency of information and had no legal basis to process user data for advertisements in the way it was doing, and that’s what actually got them the fine. That’s a lot of money for two complaints.

Let’s take a look at another one. Let’s look at Marriott Hotels & Resorts. They were hit with a $123 million fine, €99 million, in the UK for a breach of GDPR regulations. Hackers stole 383 million guest records. Of those records, 385,000 card numbers were still valid at the time of the breach. This was a pretty big violation, and a pretty big fine.

Now let’s look at the biggest one so far. British Airways recently was hit with a $230 million fine, or €204 million, in the UK for a GDPR breach. It was the largest penalty against a company to date.