One of the latest changes affecting the way organisations use online resources to collect data, and their legal obligations when doing so, is the EU General Data Protection Regulation (GDPR): a regulation implemented by the EU governing bodies (the European Council, the European Commission and the European Parliament) with the primary goal of unifying and strengthening data protection principles for European Union citizens.
Research shows that over three-quarters of business apps lack the ability to guarantee compliance with the GDPR. 75% of the apps tracked by researchers failed in areas such as following data portability requirements and deleting personal data within a reasonable timeframe.
Amongst the other worrying statistics gathered by the report is the proportion of companies (11%) whose apps have been signed off whilst laced with malware, a quarter of which have been shared internally, externally or even publicly. Moreover, cloud apps account for 73.5% of data loss prevention violations.
The data collected by the research highlights the growing number of challenges businesses face when dealing with regulations such as the European Union's GDPR, especially when trying to incorporate them into complex cloud-based networks, which are now an integral part of most companies' IT infrastructure.
GDPR Overview
Any business that collects, processes or stores data from EU-based individuals is impacted by the GDPR, which means essentially every company trading in the European Union. The aim of the regulation is to ensure that data protection laws across the 28 member countries are up to date and standardised, addressing the ambiguities that have surfaced with the growing popularity of cloud networks and the rise of social media platforms in the two decades since the original EU Data Protection Directive was issued in 1995.
International consistency in data protection laws is of particular importance for safeguarding the rights of both individuals and organisations, because many businesses now operate across borders. The main responsibilities for businesses are set out by the data protection principles under the GDPR, with the most notable addition being the accountability principle: companies are now required to document any decisions made regarding a processing activity as a way of demonstrating compliance with the principles.
What is included in the GDPR’s principles?
Similarly to the Data Protection Act (DPA), the GDPR's principles apply to personal data, but the difference between the two is in the detail. The new definition is considerably more detailed and takes care to clarify that information from the digital world, such as IP addresses and other online identifiers, can also be classified as personal data. This wider definition reflects technological advancements and changes in the way businesses gather information about people.
Additionally, ‘special categories of personal data’ are referred to by the GDPR as ‘sensitive personal data’ – this mostly includes the same categories as stated in the DPA, with a few minor alterations – for instance, the inclusion of biometric and genetic data processed for the unique identification of an individual.