In light of the recent implementation of the General Data Protection Regulation (GDPR) in the European Union (EU), the topics of data protection and privacy policies are circulating through the news and our email inboxes. Even though GDPR is a regulation in the EU, it still affects many US companies and organizations. At the very least, GDPR encourages organizations to revisit current data protection policies to ensure that proper data security procedures are taken to maintain privacy and protection.
The GDPR serves as a legal guideline regarding data collection and processing for organizations worldwide to maintain data rights of EU citizens. The regulation was approved in April of 2016, but was most recently implemented on May 25, 2018. The purpose of GDPR is to update data legislation to apply to the current digital age, provide greater protection and rights to individuals regarding their data, and to harmonize data laws in the EU.
Policies & principles included in the GDPR:
- Data protection is a fundamental right
- Consent must be freely given by the individual, and consent statements must be clear, specific, and state an explicit, legitimate purpose for collecting the data
- Personal data must be processed lawfully and with transparency
- Companies are required to correct errors in an individual’s personal data
- A hack or breach must be reported to the data protection authority within 72 hours of first awareness, and affected customers must be notified “without undue delay”
- Individuals have the right to access data and to know whether personal data is being processed, where it is being processed, and the purpose of the data processing
- Individuals have the right to be forgotten and have their data erased
- Data can be transmitted to another controller or received by the individual upon request
- Data controllers must “implement appropriate technical and organizational measures to protect rights of EU data subjects”
- GDPR is applicable to organizations established outside of the EU that market or offer goods or services to individuals located in the EU, and to organizations that monitor behavior of EU individuals
- Prohibits weak protection of sensitive information
- Data protected by GDPR includes:
  - Personally identifiable information
  - Web-based data (user location, IP addresses, cookies, RFID tags)
  - Health and genetic data
  - Biometric data
  - Racial and/or ethnic data
  - Political opinions
  - Sexual orientation
GDPR & US healthcare:
Both GDPR and HIPAA work to protect consumer data, but GDPR is stricter than HIPAA because it broadens the scope of what counts as personal data. The GDPR requires faster processing of data requests from EU patients, mandates data encryption, has a strict data breach notification policy, and requires more extensive protection for certain categories of personal data. US healthcare facilities that market toward EU citizens will have to maintain compliance with the GDPR. Facilities that do not typically cater to European citizens may only need to comply with GDPR if a data breach occurs and EU citizens’ data is affected, or if a facility that has treated an EU citizen tracks that individual’s behavior after they have returned to the EU. If you are part of a healthcare facility and have any questions or concerns about GDPR compliance, feel free to contact us.
Effects of GDPR in the US:
GDPR has numerous effects on US companies and organizations because the regulation is far-reaching. Many US organizations are directly subject to the GDPR; for the others, it serves as a high standard for data protection and security. The GDPR ultimately forces US companies to adjust how they collect, store, process, and protect consumer data. Even if your organization is not required to be GDPR compliant, it is still a good idea to revisit and update data protection and security policies and procedures to reflect today’s digital lifestyle.
The Importance of Proper Password Security
Article 32 of the GDPR states, “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk…” The article also includes specific measures that should be implemented to ensure the security of consumer data, which include pseudonymization and encryption of data, maintaining the confidentiality, integrity, and availability of processes, systems, and services used in data protection and processing, the ability to restore access to personal data if an event occurs, as well as regular tests to ensure the effectiveness of security processes.
Although it isn’t specifically stated in the GDPR, password security is an important part of maintaining strong data protection. Revisiting and updating password policies and procedures is a good idea for all individuals and organizations, even those that do not have to be GDPR compliant. Security training that covers proper password usage should be implemented at every organization, regardless of size. Proper password and data protection procedures should include a strong password policy, two-factor authentication, and a secure self-service password reset system. While nothing can keep you perfectly safe, protecting passwords, financial information, and sensitive personal information from others has become increasingly critical in this digital age. Below are some common password mistakes and guidelines for proper password procedures:
Common password mistakes:
- Consecutive keyboard combinations (12345 or qwerty)
- Using names of spouses, kids, pets, etc., or personal information such as a birth date → these details often double as answers to security questions and can usually be found on social media accounts
- Reusing passwords across multiple sites
- Forgetting to log off a device
- Using common dictionary words
Guidelines for smart password practices:
- Passwords should make sense to you, but not to others
- Have different passwords for different accounts
- Make sure no one is around or watching when you type in your passwords
- Always log off devices
- Use up-to-date security software
- Avoid entering passwords on computers you do not control
- Avoid entering passwords on unsecured Wi-Fi
- You, and only you, should know your passwords
- Periodically change passwords
- Avoid reusing previous passwords
- Use at least 12-16 characters with lowercase, uppercase, numbers, and symbols
- Keep written passwords away from devices
- Consider securing passwords with a password manager
- Enable multi-factor authentication
- Avoid common passwords and dictionary words, for example:
  - 1111, qwerty, password, football
- Use phrases instead of just words, for example:
  - 1L!ke23atfo0d = I like to eat food
  - B3_r!ght_b@ck = be right back
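As an added illustration (not code from the original post or from Spectrum IT Solutions), the Python below turns the guidelines above into an enforceable check: minimum length, all four character classes, the common passwords and keyboard sequences the post names, and reuse of a previous password, compared through salted hashes rather than stored plaintext. The small denylist and the PBKDF2 round count are constructed assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed denylist seeded with the examples the post gives; a real
# deployment would load a far larger list (e.g. a breached-password corpus).
COMMON_WORDS = {"1111", "12345", "qwerty", "password", "football"}
# Keyboard rows used to detect consecutive-key runs such as "12345" or "qwerty".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware


def has_keyboard_run(pw, run_len=4):
    """True if pw contains run_len adjacent keys from one keyboard row,
    read forwards or backwards (so "12345", "qwerty" and "54321" all match)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run_len + 1):
            seg = row[i:i + run_len]
            if seg in low or seg[::-1] in low:
                return True
    return False


def check_password(pw, min_len=12):
    """Return the list of policy rules the password breaks (empty = passes)."""
    low = pw.lower()
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for name, pattern in (("lowercase", r"[a-z]"), ("uppercase", r"[A-Z]"),
                          ("number", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            problems.append(f"missing {name}")
    if any(word in low for word in COMMON_WORDS):
        problems.append("contains a common password or dictionary word")
    if has_keyboard_run(pw):
        problems.append("contains a keyboard sequence")
    return problems


def hash_password(pw, salt=None):
    """Salted PBKDF2-SHA256 digest suitable for storage (never store plaintext)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def is_reused(pw, history):
    """Compare a candidate against stored (salt, digest) pairs of earlier passwords."""
    return any(hmac.compare_digest(hash_password(pw, salt)[1], digest)
               for salt, digest in history)
```

Both passphrases from the post pass `check_password`, while `qwerty` trips the length, character-class, denylist and keyboard-sequence rules at once.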
Although the GDPR is in place to protect European Union citizens, it still affects many US organizations. Even for those US organizations and individuals that the GDPR doesn’t directly affect, it provides numerous reminders of the importance of implementing essential data protection. Password protection and use is one area that most individuals could benefit from revisiting. If you have any questions regarding how the GDPR could affect your organization, or you would like more information on how you or your organization can implement better password security, contact us over at Spectrum IT Solutions.