Extract from article by Akshay Sharma
The GDPR has significant technological and organizational requirements for businesses to protect and administer the use of personal data. The key requirements fall into three categories that must be owned and managed by a new, mandated role, the Data Protection Officer:
- Protection of Personal Data: Take a risk-based approach to data protection and security, by assessing, monitoring and plugging all vulnerabilities, and notifying authorities when personal data has been compromised.
- Use of Personal Data: Disclosure and consent in the use of personal data with a lawful basis for processing such personal data.
- Control of Personal Data: Provide individuals with control of the provisioning and permitted use of their personal data including the right to erasure, data portability, and visibility to their personal data held by a processor or data controller.
While security (network security, IoT security, application-security) is a critical piece in privacy, privacy regulations like GDPR have additional elements like policy enforcement, monitoring, control and reporting, to flag and control a rogue IT administrator as an example, or someone internally casually looking at a customer’s private data. So a business can be secure, but still be non-GDPR compliant. And an insecure firm, is most definitely non-GDPR compliant.