Category Archives: GDPR


How to create a GDPR compliant password policy

GDPR stands for General Data Protection Regulation, which came into force in the European Union in May 2018. The regulation applies to every organization that does business with EU citizens, even organizations based outside the EU.

Like other data-protection regulations, GDPR is vague about exactly how to implement a compliant security policy. For example, it never mentions passwords, but it does demand a high level of protection for personally identifiable data.

The procedures for accessing this data must take every reasonable measure to ensure compliance; ignorance is not a valid excuse for failing to protect customer data.

First of all, users need to understand what a strong password is. The policy should spell out the basic rules that make a password acceptable, namely that it cannot be cracked by a brute-force attack.

A strong password should be difficult for a computer to guess by trying every possible combination of characters. The longer the password and the larger the character set it draws from, the longer it takes to crack. It should always be alphanumeric and include special characters such as symbols.

Personal information should be prohibited

The most challenging aspect of preparing a compliant password policy is finding the right balance between what is memorable and what is secure.

Some users write their passwords down to avoid forgetting them, which is an extraordinarily bad idea. Others use a birthday, a pet's name or the names of family members as passwords, which is equally wrong.

Cybercriminals often recover such passwords simply by checking the information people share on social media. Train your employees about the dangers of using personal information as passwords.
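As an added example (not code from the original post), the following Python policy check applies the two rules above: it estimates the brute-force search space from a password's length and character set, and it rejects passwords that contain fragments of a constructed user profile (name, birthday, pet). The 12-character minimum and the 60-bit floor are assumed thresholds, since the post gives no numbers.

```python
import math
import re
import string

# Constructed sample profile used to screen for personal information (not from the post).
PROFILE = {"name": "Alice Smith", "birthday": "1990-04-15", "pet": "Rex"}
MIN_LENGTH = 12   # assumed minimum length; the post sets no number
MIN_BITS = 60.0   # assumed floor for the brute-force search space, in bits

# Character classes a brute-force attacker must cover if the password uses them.
CLASSES = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
           (lambda c: c in string.punctuation, len(string.punctuation))]


def charset_size(pw: str) -> int:
    """Sum the sizes of the character classes that actually occur in the password."""
    return sum(size for test, size in CLASSES if any(test(c) for c in pw))


def brute_force_bits(pw: str) -> float:
    """Upper bound on exhaustive-search work, log2(charset ** length), in bits."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def personal_tokens(profile: dict) -> set:
    """Lower-cased fragments of the profile that must not appear in a password."""
    tokens = set()
    for value in profile.values():
        tokens.update(t for t in re.split(r"[\s\-]+", value.lower()) if len(t) >= 3)
    digits = re.sub(r"\D", "", profile.get("birthday", ""))
    if digits:
        tokens.update({digits, digits[:4], digits[-4:]})  # 19900415, 1990, 0415
    return tokens


def check_password(pw: str, profile: dict) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw)):
        problems.append("must mix letters, digits and symbols")
    if brute_force_bits(pw) < MIN_BITS:
        problems.append("brute-force search space too small")
    hits = sorted(t for t in personal_tokens(profile) if t in pw.lower())
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    return problems
```

The search-space estimate is an upper bound: a dictionary word drawn from a 94-character set still falls to a wordlist long before exhaustive search, so the personal-information screen matters as much as the bit count.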

Single sign on implementation

People with accounts on many different sites normally use a different password for each, so it is easy for them to forget some of those passwords.

In the workplace especially, it makes sense to implement a single sign-on feature that provides employees with immediate access to every system they need to do their jobs.

Administrators can then manage access rights so that they follow the principle of least privilege. Single sign-on should not mean giving access to all the data in your company's care.

Regular password reset should not be enforced

Industry experts have long recommended that users reset their passwords every three months. This is not necessary, and it makes it more likely that users will forget the new password.


GDPR Compliance for US Companies

GDPR states that every company, inside or outside the EU, that has access to an individual's data must comply with its regulations. The law is therefore clear that US companies which access EU residents' data must also comply with GDPR. A US company that fails to comply faces heavy penalties for noncompliance. The main purpose of the regulation is to protect the data of EU residents.

GDPR compliance checklist for US companies

  • Conduct an information audit for EU personal data

If you are a US company, you have to conduct an information audit for EU personal data to check whether your organization needs to comply with GDPR. During the audit, check what personal data your organization processes; if any of it belongs to EU residents, your organization has to comply with GDPR. If your company offers goods or IT services to EU residents, you have to comply with GDPR. For more information about GDPR data protection, go through Article 23 of GDPR.

  • The Right to be Forgotten and Data Subject Rights

GDPR gives the people of the EU two additional rights: i) the right to be forgotten (erasure) and ii) the right to portability of their data. The rights of data subjects are extensive under GDPR and are governed by Articles 15-22. Under these rights, an EU resident can receive a copy of their personal data at any time. They also have the right to object to processing, including automated processing and profiling.

  • Controllers and Processors

GDPR defines two categories of organization, data processors and data controllers, and you have to check which one your company is. A data processor processes individuals' personal data on behalf of a controller, whereas a data controller determines the purposes and means of how customer data is processed. A company can be both a data controller and a data processor at the same time. Controllers and processors have different obligations for how they comply with GDPR as US organizations.

  • Designate a representative in the European Union

Under Article 27 of GDPR, non-EU companies are required to appoint a representative based in one of the EU member states.

The steps listed above are a few of the important ones that will help you avoid drawing scrutiny from EU regulatory authorities.


6 Countries with GDPR-like Data Privacy Laws

Since GDPR was introduced, many other countries have followed the same trend to protect the personal data of their residents. GDPR was certainly not the beginning, and it will not be the end. With today's technology it has become easy for cybercriminals to steal an individual's data, which is why countries are bringing in strict laws to protect user data.

To help you get started, here are six examples of countries that have adopted comparable data privacy laws:

1. Brazil: After GDPR was introduced in the EU, Brazil brought in the LGPD, which stands for Lei Geral de Proteção de Dados. The law is very similar to GDPR in scope, applicability and financial penalties for non-compliance. Under this law, any organization that wants to do business with Latin America's largest economy has to comply with the LGPD by February 2020. An organization that does not comply with the LGPD in Brazil faces a fine of up to 50 million BRL (approximately 11.8 million EUR).

2. Australia: In February 2018, Australia added the Privacy Amendment (Notifiable Data Breaches) to its Privacy Act. Under this law, any company with an annual turnover of over 3 million AUD has to disclose data breaches that pose a "real threat of serious harm" within 30 days of their discovery. An organization that fails to do so faces a fine of up to 1.8 million AUD (approximately 1.1 million EUR).

3. USA: In the USA there is currently no federal data privacy law that applies to all industries. Each state has its own data privacy laws to protect the personal data of US individuals, and each sets its own scope, applicability and penalties. The most recent and strictest state law is the California Consumer Privacy Act (CCPA), many of whose codes and standards overlap with GDPR.

4. Japan: Japan's Act on Protection of Personal Information came into force in May 2017. The law is very similar to GDPR, and all organizations, both foreign and domestic, that have access to the data of Japanese citizens have to comply with it. As with GDPR, companies located outside Japan also have to follow the guidelines laid down in the Act.

5. South Korea: South Korea's law protecting the data of its residents was introduced well before GDPR. The Personal Information Protection Act has been in effect since September 2011.

6. Thailand: Thailand introduced the PDPA (Personal Data Protection Act) in February 2019, and it comes into effect on 27 May 2020. The PDPA is very similar to GDPR in many ways, including its protection of residents' personal data.