Companies Storing Genetic Data Risk Huge Fines Under GDPR

By ISBuzz Team, Writer, Information Security Buzz | Oct 05, 2017 11:30 am PST

Following news that has been forced to change a controversial policy regarding its usage of customers' DNA data, revoking a clause that said it could store that data ‘in perpetuity’, Andy Waterhouse, EMEA Director at RSA, commented below.

Andy Waterhouse, EMEA Director at RSA:

“People are right to be concerned. This incident exemplifies why we need GDPR. While the company has consent, it is buried in the paperwork and people might not be aware they are giving so much away. This will not be possible under GDPR, as consumers will need to ‘opt in’ to such demands – they simply cannot continue to hold the data unless we have explicitly agreed to it; they can’t just hide it in the consent in legal clauses. This will be a big challenge for many organisations.

As technology continues to hurdle forward at breakneck speed, consumer rights have to evolve with it and give consumers greater control. In contrast to the previous Data Protection Act, GDPR enshrines rights to one’s genetic data as a core component of the legislation itself, as the definition of Personally Identifiable Information (PII) data has expanded to include genetic data. Anything that can be used to identify a person is classified as PII data, which EU citizens must now explicitly consent for companies to use – this moves beyond the traditional names, addresses and bank details into new areas like DNA, fingerprints and eye scans – a fact that businesses must respect.

For companies handling genetic data, stories like this should act as a wake-up call that things need to change. To date, many will not have needed to comply with the Data Protection Act, but with GDPR coming round the corner, there will be big changes to be made, as they will now need to foster an awareness of and accountability for the data they store and how it’s used. This is why we advise customers to take a business-driven approach to GDPR: take a step back, understand your business risk, design processes, apply controls that make sense for your organisation and use technology to automate and improve. There isn’t a one-size-fits-all approach, and no silver bullets.”